Spam Software

Healthcare Ransomware Attacks Accounted for 50% of All Security Incidents

Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.

Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.

However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).

NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.

Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.

With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.

The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.

Ransomware Attacks on Businesses Soar, but Exploit Kit Attacks Fall

There was some good news in the latest Symantec Internet Security Threat Report. Exploit kit attacks have fallen dramatically, unfortunately however, ransomware attacks on businesses have sky rocketed.

Over the past 12 months, exploit kit attacks fell by 30%, but over the same period, ransomware attacks on businesses have increased by 36%.

Ransomware has proved popular with cybercriminals as attacks are easy and money can be made much more quickly. If an attacker succeeds in encrypting business data, a ransom demand is issued and payment is required in a few days. In most cases, the attackers get paid within a week.

Web-based attacks on the other hand typically take longer. Cybercriminals need to wait until employees visit a compromised website and download malware. The network must be explored to find sensitive data, data needs to be exfiltrated and a buyer needs to be found. It takes much longer in many cases for the attackers to get paid.

Furthermore, ransomware attacks are easier to pull off. With ransomware-as-a-service – Cerber ransomware for example – little technical skill is required to conduct a campaign. All the attackers need to do is to pay to rent the ransomware, set their own terms and distribute the malware via spam email. Many ransomware authors are even providing kits with instructions. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks and money can be made very quickly.

Symantec says it has now detected 101 separate ransomware families whereas in 2015 the count stood at just 30. As soon as one variant is cracked and a decryptor released, there are many new variants released to take its place. Ransomware attacks on businesses will continue to be conducted and in all likelihood, with increasing frequency.

Fortunately, good data backup policies will ensure that businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks can prove costly to resolve. Cybersecurity firms often need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.

Ransomware infections can see computers locked for several days causing considerable loss of revenue. Customer breach notifications may also need to be issued. A ransomware attack can result in considerable costs, even if no ransom is paid.

Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.

The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. This is a considerable decrease from the previous year, although web-based attacks are still a significant threat to businesses. The report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.

The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1209 breaches reported.

The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.

Phishing Attacks on Schools Spike – Is Your School Doing Enough to Prevent Attacks?

In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.

Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems.  Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.

Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.

No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.

Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.

Recent Phishing Attacks on Schools, Colleges, and Universities

Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.

Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.

This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.

Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.

Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.

How to Improve Defenses Against Phishing Attacks

Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.

An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.

It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.

Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.

IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.

Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.

If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.

HIPAA Compliance and Phishing: Email Attacks Can Result in HIPAA Penalties

A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.

The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.

HIPAA Compliance and Phishing

The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.

OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules.  Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.

What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.

These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.

The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.

Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email –  a spam filtering solution can be classed as an essential security control.

The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.

HIPAA Penalties for Phishing Attacks

OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.

The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.

In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware.  OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.

Exploit Kit Activity has Declined, but Spamming Activity Has Increased

Figures from Trustwave show there has been a steady decline in exploit kit activity over the past year. Exploit kits were once one of the biggest cybersecurity threats. In late 2015 and early 2016 exploit kits were being extensively used to spread ransomware and malware. Now exploit kit activity has virtually dropped to nothing.

Exploit kits are toolkits that are loaded onto malicious or hijacked websites that probe for vulnerabilities in browsers and plugins such as Adobe Flash Player and Java. When a new zero-day vulnerability was discovered, it would rapidly be added to exploit kits and used to silently download ransomware and malware onto web visitors’ computers. Any individuals that had failed to keep their browsers and plugins up to date would be at risk of being infected. All that would be required was make them – or fool them- into visiting a malicious website.

Links were sent via spam email, malvertising was used to redirect web visitors and websites were hacked and hijacked.  However, the effort required to develop exploits for vulnerabilities and host exploit kits was considerable. The potential rewards made the effort more than worthwhile.

Exploit kits such as Angler, Magnitude and Neutrino no longer pose such a big threat. The actors behind the Angler exploit kit, which was used to spread Locky ransomware in early 2016, were arrested. Law enforcement agencies across the world have also targeted gangs running these exploit kits. Today, exploit kit activity has not stopped entirely, but it is nowhere near the level seen in the first half of 2016.

While this is certainly good news, it does not mean that the threat level has reduced. Ransomware and malware are still major threats, all that has happened is cybercriminals have changed tactics for distributing the malicious programs. Exploit kits are not dead and buried. There has just been a lull in activity. New exploit kits are undoubtedly being developed. For the time being, exploit kit activity remains at a low level.

Now, the biggest threat comes from malicious spam email messages. Locky and other ransomware variants are now almost exclusively spread via spam email messages. Cybercriminals are also developing more sophisticated methods to bypass security controls, trick end users into opening infected email attachments, and improve infection rates.

Much greater effort is now being put into developing convincing phishing and spear phishing emails, while spam emails are combined with a wide range of social engineering tricks to get end users to open infected email attachments. End users are more knowledgeable and know not to click on suspicious email attachments such as executable files; however, malicious Word documents are another matter. Office documents are now extensively used to fool end users into installing malware.

With cybercriminals now favoring spam and phishing emails to spread malware and ransomware, businesses need to ensure their spam defenses are up to scratch. Employees should continue to be trained on cybersecurity, the latest email threats should be communicated to staff and advanced spam filters should be deployed to prevent messages from being delivered to end users.

New Statistics Released on Corporate Email Security Threats

Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.

According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.

Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.

It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.

Main Corporate Email Security Threats by Business Sector

Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.

However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.

Malicious Spam Poses a Major Risk to Corporations

As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.

Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.

Protecting Your Organization from Email-Borne Threats

Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Kaspersky Lab/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.

If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.

Anti-Phishing Training Data Show Why an Advanced Spam Filter is Essential

Anti-phishing training can help an organization improve its security posture. However, even with training on phishing email identification, employees still fail to spot many email scams. Anti-phishing training alone is insufficient to prevent successful phishing attacks.

The Threat from Phishing is Growing

Your business is likely to be bombarded with phishing emails, especially at this time of year. Tax season sees millions of emails sent to businesses by cybercriminals who want access to employees’ W-2 Forms. However, phishing is a year-round problem. It has been estimated that an astonishing 156 million phishing emails are now being sent every single day.

As we have already seen this year, phishing scams can be highly convincing. Many businesses have discovered employees have responded to these scams in the belief that the email requests are genuine. The cost of those phishing attacks can be considerable for businesses, their customers and their employees.

Anti-Phishing Training Alone will Not Prevent Successful Phishing Attacks

To ensure employees are prepared, many businesses provide employees with anti-phishing training. They teach staff members how to identify phishing scams and the tell-tale signs that email requests are not genuine.

How effective is anti-phishing training? A recent analysis by Diligent showed that the average score on its phishing test was 76%. That means employees are failing to identify phishing scams 24% of the time and all it takes is one response to a phishing email for an employee’s email account to be compromised, a network login to be handed to cybercriminals, or the W-2 Forms of an entire workforce to be emailed to tax fraudsters.

Fortunately, as PhishMe’s data shows, with practice, employees get much better at identifying phishing emails. Providing training and conducting follow up tests using dummy phishing emails helps to show where training has failed. This allows organizations to provide further training to employees whose phishing email identification skills are poor. However, even with training and testing it will never be possible to ensure that 100% of employees identify 100% of phishing emails 100% of the time.

The Best Phishing Defense is to Prevent Phishing Emails from Being Delivered

Training should be provided and employees’ anti-phishing skills should be tested with dummy phishing exercises, but organizations should ensure that phishing emails are not delivered to end users’ inboxes. That means an advanced, powerful spam filtering solution is required.

SpamTitan blocks 99.97% of spam emails from being delivered. SpamTitan also includes a powerful anti-phishing component to block phishing attacks. However, blocking potentially malicious emails is only part of the story. It is also important to choose a solution that does not prevent genuine emails from being delivered.

Independent tests by VB Bulletin confirm SpamTitan has a consistently low false positive rate. Only 0.03% of genuine emails trigger SpamTitan’s anti-spam filters. The excellent catch rates and low false positives have seen SpamTitan win 36 consecutive VB Bulletin Anti-Spam Awards.

SpamTitan is available as a gateway appliance or a cloud-based solution, with both requiring minimal IT support. To suit the needs of service providers, the cloud-based version is available in a private cloud and is supplied in white-label format ready for rebranding.

The cost-effective solution is easy to implement, use and maintain and can be used to protect a limitless number of email accounts.

If you want to keep your employees’ inboxes free from phishing emails, malware, and ransomware, call the TitanHQ Sales Team today and say a fond farewell to email spam.

Microsoft Warns Users of Change in Malware Distribution Tactics

Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.

Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.

To bypass spam filter controls, attachments rarely include the actual malware or ransomware files, instead the files contain scripts that download the malicious payload.

One of the most common methods of downloading malware is JavaScript code. JavaScript files are typically included in ZIP files. If the files are extracted and opened, the malicious code runs. A connection is opened to the attackers’ servers and malicious files are silently downloaded.

However, JavaScript files are not typically used by the majority of end users. These files are therefore not always opened. Furthermore, spam filters can identify JavaScript files even when they are included in compressed files. Later this month, Google will also start blocking emails with JavaScript attachments and will not allow them to be sent via Gmail.

Due to the ease at which these malicious downloaders are being identified, malware distribution tactics have been changed. Rather than use these suspect files, cybercriminals have switched to file types that are less obviously malicious. Microsoft has noticed a trend for using LNK files and SVG files containing malicious PowerShell scripts.

LNK files are Windows shortcut files which usually point to some form of executable file. SVG (Scalable Vector Graphics) files are image files, and are much more innocuous. These files are typically opened with image software such as Adobe Creative Suite or Illustrator.  Double clicking on these malicious LNK and SVG files will launch PowerShell scripts that download malware or ransomware.

Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set restrictions on PowerShell commands to prevent them from running. However, even with restrictions in place, those policies can be easily bypassed. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.”

In the case of SVG files, it is relatively straightforward to include obfuscated JavaScript code in the image files. This JavaScript code may not be detected by software solutions and therefore could be delivered to end users’ inboxes.

There is of course an easy way to block these new malware distribution tactics. SpamTitan can be configured to block specific files attached to emails, preventing them from being delivered to end users. By implementing SpamTitan and blocking JavaScript Files, LNK files, and SVG files, organizations will be better protected against malware infections.

Since SVG, JavaScript, and LNK files are rarely sent in legitimate emails, blocking these attachments will not cause major disruption. Any individual or department that does use these files – IT or marketing for example – can be instructed to send the files via Dropbox or another file sharing platform.

Ransomware Attacks on British Schools Prompt Action Fraud to Issue Warning

Ransomware attacks on British schools have soared in recent weeks. The problem has become so serious that the British National Fraud and Cyber Crime Reporting Center, also known as Action Fraud, has issued a new ransomware warning to British schools.

Ransomware has grown in popularity with cybercriminals over the past 2 years, with attacks on organizations around the world soaring in 2016. 2017 may only be a few weeks old, but ransomware attacks are continuing at the high levels seen in 2016. Security experts predict that 2017 will see even more cyberattacks on schools and other educational institutions. Ransomware the attack method of choice.

Ransomware is a form of malware that encrypts data on a compromised system. A wide range of file types are locked with powerful encryption and a ransom demand is issued. If payment is made, the attackers claim they will supply the key to unlock the encryption. Without the key – the sole copy is held by the attackers – data will remain locked forever.

Some forms of ransomware have been cracked and free decryptors made available, but they number in the few. The majority of ransomware variants have yet to be cracked. Recovery depends on payment of the ransom or the wiping of the attacked system and restoration of files from backups.

While a standard charge per encrypted device was the norm early last year, ransomware is now more sophisticated. The attackers are able to set their payment demand based on the types of files encrypted, the extent of the infection, and the perceived likelihood of the victim paying up. Ransomware attacks on British schools have seen ransom demands of an average of £8,000 issued.

Ransomware Attacks on British Schools are Targeted, Not Random

Many ransomware attacks are random – Spam emails are sent in the millions in the hope that some of them reach inboxes and are opened by employees. However, ransomware attacks on British schools have seen a different approach used. Recent attacks have been highly targeted.

Rather than send emails out en masse, the spate of recent ransomware attacks on British schools start with a phone call. In order to find their target, the attackers call the school and ask for the email address of the head teacher. The email address is required because sensitive information needs to be sent that should only be read by the head teacher. Information such as mental health assessment forms and teacher guidance forms.

An email is then crafted and sent to the head teacher; addressed to that individual by name. While there are many types of ransomware emails, a number of recent ransomware attacks on British schools involved an email that appears to have been sent by the Department of Education. Other cases have involved the impersonation of the Department of Work and Pensions and telecom providers.

In the text of the email the attacker explains that they have sent some information in an attached file which is important and needs to be read. The attached file, usually in compressed format such as .ZIP or .RAR, contains files that install ransomware if opened.

These ransomware downloaders may be JavaScript files, Word or Excel macros, or a host of other file types.  In some cases, links are used instead of attachments. The links are masked so they appear to be official webpages; on the Department for Education website for example. In the case of links, they direct the recipient to a webpage containing an exploit kit or other form of file downloader. Just visiting that link could infect the user’s computer, mapped network drives, and portable storage devices.

How to Prevent Ransomware Attacks

Ransomware attacks on British schools can be highly sophisticated, although risk can be effectively mitigated.

  • Ensure all staff with computer access are made aware of the risk of ransomware attacks
  • Provide cybersecurity training to all staff, including how to identify ransomware and phishing emails
  • Never open attachments or visit links in emails sent from unknown senders
  • Implement a spam filter to capture and quarantine malicious spam emails
  • Use a web filtering solution to prevent staff members from visiting malicious links and from downloading ‘risky’ files
  • Ensure all software is kept up to date and patches are applied promptly
  • Keep all anti-virus and anti-malware solutions up to date, setting updates to occur automatically
  • Restrict the use of administrator accounts – Only use accounts with high levels of privileges for specific tasks

It is also essential to ensure that backups of all data are made on a daily basis and backup devices are disconnected after backups have been performed. Data should ideally be backed up to the cloud and on a physical backup device. In the event of an attack, data can then be recovered without paying the ransom.

University Phishing Scams on the Rise

University phishing scams targeting students have increased in recent months. Targeting some of the most well educated individuals may not appear to be the most rewarding strategy for scammers, but students are falling for these university phishing scams in their droves.

University Phishing Scams are Becoming Difficult to Identify

Awareness of phishing tactics has certainly improved thanks to educational programs, email warnings, and media coverage of phishing attacks, but in response, cybercriminals have got better at scamming. Today, phishing emails can be difficult to identify. In fact, in many cases, it is virtually impossible to tell a genuine email from a scam.

While students may be aware of the risks of clicking links in emails from unknown senders, the same cannot be said when the emails are sent from a contact. Emails from university IT departments, professors and colleagues are likely to be opened. Students’ guard is let down when the sender of the email is known.

When a convincing request is included, students often respond and have no idea that they have been scammed into revealing their login credentials or disclosing other sensitive information. All it takes is for one email account of a student to be compromised to start the process. Emails are then sent to that individual’s email address book. A number of those contacts respond. The same happens with their contacts and so on. Given that there are supposedly six degrees of separation between all individuals on the planet, it is easy to see how fast malware infections can spread and how multiple email accounts can be compromised rapidly.

University phishing scams have been increasing for some time, although the past few months have seen even more scams emails sent.  Recently, the University of Connecticut sent warnings out to students following a spate of phishing scams. Some of those scams involved the impersonation of the University president. Students at the University of Georgia have also been targeted.

In the case of the latter, one student’s email account was compromised after she responded to a phishing email sent from UGA associate. The email did not arouse any suspicions because the contact was known. In the email the student was told that it was important for her to change her password. Failure to do so would result in her being locked out of her email account. She responded by clicking the link and changing her password. However, what she had done was disclose her old password and her new one to the attacker.

The attacker then used those credentials to set up a mail forwarder on the email account. The student only found out after querying why she was no longer receiving emails with the IT help desk. After investigating, the mail forwarder was discovered.

Other students were similarly targeted and their emails accounts were used to send out huge volumes of spam emails. It was only when spamming complaints were received about the compromised accounts that the problem was identified.

These university phishing scams are conducted for a wide range of nefarious purposes. Spamming and mail forwarders may cause limited harm, but that may not always be the case. Malware infections can result in serious financial harm to students and universities. Ransomware installations can occur after students respond to phishing campaigns, and those attacks can cost tens of thousands of dollars to resolve.

How to Protect Students and Networks from the Scammers

Since these phishing scams are now so hard to identify, training on email and cybersecurity best practices is no longer as effective as it once was. Technological solutions are therefore required to prevent emails from being delivered and to stop end users from being directed to malicious websites.

SpamTitan is an ideal spam filtering solution for universities. SpamTitan blocks 99.97% of spam emails and 100% of known malware. The solution is cost effective to install, easy to administer, and no additional hardware is required or any software updates necessary.

When used in conjunction with WebTitan – TitanHQ’s powerful web filtering solution –all attempts to visit malicious links and known phishing websites can be blocked.

Both solutions are available on a 30-day no obligation free trial. If you want to ensure your students and university networks are properly protected, contact the TitanHQ sales team today to register for the trials and discover the difference that each solution can make.

W2 Phishing Scams Aplenty as Tax Season Commences

Its tax season in the United States, which means the start of scamming season. W2 phishing scams and other tax-related email and telephone scams are rife at this time of year. Businesses need to be particularly careful. There have already been a number of victims of W2 phishing scams and the year has barely started.

2016 Saw a 400% Rise in Tax Season Phishing and Malware Incidents

Tax season in the United States runs from the start of January to April 15. It is the time of year when Americans calculate how much tax they need to pay from the previous financial year. It is also a busy time for cybercriminals. They will not be filing their own tax returns however. Instead they are concentrating on filing tax returns on behalf of their victims.

In order for tax refunds to be fraudulently filed, cybercriminals need information about their victims. Given the number of data breaches that have resulted in the theft of Social Security numbers in the past 12 months, 2017 could well be a record year for tax scams.

However, while past data breaches can provide cybercriminals with the information they need to file fraudulent tax returns, tax season usually sees a massive increase in phishing scams. The sole purpose of these scams is to get victims to reveal their Social Security numbers and the other personal information necessary to file tax returns.

Since the IRS started allowing Americans to e-file their tax returns, scammers had a new option for filing fraudulent tax returns. Phishing emails claiming to have been sent by the IRS request the recipients update their IRS e-file. A link is included in the emails for this purpose. Clicking on the link in the emails will not direct the recipient to the IRS website, but a spoofed version of the site. The information entered online is then used to e-file on behalf of the victims and the scammers pocket the tax refunds.

In 2016, the IRS reported a massive increase in phishing and malware incidents. These scams and malware infections increased by an incredible 400%. The massive rise in scams prompted the IRS to issue a warning to Americans about the scams, with the IRS confirming that it does not initiate contact with taxpayers by email to request personal or financial information.

2017 is likely to be no different. Until April 15, tax-related scams are likely to be rife. All Americans should therefore be wary and must exercise caution.

Tax Season Sees a Massive Rise in W2 Phishing Scams

While consumers are at risk. Businesses in the United States are also extensively targeted at this time of year. The scammers impersonate CEOs, CFOs, and other individuals with authority and make requests for W2 data and other financial information about employees. The requests can be highly convincing and each year many employees fall for these types of scams. The scammers are well aware that some employees would be nervous about questioning a request that has been emailed from their SEO or CFO.

It is difficult to determine how many attempted W2 phishing scams took place last year, but in the first quarter of 2016, at least 41 U.S companies reported that they were the victims of successful W2 phishing scams. Employees were sent email requests to send W2 data by return and they responded. By doing so, employees’ tax information was sent directly to the scammers’ inboxes.

2017 is not yet a month old, yet already W2 phishing scams have been reported. The week, the Tipton County Schools District in western Tennessee reported that it had fallen victim to one of these W2 phishing scams. The attacker had posed as the director of the schools and had requested W2 tax data on all employees. W2 form data were then emailed to the attacker by an employee.

A similar email phishing scam was reported to have been used to attack 8 school districts in Missouri, according to a report by the Missouri Department of Elementary and Secondary Education. In this case, only one of the eight school districts responded to the scam: An employee from the Odessa School District was fooled and send the tax details of the district’s employees to the attackers.

It is not only schools that are being targeted. A hospital in Campbell County, Wyoming was attacked this week. According to a Campbell County Health news release, a hospital executive was impersonated in this attack. A 66-year old hospital worker fell for the scam and emailed W-2 information about employees as requested.

Preventing successful W2 phishing scams requires a combination of technological solutions, employee training, and updates to policies and procedures.  All employees with access to sensitive data must be advised of the risk and told to exercise caution. Policies should be introduced that require all email requests for employees’ tax information to be authenticated via telephone or other means. Organizations should also implement a robust spam filtering solution to prevent the scam emails from being delivered to employees’ inboxes.

However, if nothing is done to mitigate risk, 2017 is likely to be another record breaking year for the scammers.

Los Angeles Valley College Ransomware Attack Highlights Importance of Solid Ransomware Defenses

A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.

Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.

The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision. To try to recover from the attack without paying the ransom and risk file loss or to give in to the attacker’s demands and pay for the keys to unlock the encryption.

Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000

Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.

The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.

The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than attempting to remove the infection. The decision was therefore made to pay the attackers in Bitcoin as requested.

The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which will must be paid by the district.

Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.

Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions

The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.

In the past few months, other educational institutions in the United States that have been attacked with ransomware include M.I.T, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.

How Can Educational Institutions Protect Against Ransomware Attacks?

There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.

However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.

Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential. An advanced spam filter such as SpamTitan should therefore be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.

To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware is downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.

For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.

Risk of Spear Phishing Attacks Must Not be Ignored

Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.

Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.

Unfortunately responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.

The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.

In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.

The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.

Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.

The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high.  Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.

The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. 78.8-million health plan members’ records were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.

Anthem Inc., is the second largest health insurer in the United States and the company spends many tens of millions of highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.

Organizations must take steps to reduce the risk of speak phishing attacks. Unfortunately, there is no single solution to eradicate risk. A multi-layered defense strategy is required.

An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.

Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.

The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.

How Do Spam Filters Block Spam Email?

How do spam filters block spam email? Spammers are constantly adapting their strategies to bypass spam filters and deliver more malicious messages to corporate users’ inboxes, so how do antispam solutions keep pace and block these annoying and often malicious messages?

Many anti-spam solutions rely on blacklists to identify spammers’ email addresses and IP addresses. Once a spammer’s IP address has been identified, it is added to a global spam blacklist.

Antispam solutions check incoming messages against these blacklists. As soon as an IP address is blacklisted, any email sent from that IP address is automatically marked as spam and will be deleted or quarantined.

Spammers are aware that the lifespan of an email address for spamming is short. As anti-spam solutions have improved, the time delay between an email address being used for spamming and it being added to a global spam blacklist has reduced considerably. Whereas spammers used to be able to use an email address for weeks before it was identified by anti-spam solutions and blacklisted, now the lag has been reduced to days or even hours.

Spammers therefore have a very small window of opportunity to use email addresses and mail servers for spamming before they are detected and blacklisted.

Snowshoe and Hailstorm Spam Tactics to Get Messages to Inboxes

Spammers have attempted to increase the timespan for using email addresses using a number of methods, the most common being conducting snowshoe campaigns. This tactic involves sending out very low numbers of spam email messages from each IP address. If spam email volume is kept low, there is less chance of the IP address being recognized as used for spamming. To ensure sufficient numbers of messages are sent, spammers use millions of IP addresses. Even using this tactic will not allow the spammers to conduct their activities undetected for very long. Spammers therefore need to constantly add new IP addresses to their spamming networks to enable them to continue conducting their campaigns.

Snowshoe tactics are now widely used and the technique is highly effective, although a new tactic has recently been uncovered that is referred to as hailstorm spamming. Hailstorm spam campaigns similarly involve extremely large numbers of IP addresses, yet they are used very briefly and intensely. Rather than trying to stay under the radar, the spammers use those IP addresses to send huge volumes of messages very quickly.

Researchers at Cisco Talos recently analyzed both tactics and determined that the DNS query volume from a typical snowshoe campaign involved around 35 queries an hour. A hailstorm spam campaign involved around 75,000 queries an hour. The snowshoe campaign would continue at that rate for many hours, whereas the hailstorm spam campaign spiked and then fell to next to nothing. Hailstorm campaigns can therefore be used to deliver huge volumes of emails before the IP addresses are added to blacklists.

How do Spam Filters Block Spam Email?

How do spam filters block spam email when these tactics are used? Snowshoe and hailstorm spam campaigns are effective against antispam solutions that rely on blacklists to identify spammers. Only when an IP address is added to a blacklist will the spam email messages be blocked.  Advanced spam solutions offer far greater protection. Blacklist are still used, although a number of other methods of spam detection are employed.

Conducting a Bayesian analysis on all incoming spam email messages greatly reduces the volume of spam email messages that are delivered to end users. A Bayesian analysis involves reading the contents of a message and assessing the words, phrases, headers, message paths, and CSS or HTML contained in the message. While scoring, messages based on content can be effective, Bayesian spam filters also learn as they go. They constantly compare spam emails to legitimate emails and build up the range of spam characteristics that are checked. As spammers change tactics, this is picked up by a Bayesian spam filter and spam messages continue to be filtered.

The use of greylisting is also important in a spam filter. There will be some messages that pass all of the checks and some that monumentally fail. Categorizing these messages as genuine or spam is therefore simple. However, there is a sizeable grey area – messages that could potentially be spam.

If all of these messages are blocked, many genuine emails would not be delivered. If they are all allowed, many spam messages would get through. This would result in poor catch rates or extremely high false positive rates. Greylisting helps in this regard. Suspect messages are returned to the sender’s mail server and a request is made for the message to be resent. Since spammers mail servers are typically constantly busy, these requests are either ignored or they are not dealt with promptly. The time it takes for the message to be resent is therefore a good indicator of whether the message is genuine.

SpamTitan – Keep Your Inboxes Spam Free

SpamTitan uses a range of methods to identify spam emails including blacklists, Bayesian analyses, and greylisting. These checks ensure that more spam emails are identified and blocked, even if IP addresses have yet to be added to spam blacklists. This makes SpamTitan highly effective, even when spammers use snowshoe and hailstorm spamming tactics. By using a range of methods to identify spam emails, spam detection rates are improved and false positives are reduced.

SpamTitan is independently tested every month to determine its effectiveness. SpamTItan is consistently verified as capable of blocking more than 99.97% of spam emails, with a false positive rate below 0.03%.

If you want to find out the difference that SpamTitan makes to the volume of spam messages that are delivered to your employees’ inboxes, why not take advantage of our free, no-obligation 30-day trial. You can implement the solution quickly, evaluate its effectiveness, and you will receive full customer and technical support for the duration of the trial.

To find out more about SpamTitan and the difference it can make to your business, call the TitanHQ sales team today.

Why Should Businesses Perform Outbound Email Scanning?

All antispam solutions and spam filters check inbound messages for common spam signatures; however, it is also important to choose a solution that performs outbound email scanning. Outbound email scanning ensures spam emails, or emails containing malware, are not sent from an organization’s email accounts or domains.

Your employees would be unlikely to knowingly use their corporate email accounts to send spam emails, but malware infections can allow cybercriminals to gain access to email accounts and use them to send high volumes of spam email messages. Cybercriminals could also compromise email accounts and use an organization’s domain to send malware and ransomware to clients and customers.

Should this happen, it can have a seriously detrimental effect on an organization’s reputation and may result in corporate email accounts or an entire domain being blacklisted.

Blacklists are maintained by a number of organizations – spamhaus.org for example. Internet Service Providers (ISPs), web servers, and antispam solutions check these blacklists before allowing emails to be delivered to end users. If a particular IP address, email account, or domain is listed in one of the blacklist databases, emails sent from the domain, IP address or email account will not be delivered.

Blacklists are updated in real-time and contain many millions of blocked domains and email addresses that have been reported as having been used for unwanted activity such as the sending of spam emails. If emails are sent from a blacklisted account, domain, or IP address those emails will either be directed to a quarantine folder, deleted, or will simply be rejected.

If a business has its domain added to a spam blacklist important emails to clients and customers will not get through. This can prove costly, as real estate firm Keller Williams has recently discovered.

Blacklisted Domains and Email Accounts Can Prove Costly for Businesses

Over the past few days, email messages sent from the kw.com domain used by Keller Williams have been rejected by AOL. Yahoo has been blocking emails from the kw.com account for some time. The problem appears to be the addition of the kw.com domain to spam blacklists.

If a Keller Williams real estate agent needs to send an email to a customer who has an AOL or Yahoo account, it will not be delivered. Agents have therefore been forced to get customers to open Google email accounts in order to send online paperwork or documents requiring e-signatures.

The issue also affects online paperwork sent via the transaction management software program Ziplogix, with one Keller Williams agent also claiming Dotloop is also affected. Some agents at Keller Williams have reportedly had to send important paperwork for listings and sales via personal email accounts to ensure emails are delivered.

The AOL website explains that when domains have been flagged as being abusive, the server will be temporarily blocked until the spamming stops. Until a domain is removed from its blacklist, AOL account holders will be prevented from receiving emails from the blocked domain. Removing the domain from the blacklist can take up to a week.

Removing a domain from the 80+ commonly used spam blacklists can be a time-consuming task; furthermore, if spam emails are sent from the account again, the domain will simply be added to the blacklists once more.

Outbound Email Scanning Prevents the Blacklisting of an Organization’s Domain

Unlike many third-party antispam solutions, SpamTitan checks incoming email messages for spam signatures as well as performing outbound email scanning. If an email account has been compromised and is being used to send spam emails, if malware is sending spam, those messages will be blocked and will not be sent. Outbound email scanning is an important protection that will prevent an organization’s domain or email accounts from being used to send spam or malware.

Organizations can therefore avoid the embarrassment and reputation damage that results from being suspected as engaging in spamming or malware delivery. They can also rest assured that in addition to blocking 99.97% of inbound email spam, their domains and email accounts will not be added to spam blacklists.

Malicious Spam Email Volume Increases Again

Spam email volume has reduced over the past couple of years following the takedown of key botnets – and individuals – behind some of the biggest spamming campaigns. It was starting to look like the super-spamming days of the early 2010s were a thing of the past. However, spam email volume has been increasing in recent months.

Necurs botnet activity has increased and last month the Tofsee botnet came back to life after years of dormancy. Both of these botnets had previously been used to send annoying but relatively harmless spam emails offering cheap pharmaceuticals and offers of beautiful Russian brides. However, the increase in activity is also coupled with the move to malicious email attachments containing malware and ransomware.

These and other botnets such as Helihos are also growing in size at alarming rates and spam email volume is soaring. Some reports suggest spam email volume has increased from around 200,000 spam emails per second to 450,000 emails per second over the past couple of months.

But what are these malicious email attachments, and how big is the risk?

97% of Malicious Spam Email Attachments Contain Locky Ransomware

Locky ransomware first appeared in February 2016. It has since become one of the biggest email threats. The ransomware is being sent in massive spam campaigns and increasingly sophisticated social engineering techniques are used to infect end users.

To put these email campaigns into some perspective, historically, the volume of spam email used to deliver malware, ransomware, and other email nasties stood at around 2% of the total spam email volume. By around April this year, two months after Locky first appeared on the scene, malicious spam emails containing the ransomware accounted for around 18% of total spam email volume.

The Quarterly Threat Report issued by ProofPoint earlier this month suggests the volume of spam email containing malicious attachments or links reached record levels in quarter 3, 2016. The vast majority of those emails contained Locky. According to the report, 97% of captured spam emails with malicious attachments were used to deliver Locky. That’s a 28% increase from Q2, and a 64% increase since Q1.

Since its release, Locky ransomware has been infecting users via Word documents containing malicious macros, JavaScript files, executable HTML files (HTA), and more recently Windows Script Files (WSF) hiding the Nemucod downloader. Now, another change has been detected. Earlier this month, researchers at the Microsoft Malware Protection Center discovered the actors behind Locky ransomware had made another change to the way they infect computers and made the switch to shortcut files (LNK) containing PowerShell commands.

This discovery coincided with a drop in detection and a relatively quiet period for the past two weeks. However, Locky is back with a vengeance. On Monday this week, three new campaigns were detected, one of which was massive and involved 14 million messages in around half a day. 6 million of those messages were sent in a single hour!

The risk from Locky is considerable. Locky is capable of deleting Windows Shadow Files and encrypting a wide range of data, including data on portable storage devices and network drives. Resolving an attack can prove extremely costly. It is therefore essential to improve defenses to prevent attacks.

Ransomware and Malware Protection

Larger botnets and the move to malicious messages means organizations need to be prepared and take steps to ensure that these messages are effectively blocked.

Protecting your organization from email attacks is critical. It is therefore essential to employ a robust enterprise spam filtering solution. SpamTitan blocks 99.7% of spam email, preventing malicious email attachments and links from being delivered to your end users. This reduces reliance on training programs to educate end users on email threats.

Preventing ransomware infections requires a multi-layered approach. There is no silver bullet that will offer total protection against ransomware infections, but there are security products that can greatly reduce risk.

Protecting against exploit kits and malvertising requires a web filtering solution. By blocking websites known to contain malware or exploit kits, and carefully controlling the website content that can be accessed by employees, organizations can effectively protect against web-borne infections. WebTitan offers that protection and can be used to block malicious websites and reduce the risk from infections via malvertising.

Along with intrusion detection systems, firewalls, antivirus and anti-malware solutions, it is possible to defend against ransomware and malware attacks and keep your data secured.

Surge in Ransomware Emails In March 2016

A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.

Spike in Ransomware Emails as Criminals Seek Easy Cash

Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.

Spam email volume has been in general decline, in no small part to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.

Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.

What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.

The ransoms being demanded are also relatively low. This means that many individuals can afford to pay the ransom to obtain the decryption keys to unlock their files, and businesses are also likely to pay. The cost of recovering data and restoring systems, together with the lost revenue from the time that computer systems are down, is often less than the ransom being demanded.

Ransomware Is Becoming Much More Sophisticated

The latest forms of ransomware now being used – Locky, CryptXXX, TeslaCrypt, and Samas (Samsam) – are capable of spreading laterally. Not only can the ransomware infect files on a single computer, other networked computers can also be infected, as can network drives, servers, portable storage devices, and backup drives. Some forms are also capable of deleting Windows shadow copies and preventing the restoration of files from backups.

All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.

Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.

The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.

As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.

Beware of GozNym Banking Malware – A Silent Threat That Can Empty Bank Accounts

Eastern European hackers may only have had access to GozNym banking malware for a few days, but they have already used the malicious software to make fraudulent bank transfers from more than two dozen bank accounts. The new malware is primarily being used to target banks and credit unions, although the attackers have also used the malware to attack e-commerce platforms. 22 attacks have been conducted on financial institutions in the United States with a further 2 attacks in Canada. So far the attackers behind the GozNym banking malware have managed to steal at least $4 million from U.S and Canadian banks.

GozNym Banking Malware Combines Gozi ISFB with Nymaim Source Code

As the name suggests, GozNym banking malware was developed by combining two different malware strains – Nymaim and Gozi ISFB.

IBMs X-Force Research team believe the new malware is the work of the team behind Nymaim malware, as the source code of Nymaim is understood to be only held by the original developers of the malware. The source code for Gozi ISFB malware has previously been leaked on two occasions. X-Force analysts think the Nymaim malware developers obtained that source code and used the best parts to form the new hybrid Trojan.

Nymaim malware has previously been used almost exclusively as a method of ransomware delivery, although the group behind the malware started using it as a banking Trojan late last year. Nymaim malware is a two stage malware dropper that is loaded onto computers using an exploit kit.

Links to a website containing the Blackhole Exploit Kit are sent via spam email. Once Nymaim has been loaded onto a computer, the second payload is deployed. In the case of GozNym banking malware the second stage is the running of Gozi ISFB code.

GozNym banking malware is stealthy and persistent. The malware remains dormant on a computer until the user logs into their bank account. When account details are entered, GozNym records the login credentials and silently sends them to the attackers’ command and control server. If GozNym banking malware is installed, the user will be unaware that their banking sessions have been compromised.

IBM recommends using adaptive malware detection solutions to reduce the risk of an attack. Anti-spam solutions such as SpamTitan can prevent emails containing the malicious links from being delivered, while WebTItan web filtering solutions can be used to block websites containing malicious code and exploit kits.

With new malware constantly being developed – around 1,000,000 new malware samples are now being released every day according to Symantec – organizations now need to implement sophisticated multi-layered defenses to protect their networks from malware infections.

Healthcare Ransomware Attack Sees Hospital Pay $17K Ransom to Unlock EHR

Over the past 12 months, cybercriminals have used ransomware with increasing frequency to extort money out of businesses, leading some security experts to predict that healthcare ransomware infections would become a major problem in 2016.

Would cybercriminals stoop so low and attack the providers of critical medical care? The answer is yes. This week a U.S. hospital has taken the decision to pay a ransom to obtain the security keys necessary to unlock data that had been encrypted by ransomware. The attack does not appear to have been targeted, but the ransom still needed to be paid to unlock the hospital’s electronic medical record system.

Last year, Cryptowall infections were regularly reported that required individuals to pay a ransom of around $500 to get the security key to recover files. However, when businesses accidentally install ransomware the ransom demand is usually far higher. Cybercriminals can name their price and it is usually well in excess of $500.

Healthcare Ransomware Infection Results in Hospital Paying $16,664 to Unlock EHR

While businesses have been targeted by cybercriminal gangs and have had their critical data locked by ransomware, it is rare for healthcare providers to be attacked. The latest healthcare ransomware infection does not appear to have been targeted, instead a member of staff inadvertently installed malware which locked the hospital’s enterprise-wide electronic health record system (EHR): The system that houses patient health records and critical medical files.

The EHR of Southern California’s Hollywood Presbyterian Medical Center was locked on February 5, 2016., with physicians and other members of the hospital staff unable to access the EHR to view and log patient health information. An investigation into the IT issue was immediately launched and it soon became apparent that the database had been locked by ransomware.

No one wants to have to pay cybercriminals for security keys, and the hospital took steps to try to recover without having to give in to ransom demands. The Police and FBI were contacted and started an investigation. Computer experts were also brought in to help restore the computer system but all to no avail.

The news of the healthcare ransomware attack broke late last week, with early reports suggesting the hospital had received a ransom demand of 9,000 Bitcoin, or around $3.4 million. The EHR was taken out of action for more than a week while the hospital attempted to recover and unlock its files.

Eventually, the decision had to be taken to pay the ransom. While it may have been possible for patient health data to be restored from backups, the time it would take, the resources required to do that, and the disruption it would likely cause was not deemed to be worth it. Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, took the decision to pay the ransom to obtain the security key to unlock the data.

In a statement posted on the company’s website he confirmed that the reports of a ransom demand of 9,000 Bitcoin were untrue. The attackers were asking for 40 Bitcoin, or $16,664, to release the security key to unlock the hospital’s data.

Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Fortunately, healthcare ransomware attacks are relatively rare, as many healthcare providers in the United States already have controls in place to reduce the likelihood of an attack being successful. Staff are trained to be vigilant and not to install software on healthcare devices or open suspicious email attachments. Many use a spam filter to quarantine suspect emails. The latter being an essential protection against healthcare ransomware attacks.

The Importance of a Robust Spam Filter to Prevent Healthcare Ransomware Attacks

A healthcare ransomware attack does not just have a financial impact; it has potential to cause actual harm to patients. The delivery of healthcare services is slowed as a result of the inability to access and share healthcare data, and not being able to view patient health records could delay the delivery of critical patient care or result in incorrect medications being prescribed. That could be a life or death matter. Preventing healthcare ransomware attacks is therefore essential. A technological solution should be employed for maximum protection.

TitanHQ’s SpamTitan software has been developed to keep businesses protected from malware and ransomware attacks. SpamTitan uses two anti-malware engines to maximize the probability of spam emails and malicious attachments being caught and prevented from being delivered to end user inboxes. SpamTitan catches 99.9% of Spam email and quarantines emails with suspicious attachments to prevent them from being delivered.

If you want to reduce the risk of a suffering a ransomware attack and having to pay cybercriminals to unlock critical data, using a robust, powerful anti-spam solution such as SpamTitan is the best way to protect computers and networks from attack. Along with staff training to improve understanding of healthcare ransomware and other malware, it is possible to prevent attacks from being successful.

For further information on SpamTitan anti-spam solutions, contact the TitanHQ team today:

US Sales +1 813 304 2544

UK/EU Sales +44 203 808 5467

IRL +353 91 54 55 00

Or email sales@spamtitan.com

Best Antivirus Software Solution for 2015 Awards Announced

What was the best antivirus software solution for 2015 for the enterprise?

Protecting against the ever increasing number of cyberthreats is a full time job. The attack surface is now broader than ever before and hackers are developing increasingly sophisticated methods of obtaining data. The measures that must now be implemented to keep cyberattackers at bay have also increased in diversity and complexity.

Once of the core protections required by all organizations and individuals is an anti-virus software solution, and there is certainly no shortage of choice. But what was the best antivirus software solution for 2015?

The best AV software engines rated by AV-Comparatives

What AV engine detects and removes the most malware? What product offers the best real world protection? Which boasts the best file detection rates? These are all important considerations if you want to keep your organization protected. These and other factors were assessed over the course of the year by AV-comparatives.

AV-Comparatives is an independent testing lab based in Innsbruck, Austria. Each year the company publishes a report detailing the results of the AV tests the company conducted over the course of the year. The report is an excellent indicator of performance.

The company tested 21 of the top AV products on the market, subjecting each to a wide range of rigorous tests to determine the potential of each to protect users against malicious attacks.

The test results clearly show that not all antivirus products are the same. While all AV engines under test offered an acceptable level of performance, “acceptable” may not be good enough for enterprise installations.

The best antivirus software solution of 2015

AC-Comparatives rated performance and issued a number of awards to companies that excelled in specific areas of antivirus and antimalware protection. Gold, Silver and Bronze awards were awarded along with an overall best antivirus software solution for 2015 award.

Antivirus award categories:

  • Real-world detection
  • File detection
  • False positives
  • Overall performance
  • Proactive protection
  • Malware removal

Contenders for the ‘Best Antivirus Software Solution for 2015 Awards’

The Antivirus protects tested and considered for the awards were:

  • Avast Free Antivirus
  • AVG Internet Security
  • Avira Antivirus Pro
  • Baidu Antivirus
  • Bitdefender Internet Security
  • BullGuard Internet Security
  • Emsisoft Anti-Malware
  • eScan Internet Security Suite
  • ESET Smart Security
  • F-Secure Internet Security
  • Fortinet FortiClient (with FortiGate)
  • Kaspersky Internet Security
  • Lavasoft Ad-Aware Free Antivirus+
  • McAfee Internet Security
  • Microsoft Windows Defender for Windows 10
  • Panda Free Antivirus
  • Quick Heal Total Security
  • Sophos Endpoint Security and Control
  • Tencent PC Manager
  • ThreatTrack VIPRE Internet Security
  • Trend Micro Internet Security

The Best Antivirus Software Solution for 2015 Award

After assessing all categories of anti-virus protection there were two AV products that excelled in all categories and received an Advanced+ rating: Bitdefender and Kaspersky Lab, with Kaspersky Lab bestowed the best antivirus software solution for 2015. Kaspersky Lab is one of the two AV engines at the core of SpamTitan anti-spam solutions.

The Russian antivirus company also received a Gold Award for “Real-World” protection, file detection, and malware removal, as well as a Silver Award for proactive (Heuristic/Behavioral) protection, and a Bronze Award for overall low system impact performance.