Blog

AI Tools Used to Research Executives in Targeted Phishing Campaigns

by titanadmin | Dec 30, 2024 | Phishing & Email Spam |

It used to be relatively easy to spot a phishing attempt. Phishing emails would have poor grammar and be littered with spelling mistakes, with relatively easy-to-identify lures such as too-good-to-be-true offers. The unsolicited emails would be sent from unknown email addresses in huge volumes, as threat actors knew they were good enough to fool enough recipients and make the campaigns worthwhile. Provided employees had a modicum of security awareness training and took time to carefully read emails, the phishing attempts could be easily identified and avoided.

Phishing has been growing in sophistication and while these poorly constructed emails are not exactly a thing of the past, there is now a new breed of phishing emails that are expertly written, contain no errors, and are highly personalized to maximize the probability of getting the desired response. In order to conduct a highly personalized spear phishing campaign, threat actors need to spend a considerable amount of time researching their intended targets. In order to warrant that amount of time, the potential rewards must be high. These campaigns are usually conducted on high-value targets such as C-suite members by well-resourced threat actors, such as state-sponsored hacking groups.

Advances in AI technology have made these highly targeted phishing campaigns much easier to conduct. AI tools greatly reduce the amount of human effort required and that has opened up these targeted campaigns to a much broader range of cybercriminals. AI tools can be used to craft perfect phishing emails that closely mimic the companies and brands they spoof, making identification difficult. AI tools are also being used to analyze online profiles to gather personal information to be included in phishing emails, massively reducing the time required to construct the perfect scam email.

AI tools can also be used to assess online interactions by a particular individual to find out topics the individual is likely to respond to. They can rapidly ingest large amounts of data to craft phishing lures closely mimicking the style of emails written by a particular company or individual, making the spoofing almost impossible for individuals to distinguish from genuine communications. With the tools to gather a wealth of personal information and create flawless emails on appropriate topics, business email compromise scams have become much easier and can be conducted by a broader range of cybercriminals. The consequences of falling for one of these scams can be severe.

To combat these advanced phishing campaigns, businesses need advanced defenses. It is important to ensure that all members of the workforce receive ongoing security awareness training, including the C-suite as they are often the people being targeted in these campaigns. However, given the quality of these phishing attempts, security awareness training and a standard spam filter appliance will not cut it. For many years, spam filters have relied on blacklists of IP addresses and domains that have been previously identified as malicious or have low trust scores, along with antivirus engines for malware detection, and scans of message content for phrases commonly associated with spam and phishing. These spam filters will catch the majority of spam and bulk phishing emails, but will not detect the more sophisticated, AI-generated threats.

Advanced email security solutions are now a necessity. The latest anti-spam software and cloud based anti-spam services incorporate AI and machine learning-based detection in addition to the standard spam filtering methods, such as the engine at the heart of TitanHQ’s SpamTitan and PhishTitan M365 anti-phishing solutions. In recent independent tests by VirusBulletin, TitanHQ’s SpamTitan Skellig engine scored joint first place for detection in the Q3, 2024 tests and first place in Q4, achieving a 100% phishing detection rate with a 0.00% false positive rate and a 100% malware catch rate. Whether you are a business looking to improve your defenses or a managed service provider looking to provide more advanced security to your clients, give the TitanHQ team a call to find out more about getting the right tools in place to counter these advanced phishing threats.

DocuSign Phishing Campaign Abuses HubSpot Tools to Attack European Businesses

by titanadmin | Dec 28, 2024 | Phishing & Email Spam |

An ongoing large-scale phishing campaign targets European businesses and attempts to obtain credentials for their Microsoft Azure cloud infrastructure. While businesses in multiple sectors have been attacked, the majority are in the automotive, chemical, and industrial manufacturing sectors. According to an analysis of the campaign by the Unit 42 team, this campaign has targeted at least 20,000 businesses in Europe.

Like many current phishing campaigns targeting companies, the campaign uses DocuSign-themed lures, where the user is asked to review an emailed document, which includes the branding of the company being targeted. If the document is opened, the user is directed via embedded hyperlinks to an online form created using HubSpot’s free online form builder tool. The drag-and-drop form builder allows forms to be created quickly, and in this case, the threat actor has used the free-to-use tool to create a form with a link button to view the document on Microsoft’s secured cloud.

If the button is clicked, the user will be directed to a phishing page that mimics the Office 365 Outlook Web App login page. If credentials are entered in the fake login page – commonly hosted on attacker-controlled .buzz domains – they are captured by the threat actor, who will attempt to login, and then pivot and move laterally to the cloud. A successful login will see the threat actor add a new device to the victim’s account for persistence.

There are several measures that can be taken by businesses to protect against phishing campaigns such as this, starting with an email spam filter to block the initial contact via email. SpamTitan is an advanced cloud-based anti-spam service for blocking email phishing and malware threats. The solution checks inbound messages against up-to-the-minute lists of blacklisted domains, performs SPF, DKIM, and DMARC checks, malware scans, assessments of message headers and content for phishing indicators, and incorporates AI and machine learning algorithms to identify anomalies in message content. Email sandboxing is used to subject messages to in-depth analysis to identify zero day threats. In recent independent testing by VirusBulletin, SpamTitan achieved first place for overall score out of 11 leading email security solutions, blocking 100% of phishing attempts, 100% of malware, and 99.998% of spam email, with a 0.00% false positive rate.

Security awareness training is vital to teach security best practices and make employees aware of threats, including email threats that abuse legitimate services and tools. TitanHQ’s SafeTitan platform allows businesses to quickly create and automate security awareness training programs, tailored for departments, user groups, and individuals, and reinforce training through phishing simulations.  An additional recommended protection is the WebTitan DNS-based web filter, which incorporates URL filtering to prevent users from visiting known malicious websites, incorporating controls to prevent users from downloading malware.

For more information on improving your defenses against phishing, give the TitanHQ team a call today. The full TitanHQ suite of cybersecurity solutions is available on a free trial, with full product support provided throughout the trial.

Google Calendar Abused in Phishing Campaign

by titanadmin | Dec 28, 2024 | Phishing & Email Spam |

Companies in multiple sectors are being targeted in an ongoing phishing campaign involving initial contact via email via Google Calendar-generated meeting invites. This campaign has proven effective, especially when the user recognizes other guests. The campaign has been active throughout December, with at least 1,000 of these phishing emails identified each week, according to Check Point.

The aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file attachment (.ics), both of which will send the user to either Google Forms or Google Drawings.  Next, the user is tricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the user to the scam page, where they will be taken through a fake authentication process that captures personal information, and ultimately payment card information. This campaign could easily be adapted to obtain credentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted credentials.

An attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look exactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the phishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and trusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.

Depending on the user’s settings, these may be automatically added to the user’s calendar. The threat actor can then trigger a second email by canceling the meeting and has been doing so in this campaign. The cancellation email also includes a hyperlink to a malicious website.

The use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of requests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than 500 million active users of the tool.

There are simple steps to take to block these threats, although the first option will also limit legitimate functionality for genuine invites. To block these attempts, go into Google Calander settings, and in the event settings switch from automatically add invitations to only show invitations I have responded to.  Also, access Gmail settings and uncheck automatically add events from Gmail to my calendar. To avoid disabling the functionality, check the only known individuals setting in Google Calendar, which will generate an alert if the user has had no interactions with an individual in the past.

It is important to have an advanced email security solution that is capable of detecting sophisticated phishing attacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF, DKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can detect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email sandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check the destination URL. While this campaign does not use malware, an email filtering service with email sandboxing will also protect against malware threats.

Meeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are sent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam emails in security awareness training. Employees should be made aware that these requests may not be what they seem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees are to these types of scams using a phishing simulator. SafeTitan includes many phishing templates involving invites from legitimate services to allow businesses to incorporate these into their simulations.

Call TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security awareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft 365.

Threat Actors Adopt Corrupted Word Files for Phishing Campaigns

by titanadmin | Dec 16, 2024 | Phishing & Email Spam |

A new phishing campaign has been identified that uses the novel tactic of attaching corrupted Microsoft Word files to emails. The files themselves do not contain any malicious code, so scans of the attachments by email security solutions may not flag the emails as malicious.

In order to get the recipient to open the email, the threat actor impersonates the HR department or payroll team, as employees will typically open these messages. The attached files have file names related to payments, annual benefits, and bonuses, which employees may open without performing standard checks of the email, such as identifying the true sender of the message. Many employees place a moderate amount of trust in Word files, as if they contain a macro, it should not run automatically if the Word document is opened.

The threat actor relies on the employee’s curiosity to open the file and the way that operating systems handle corrupted files. The file recovery feature of Microsoft Word will attempt to recover corrupted files. The user will be informed that parts of the file contain unreadable content, and the user is prompted to confirm if they would like the file to be recovered. The documents have been crafted to ensure that they can be recovered by Word, and the recovery will present the user with a QR code that they are told they must scan to retrieve the document.

The document includes the logo of the company being targeted, and the user does not need to “enable editing” to view the contents of the document, so they may mistakenly believe they are safe. If they scan the QR code using their mobile device, they will be directed to a phishing page where they are asked to enter their Microsoft credentials on a phishing page that is an exact match of the genuine Microsoft login prompt.

Businesses with spam filter software may not be protected as email security solutions often fail to scan corrupted files. For instance, the phishing emails bypass Outlook spam filters according to the researchers at Any.Run who identified the campaign. That means the emails may be delivered to inboxes, especially as the messages do not contain any content in the body of the email indicative of a phishing attempt.

If the user opens the file and scans the QR code, they will switch from their desktop or laptop to their mobile phone. Mobile devices rarely have the same level of security protection, so corporate anti-phishing controls such as web filters will likely be bypassed.

Threat actors are constantly developing new ways to trick employees in their phishing campaigns, which is why it is important to run security awareness training programs continuously, updating the training content with new training material in response to threat actors’ changing tactics. By warning employees about this method, they should recognize the scam for what it is if they receive an email with a corrupted file attachment. That is easy to do with a security awareness training platform such as SafeTitan. New training content can be quickly created and rolled out to all users as part of their monthly allocation of training modules. It is also easy to add this type of threat to the SafeTitan phishing simulator to test how employees respond to this new threat type.

As the researchers demonstrated, Microsoft fails to detect the threat, demonstrating why it is important to bolster your M365 phishing defenses with a third-party solution, such as PhishTitan from TitanHQ. PhishTitan integrates seamlessly with Microsoft 365 to augment protection and catches the phishing threats that Microsoft misses. PhishTitan will also add a banner to all inbound emails that come from external sources, giving users a clear flag that these emails are not genuine. The HR department and payroll have internal email addresses.

An email security solution with email sandboxing is also advisable for deep inspection of file attachments, including the ability to read QR codes. Spam filters for incoming mail should also have machine learning and AI-based detection capabilities for identifying emails that deviate from the messages typically received by the business.

All of these features are part of TitanHQ’s email security suite. Give the team a call today to find out more.

Phishing Campaign Targets Law Firms by Impersonating U.S. Federal Courts

by titanadmin | Nov 30, 2024 | Phishing & Email Spam |

A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.

Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.

Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivation for these attacks is extortion and ransomware attacks. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.

One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.

The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.

Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.

The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.

It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.

Phishing Campaign Uses Visio File Attachments for Credential Theft

by titanadmin | Nov 29, 2024 | Phishing & Email Spam |

A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.

To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious since emails are likely to pass reputation and authentication checks. It also increases the chance of emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as a purchase order and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.

If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.

While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).

If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.

If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.

SVG Image Files Being Used for Phishing and Malware Delivery

by titanadmin | Nov 29, 2024 | Phishing & Email Spam |

Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.

SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.

SVG is an incredibly versatile file format that can incorporate elements other than the image code, for instance, SVG files can be used to display HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.

Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is it is not generally blocked by anti-spam software, so is likely to be delivered to inboxes.

While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.

DocuSign Abused in Massive Phishing Campaign

by titanadmin | Nov 28, 2024 | Phishing & Email Spam |

A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.

DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. This campaign aims to get the recipient of the invoice to sign it using DocuSign, then the signed document can be used for the next phase of the scam, which typically involves sending the signed document to the billing department for payment, which may or may not be through DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.

The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.

The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as these messages, which often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.

SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.

For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.

Excel File Attachments Used in Phishing Campaign to Deliver Fileless Remote Access Trojan

by titanadmin | Nov 15, 2024 | Phishing & Email Spam |

A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device.  The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.

Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected as it is fileless malware that runs in memory and does not install files on the disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a purchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML Application (HTA) file downloaded, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in the memory.

The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in the memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run item to ensure it is launched after each reboot.

Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.

TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.

A Russian APT Group is Conducting a Massive Spear Phishing Campaign

by titanadmin | Oct 31, 2024 | Phishing & Email Spam |

The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.

While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.

Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.

RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Lets Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s resources are bidirectionally mapped to the server.

The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.

Since the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as malicious based on reputation checks by anti-spam software, although may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam antivirus filter to block emails containing RDP files and other executable files and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and consider blocking executable files from running via your endpoint security software is the executable file is not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.

An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.

Threat Actors Increasingly Using Scripts in Emails for Malware Delivery

by titanadmin | Oct 28, 2024 | Phishing & Email Spam |

For many years, cybercriminals have favored Office documents for distributing malware. These documents are familiar to most workers and are likely to be opened because they are so familiar and used so often. The documents may contain hyperlinks to malicious websites where malware is downloaded, but the easiest method is automating the delivery of malware using a malicious macro. If that macro is allowed to run, the infection process will be triggered.

Microsoft has helped to make documents and spreadsheets more secure by disabling macros by default if they have been delivered via the Internet and increasing numbers of companies are providing workforce security awareness training and instructing their employees not to enable content on Office documents delivered via the Internet. It has become much harder for cybercriminals to distribute malware using these file formats, so they have turned to script languages for malware delivery.

The use of VBScript and JavaScript in malware distribution campaigns has been increasing, with these executable files often hidden from security solutions by adding them to archive files. The scripts used in campaigns are snippets of code that include command sequences, which automate the downloading and execution of malware, often only operating within the system’s memory to avoid detection. The user is likely to be unaware that malware installation has been triggered.

For example, in one campaign, a malicious VBS script was hidden in an archive file to evade email security defenses. If extracted and executed, the script executes PowerShell commands, which can be difficult for security solutions to identify as malicious. PowerShell triggered the BitsTransfer utility to fetch another PowerShell script, which downloaded and decoded Shellcode, which in turn loaded a second shellcode that used the Windows wab.exe utility to download an encrypted payload. The shellcode decrypted and incorporated the payload into wab.exe, turning it into the remote access trojan, Remcos RAT. This multi-stage infection process used living-off-the-land techniques to evade security solutions, and it all started with an email that used social engineering to trick the recipient into executing the script.

Using this attack as an example, there are opportunities for identifying the email for what it really is. Businesses need to ensure they have advanced email security defenses in place such as an advanced spam filter for Office 365 or a machine-learning/AI-driven spam filtering service. These services perform standard checks of inbound email, such as anti-spoofing and reputation checks on the sender, Bayesian analysis to determine whether the email is likely to be spam, but also machine learning checks, where the inbound message is compared against the emails typically received by a business and is flagged if any irregularities are found.

Anti-virus scans are useful for detecting malware, but these checks can often be evaded by adding malicious scripts to archive files, and the multi-stage process involved in infection is often sufficient to defeat signature-based malware detection. An email security solution therefore needs to also use email sandboxing. All attachments capable of being used for malicious purposes are scanned with an anti-virus engine and are then sent to the sandbox for deep analysis. Malware sandboxing for email is important, as it detects malware not by its signature, but by its behavior, which is vital for identifying script-based malware delivery. While there are sandboxing message delays, it prevents many costly malware infections.

SpamTitan, TitanHQ’s cloud-based anti-spam service, incorporates these checks to provide exceptional malware detection. In recent independent tests, SpamTitan blocked 100% of malware and had a 99.99% phishing catch rate and a 0.000% false positive rate. In addition to using an advanced spam filter, businesses can further reduce risk by blocking delivery of the 50 or so archive file formats supported by Windows if they are not used by the business.

It is also important to provide continuous security awareness training to the workforce to improve awareness of threats and the new tactics, techniques, and procedures being used by threat actors to trick individuals into providing them with network access. This is easily down with TitanHQ’s SafeTitan security awareness training platform solution, especially when combined with phishing simulations.

Cyberattacks targeting individuals are increasing in sophistication and standard security defenses are often evaded. To find out more about improving your defenses against sophisticated phishing, malware, and business email compromise threats, give the TitanHQ team a call. Improving your defenses is likely to be much cheaper than you think.

Multiple Accounts Compromised in Targeted Phishing Campaigns

by titanadmin | Oct 26, 2024 | Phishing & Email Spam |

The purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an employee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s account and any data contained therein. That access can be all that is required for the threat actor to achieve a much more extensive compromise.

Oftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same organization. These phishing attacks can be harder to spot as they have been tailored to that specific organization. These attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email account. The emails may address each individual by name, or appear to be broadcast messages to staff members. One successful campaign was identified by the Office of Information Technology at Boise State University, although not before several employees responded to the emails and disclosed their credentials. In this campaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account by “Health Services,” purporting to be an update on workplace safety. The emails had the subject line “Workplace Safety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection had been reported to the health department.

In the message, recipients were advised about a health matter involving a member of staff, advising them to contact the Health Service department if they believed they had any contact with the unnamed worker.  In order to find out if they had any contact with the worker, the link must be clicked. The link directed the user to a fraudulent login page on an external website, where they were required to enter their credentials. The login page had been created to look like it was a legitimate Boise State University page, captured credentials, and used a Duo Securit notification to authorize access to their account.

These targeted campaigns are now common, especially at large organizations where it is possible to compromise a significant number of accounts and is worth the attacker’s time to develop a targeted campaign. Another attack was recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the HR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were tricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their personal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit information to have the employees’ wages paid into the attacker’s account. Several employees were fooled by the scam; although in this case the attack was detected promptly and the SSTA system was disabled to prevent fraudulent transfers.

A different type of campaign recently targeted multiple employees via email, although the aim of the attack was to grant the threat actor access to the user’s device by convincing them to install the legitimate remote access solution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses and bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was to create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group has also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help desk and offered assistance resolving the spam problem they created, which involved downloading AnyDesk and granting access to their device. During the session, tools are installed to provide persistent access. The threat actor then moved laterally within the network and extensively deployed ransomware.

These attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags should have been spotted revealing these social engineering attempts for what they are but more than one employee failed to spot them. It is important to provide security awareness training to the workforce to raise awareness of phishing and social engineering threats, and for training to be provided regularly. Training should include the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support calls, malicious websites, smishing, and vishing attacks.

A phishing simulator should be used to send realistic but fake phishing emails internally to identify employees who fail to spot the red flags. They can then receive additional training relative to the simulation they failed. By providing regular security awareness training and conducting phishing simulations, employers can develop a security culture. While it may not be possible to prevent all employees from responding to a threat, the severity of any compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored training courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to phishing and other threats.

Since threat actors most commonly target employees via email, it is important to have robust email defenses to prevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide range of threat detection methods to block more threats, including reputation checks, extensive message analysis, machine-learning-based detection, antivirus scans, and email sandboxing for malware detection.  SpamTitan has been shown to block more than 99.99% of phishing threats and 100% of malware.

TOAD Attacks: New Voice-Based Phishing Techniques Used in Attacks on Businesses

by titanadmin | Oct 24, 2024 | Phishing & Email Spam |

Phishing is one of the most effective methods used by cyber actors to gain initial access to protected networks Phishing tactics are evolving and TOAD attacks now pose a significant threat to businesses. TOAD stands for Telephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a telephone call, although there are often several different elements to a TOAD attack which may include initial contact via email, SMS messages, or instant messaging services.

TOAD attacks often start with an information-gathering phase, where the attacker obtains personal information about individuals that can then be targeted. That information may only be a mobile phone number or an email address, although further information is required to conduct some types of TOAD attacks.

One of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity in an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the targeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a website, the next phase of the attack takes place over the telephone or a VOIP-based service such as WhatsApp. A phone number is included that must be called to resolve a problem.

If the call is made, the threat actor answers and during the call, trust is built with the caller and the threat actor makes their request. That could be an instruction to visit a website where sensitive information must be entered or a file must be downloaded. That file download leads to a malware infection.

Several TOAD attacks have involved the installation of legitimate remote access software. One campaign involved initial contact via email about an expensive subscription that was about to be renewed, which required a call to cancel. The threat actor convinces the user to download remote access software which they are told is necessary to prevent the charge being applied, such as to fully remove the software solution from the user’s device.

The user is convinced to give the threat actor access to their device through the software and the threat actor keeps the person on the line while they install malware or perform other malicious actions, reassuring them if they get suspicious.  Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam, where an email impersonates a bank and warns the victim that an account has been opened in their name or a large charge is pending. These attacks result in the victim providing the threat actor with the information they need to access their account.

TOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a family member. Since information is gathered before the scam begins, when the call is made, the threat actor can provide that information to the victim to convince them that they are who they claim to be. That information may have been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare data breach, the healthcare provider may be impersonated, and the attacker can provide medical information in their possession to convince the victim that they work at the hospital.

The use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is mimicked, or video images are manipulated on video conferencing platforms. Deepfakes were used in a scam on an executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s account, believing they were communicating with a trusted individual via a video conferencing platform.

TOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the caller ID to make it appear that the call is coming from a known and previously verified number. Other methods may be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service attack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be resolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to pull off due to email security solutions, multifactor authentication, and improved user awareness about scam messages.

Unfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive strategy is required that combines technical measures, security awareness training and administrative controls. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that are used for initial contact. These advanced detection capabilities are needed because the initial emails often contain no malicious content, other than a phone number. SpamTitan, TitanHQ’s cloud-based anti-spam service, can detect these initial emails through reputation checks on the sender’s IP address, email account, and domain, and machine learning is used to analyze the message content, including comparing emails against the typical messages received by a business.

WebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will block access to known malicious sites and can be configured to prevent certain file types from being downloaded from the internet, such as those commonly used to install malware, unauthorized apps, and remote access solutions.

Regular security awareness training is a must. All members of the workforce should be provided with regular security awareness training and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, makes it easy for businesses to create and automate training courses for the workforce. Employees should be trained in how to identify a TOAD attack, told not to trust caller ID alone, to avoid clicking links in emails and SMS messages, and to be vigilant when receiving or making calls, and to report any suspicious activity and immediately end a call if something does not seem right.

Mamba 2FA Phishing Kit Used to Bypass MFA on Microsoft 365 Accounts

by titanadmin | Oct 20, 2024 | Phishing & Email Spam |

Researchers have identified a new phishing kit that is being used to steal credentials for Microsoft 365 accounts and gain access to accounts protected by multi-factor authentication (MFA). The phishing kit, called Mamba 2FA is a cause of concern as it has the potential to be widely adopted given its relatively low price and there are signs it is proving popular with cybercriminals since its release in late 2023. Phishing kits make it easy for low-skilled cybercriminals to conduct sophisticated attacks as they provide all the tools required to breach accounts. The Mamba 2FA kit includes the necessary infrastructure to conduct phishing campaigns, masks IP addresses to prevent them from being blocked, and updates the phishing URLs frequently to ensure they remain active and are not blocked by security solutions.

The Mamba 2FA kit includes phishing pages that mimic Microsoft services such as OneDrive and SharePoint, and the pages can be customized to create realistic phishing URLs for targeting businesses, including allowing the business logo and background images to be added to the login page. Since businesses often have MFA enabled, simply stealing Microsoft credentials is not sufficient, as the MFA will block any attempt to use the credentials for unauthorized access. Like several other popular phishing kits, the Mamba 2FA kit supports adversary-in-the-middle (AitM) attacks, incorporating proxy relays to steal one-time passcodes and authentication cookies in real time. When credentials are entered into the phishing page, they are relayed to Microsoft’s servers in real-time and Microsoft’s responses are relayed back to the victim, including MFA prompts, which allows the threat actor to steal the session cookie and gain access to the user’s account.

Phishing kits such as Mamba 2FA pose a serious threat to businesses, which should take steps to protect against attacks. The AitM tactics can defeat less secure forms of MFA that are based on one-time passwords but are not effective against hardware-based MFA. Implementing phishing-resistant MFA will ensure these attacks do not succeed. Other recommended controls include geo-blocking and allowlisting for IPs and devices. While these advanced phishing kits are effective, threat actors must convince people to click a link in an email and disclose their login credentials, and with advanced email security solutions these phishing threats can be identified and blocked before they reach inboxes. Training should also be provided to the workforce to help with the identification and avoidance of phishing.

TitanHQ can help through the SpamTitan cloud-based spam filtering service and the SafeTitan security awareness training and phishing simulation platform. SpamTitan incorporates reputation checks, Bayesian analysis, greylisting, machine learning-based detection, antivirus scans, and email sandboxing to block phishing and malware threats. Independent tests demonstrated SpamTitan was one of the best spam filtering solutions for businesses at blocking threats, with a 99.99% phishing block rate and a 100% malware block rate.

The SafeTitan security awareness training platform makes it easy for businesses to provide regular cybersecurity awareness training. The platform includes more than 80 training modules, videos, and webinars, with hundreds of phishing simulation templates based on real-world phishing examples. Regular training and phishing simulations have been proven to be highly effective at reducing susceptibility to phishing and other threats targeting employees. This month, TitanHQ has also launched its security awareness training platform for MSPs, which has been specifically developed to make it quick and easy for MSPs to incorporate security awareness training into their service stacks. Speak with TitanHQ today for more information about these and other cybersecurity solutions for combatting the full range of cyber threats.

Evidence Found Indicating Cybercriminals Are Using GenAI Tools for Malware Creation

by titanadmin | Sep 27, 2024 | Phishing & Email Spam |

Generative artificial intelligence (GenAI) services are already being leveraged by cybercriminals to create convincing phishing emails, and it appears that these tools are being used for the creation of malware. GenAI services are capable of writing code; however, guardrails have been implemented to prevent malicious uses of these tools, such as the creation of malware. If those guardrails can be circumvented, the creation of malware would no longer be limited to skilled malware developers. Lower-skilled cybercriminals could develop their own malware using GenAI services, and there is growing evidence they are doing just that.

Over the summer, HP security researchers identified an email campaign targeting French users. The phishing email used HTML smuggling (encrypted HTML) to evade detection, and on analysis, the campaign delivered malicious VBScript and JavaScript code that appeared to have been created using GenAI tools. The entire malicious code included comments about what each function does, which is rare in malware development as the exact workings of the code tend not to be described. The comments, along with the use of native language function names and variables all suggest that GenAI was used to create the malware.

The code was used to deliver AsyncRAT malware, a widely available, open source malware that is an information stealer capable of recording the victim’s screen and logging keystrokes. The malware also acts as a malware downloader that can deliver other malware payloads, including ransomware. In this campaign, little technical skill was required as HTML smuggling does not require any programming, the malware being delivered is widely available, and the fact that the comments had not been removed and there was no obfuscation, points to the development of malware by an inexperienced cybercriminal.

There have been other examples of apparent malicious code creation using GenAI, such as a malicious PowerShell script identified earlier this year that was also used to deploy infostealer malware. That campaign targeted users in Germany and impersonated Metro cash-and-carry and was also delivered via email. Just as GenAI tools are helping writers rapidly create written content, GenAI tools can be used to rapidly develop malicious code. ChatGPT and Gemini have guardrails in place that it may be possible to circumvent, but there are many dark LLMs that lack those controls such as WormGPT and FraudGPT. If these tools are leveraged, relatively low-skilled cybercriminals can develop their own malware variants.

Traditional antivirus solutions use signature-based detection. When malware is identified, a signature is added to the antivirus solution for that specific malware variant that allows it to be detected in the future. There is a delay between the creation of malware and the addition of malware signatures to the definition lists of antivirus solutions, during which time malware can easily be smuggled onto devices undetected. If the creation of malware can be accelerated with GenAI tools, cybercriminals will have the upper hand.

The solution for businesses is to deploy security solutions capable of detecting novel malware variants by their behavior rather than a signature. Since malware is commonly delivered via email, having a cloud-based email security solution that incorporates behavioral analysis of attachments will help identify and neutralize these malware variants before they can be installed.

SpamTitan from TitanHQ is a cloud-based antispam software that incorporates email sandboxing. When standard antivirus checks are passed, suspicious emails and attachments are sent to a next-generation email sandbox for deep inspection, where the behavior of the attachments is assessed in an isolated sandbox environment.  If malicious actions are detected, the threat is neutralized. SpamTitan also incorporates AI-based and machine-learning detection mechanisms to assist with malicious email detection, and along with a host of other checks ensure malicious emails are detected and blocked. In recent independent tests, SpamTitan has a 99.99% phishing catch rate and a 100% malware catch rate, with zero false positives.

SpamTitan, like all other TitanHQ cybersecurity solutions, is available on a free trial to allow you to see for yourself the difference it makes. To find out more about protecting your business from increasingly sophisticated threats, give the TitanHQ team a call.

Novel QR Code Phishing Campaign Steals M365 Credentials via Microsoft Sway

by Jennifer Marsh | Aug 30, 2024 | Phishing & Email Spam |

QR codes are used for a wide range of purposes, including marketing, communications, and even in restaurants to direct diners to menus, and with the popularity of QR codes soaring it should be no surprise that they are being used by cybercriminals in their phishing campaigns. QR codes are similar to the bar codes on products. They are black and white images that contain information, which for QR codes is commonly a URL for a web page or hosted file. A camera on a smartphone is used to scan the code, which will detect the URL, and the user can click that URL to visit the resource. It is far more convenient than entering a URL on a mobile phone keypad.

The use of QR codes has been growing considerably. According to a 2024 report from QR Tiger on QR Code trends, there has been 47% year-over-year growth in QR code usage. The convenience of QR codes and their growing popularity have not been lost on cybercriminals who are using QR codes to direct unsuspecting users to malicious websites that host malware or are used to phish for credentials. As an added advantage, many traditional security solutions are unable to assess the URLs in QR codes and fail to block access to malicious sites.

QR code phishing (aka quishing) may involve QR codes sent via email. Instead of embedding a hyperlink in an email, a QR code is used to evade email security solutions. A novel campaign has recently been detected by security researchers at Netskope Threat Labs that uses QR codes to steal Microsoft 365 credentials. In this campaign, a Microsoft 365 product called Microsoft Sway is abused to host the spoofed web pages.

Microsoft Sway is used for creating newsletters and presentations and was first released by Microsoft under the M365 product suite in 2015. Since Microsoft Sway is a legitimate Microsoft cloud-based tool, a link to a Sway presentation is unlikely to be identified as malicious by security solutions, as Sway is a trusted platform. The link to the Sway presentation may be distributed in emails, SMS messages, and instant messenger platforms, or can be added to websites in an iframe. A QR code could even be used to direct a user to the Sway presentation.

That presentation includes a QR code that encodes a URL for a website that masquerades as a legitimate Microsoft site. If scanned, the user is directed to a web page where they are asked to enter their Microsoft 365 credentials. What makes this campaign even harder for users to identify is the transparent phishing technique used.  Entering credentials will log the user into the legitimate site, and at the same time credentials are captured along with any MFA code, which are relayed to the attacker. The credentials and MFA code are then used to hijack the account.

TitanHQ offers several cybersecurity solutions that provide layered protection against advanced phishing attempts, including quishing. Since these scams target individuals, it is important to raise awareness of the threat by providing security awareness training to the workforce. The SafeTitan platform from TitanHQ includes a wealth of training content, including modules for raising awareness of quishing. The platform also includes a phishing simulator with quishing templates to test whether employees scan QR codes and visit the websites they encode.

Regardless of how a URL is communicated to a member of the workforce, it is possible to block access to a malicious URL with a DNS filter. TitanHQ’s DNS filter, WebTitan, blocks access to all known malicious websites and is constantly updated with the latest threat intelligence from a global network of users. As soon as a malicious URL is detected, the solution is updated and all WebTitan users are protected. QR code may direct users to websites where malware is downloaded. WebTitan can be configured to block file downloads from the internet by file type.

QR codes are commonly sent via email, so an advanced email security solution is required. SpamTitan is a cutting-edge spam filtering service that uses advanced detection techniques, including AI and natural language processing to identify and block these threats, even zero-minute phishing attempts. In contrast to many spam filters for incoming mail, SpamTitan can detect novel phishing and quishing attempts. Finally, businesses can add another layer of protection through PhishTitan, TitanHQ’s advanced anti-phishing solution for Microsoft 365 which blocks attempts to visit phishing sites and allows security teams to easily remediate phishing attempts across their entire email system.

Phishers are constantly developing new tactics and techniques for distributing malware and stealing credentials, but with TitanHQ solutions in place, you will be well protected against these rapidly evolving threats. Talk with TitanHQ’s cybersecurity experts today for more information on staying one step ahead of cybercriminals and keeping your company safe.

Increasingly Advanced Phishing Campaigns Being Launched by Russia

by Jennifer Marsh | Aug 20, 2024 | Phishing & Email Spam |

Russian threat actors have been conducting increasingly advanced phishing campaigns against media organizations, international NGOs, and other targets perceived as being a threat to Russia. According to a recent report from Access Now and Citizen Lab, several international NGOs have reported being targeted with spear phishing emails in a campaign that has been ongoing since the start of 2023.

The campaign has been attributed to a threat actor known as COLDRIVER (aka Star Blizzard, Calisto) which multiple governments have attributed to the Russian Federal Security Service (FSB), and another campaign has been conducted by a second threat group, a relatively;y new threat group known as COLDWASTREL, whose interests align with those of COLDRIVER.

The campaigns aim to steal credentials rather than infect devices with malware. Spear phishing emails are used to make initial contact and trick the targets into disclosing their credentials. Emails are sent to individuals that have been highly personalized to maximize the probability of the recipient responding. A common theme was to make initial contact by masquerading as a person known to the target, including colleagues, funders, and U.S. government employees.

One of the common lures used in the emails was to request that the recipient review a document relevant to their work, which for media companies was often a draft article. In some of the emails, the document that the target was requested to view was not attached to the email. The failure to attach the file is likely a tactic used by the threat actor to see if the recipient responds and to only provide the file if they do. That could help to ensure that only the intended recipient is presented with the malicious file, reducing the risk of detection.

The file is often a PDF file, which if opened, only displays blurred text. The target is told that the text has been encrypted using an online service e.g. ProtonDrive. In order to view the document, the recipient is required to click a link. If the link is clicked, JavaScript code is fetched from the attacker’s server which fingerprints the system. If deemed to be of interest, they are directed to a URL that has a CAPTCHA check that must be passed to prevent bots from landing on the destination URL.

The landing page presents the user with a login prompt relevant to their email service, such as Gmail or ProtonMail, which may be pre-populated with the user’s email address so they are only required to enter their password and multifactor authentication code. If they are entered, the threat actor will obtain a session cookie that will allow them to access the account for some time before they are required to reauthenticate, allowing them to immediately access sensitive information in the target’s email account and associated online storage, such as Google Drive. The domains used for these campaigns did not remain operational for more than 30 days and they were registered with Hostinger, which rotates the IP addresses for the domains every 24 hours in an effort to prevent the sites being blocked by security solutions.

The targets of the campaign who spoke with the researchers chose to remain anonymous. They included Russian opposition figures in exile, NGO staff members in the US and Europe, funders, and media organizations. The researchers suggest that the campaign may have been conducted more broadly on other targets that are perceived threats to Russia. The researchers said a common theme among the targets was that they had extensive networks among sensitive communities and links to Russia, Ukraine, and Belarus.

Spear phishing campaigns can be highly effective as they are hyper-focused on small numbers of individuals and often are highly researched preceding initial contact to ensure that the right person is impersonated and a lure is used that the target is likely to respond to. Various measures are also used to reduce the chance of detection, including avoiding sending malicious content in the initial email, the use of CAPTCHA checks, and rotating IP addresses. Standard email security solutions may fail to detect these threats which means it is often down to the individuals to identify and avoid these threats. The consequences of failing to do so can be severe, especially for the targeted individuals in this campaign who could be subjected to physical harm or arrest and imprisonment.

Spear phishing is also used by cybercriminals in their campaigns, and while these attacks are typically financially motivated, they can cause significant harm to businesses. Similar tactics are used and the campaigns can be highly effective. To block spear phishing and other sophisticated phishing attacks, businesses need to have advanced email security measures that include email sandboxing and machine learning algorithms to identify potentially malicious emails, since standard checks of the sender’s reputation, embedded URLs, and malware scans are unlikely to identify anything suspicious. This is an area where TitanHQ can help. Give the team a call to find out more about protecting against advanced phishing and malware threats.

Massive Phishing Campaign Defeats SPF and DKIM by Leveraging Proofpoint Misconfiguration

by Jennifer Marsh | Jul 31, 2024 | Phishing & Email Spam |

A massive phishing campaign that involved around 3 million emails a day was made possible due to a misconfiguration in Proofpoint’s email servers. The vulnerability was exploited to get the emails DomainKeys Identified Mail (DKIM) signed and approved by SPF, thereby ensuring the emails were delivered to inboxes.

Researchers at Guardio identified the campaign, which ran from January 2024 to June 2024 and at its peak involved sending around 14 million emails a day. The purpose of the campaign was to steal credit card numbers and set up regular credit card payments. The emails impersonated well-known brands such as Nike, Disney, Coca-Cola, and IBM. As is common in phishing attempts, the headers of the emails were spoofed to make it appear that the email had been sent by a genuine company. The majority of spam filters would be able to detect this spoofing and block the emails because they use Sender Policy Framework (SPF) and DKIM, specifically to detect and prevent spoofing.

Emails must be sent from approved servers to pass SPF checks and they must be authenticated using the DKIM encryption key for the domain. With DKIM, public-key cryptography is used to sign an email with a private key when it leaves the sender’s server, and the recipient server uses the public key to verify the source of the message. If the from filed matches the DKIM check is passed and the email is determined to be authentic and will be delivered. If not, the email will identified as spam and will be blocked. In this campaign the emails were all properly signed and authenticated, ensuring that they would be delivered.

For an email that impersonated Nike, a spoofed email address would be used with the nike.com domain, which thanks to passing the SPF and DKIM checks, would be verified by the recipient as having been authenticated. The recipient may be fooled that the email has come from the genuine company domain, and since the emails themselves contained that company’s branding and provided a plausible reason for taking action, the user may click the link in the email.

As with most phishing emails, there is urgency. Action must be taken quickly to avoid negative consequences, such as an impending charge, notification about the closure of an account, or another pressing matter.  If the link is clicked, the user will be directed to a phishing site that also spoofs the brand and they are asked to provide their credit card details. Alternatively, they are offered a too-good-to-be-true offer, and by paying they also enroll in an ongoing subscription involving sizeable monthly charges.

The way that the attackers got around the checks was to send the emails from an SMTP server on a virtual server under their control and to route them through a genuine Office 365 account on an Online Exchange server, then through a domain-specific Proofpoint server which sent the email on to the intended recipient. Since the Proofpoint customers being spoofed had authorized the Proofpoint service to send emails on their behalf as an allowed email sender, the attackers only had to find a way to send spoofed emails through the Proofpoint relay. Due to a misconfiguration that allowed Microsoft Office 365 accounts to easily interact with its relay servers, they were able to do just that, pass SPF and DKIM checks, and make their fake emails appear to be clean.

They obtained the MX record for the company being spoofed by querying the domain’s public DNS, then routed the email through the correct Proofpoint host that is used to process email for that domain. Since the Proofpoint server was tricked into believing that the emails had come from the genuine domains of its customers – such as Nike and Disney – the emails were then forwarded to the intended recipients rather than being quarantined.

Spammers are constantly developing new methods of defeating the best email security solutions and while email security products can usually block spam and malicious emails, some will be delivered to recipients. This is why it is important to have layered defenses in place to protect against all phases of the attack. For instance, in this attack, spam filters were bypassed, but other measures could detect and block this attack. For instance, a web filter can be used to prevent a user from visiting a phishing website linked in an email, and security awareness training should be conducted to teach employees how to identify the signs of phishing, to check the domain of any website linked in an email, and to also check the domain when they arrive on any website.

Microsoft Forms Used in Phishing Campaign Targeting M365 Credentials

by titanadmin | Jul 31, 2024 | Phishing & Email Spam |

Microsoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a feature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used in the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent abuse, but these campaigns show that those measures are not always effective.

To increase the probability of the phishing emails being delivered and the recipients responding, threat actors use compromised email accounts for the campaigns. If a business email account can be compromised in a phishing attack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to conduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account, which may even be whitelisted on email security solutions to ensure that their messages are delivered.

If the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that the user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to enter their Microsoft 365 credentials. If the credentials are entered, they are captured by the attacker and are used to access their account.

The initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests to change passwords, and notifications about shared documents. When the user lands on the form, they are told to click a link and fill in a questionnaire, that link then sends the user to a phishing page that appears to be a genuine login page for Microsoft 365 or another company, depending on which credentials are being targeted.

The attackers make their campaign more realistic by using company logos in the phishing emails and familiar favicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL provided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine Microsoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also makes it much harder for email security solutions to determine that the email is not legitimate as the forms.office[dot]com is generally trusted as it has a high reputation score.

When these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has a ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to shut it down. The problem is that these emails are being sent in huge numbers and there is a considerable window of opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web pages and forms and continue.

These phishing campaigns involve two phases, the first phase involves compromising email accounts to send the initial phishing emails. An advanced email security solution with sandboxing, URL rewriting, and AI-based detection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office 365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts. Banner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant as it may be up to them to spot and report the phishing attempt. That means security awareness training should be provided to raise awareness of these types of phishing attempts.

Security awareness training should also incorporate phishing simulations, and it is recommended to create simulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing attempts, they can be provided with further training and told how they could have identified the scam. If another Microsoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.

TitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite, which includes SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan security awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection rates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to employee mistakes. Give the TitanHQ team a call today for more information about these products, you can book a product demonstration to find out more, and all solutions are available on a free trial.

Don’t Put Up with Substandard Phishing Protection for M365!

by Jennifer Marsh | Jul 29, 2024 | Phishing & Email Spam |

Businesses that rely on Microsoft Defender for detecting malware and phishing emails may not be as well protected as they think. While Defender performs a reasonable job at blocking malware, spam, and phishing emails, it lacks the high detection levels of many third-party anti-phishing solutions.

Take malware for example. A study conducted in 2022 by AV-Comparatives found Defender only had a 60.3% offline detection rate. Fast forward to Q2, 2024, and TitanHQ’s email security suite was put to the test alongside 12 other email security solutions by Virus Bulletin. In the independent tests, TitanHQ had a malware catch rate of 100%.

In the same round of testing, TitanHQ’s spam filter for Office 365 and the email security suite had a spam catch rate of over 99.98%, a phishing email catch rate of 99.99%, and was given an overall final score of 99.984, the second highest in the tests. It is possible to configure an email solution to provide maximum protection; however, that will be at the expense of an elevated number of false positives – genuine emails that are inadvertently marked as potentially suspicious and are quarantined until they are released by an administrator. In the tests, TitanHQ had a 0.00% false positive rate, with no genuine emails misclassified.

Another issue with Microsoft Defender is the exception list, which contains locations such as files, folders, and processes that are never scanned. These are used to ensure that legitimate apps are not scanned, to prevent them from being misclassified as malware. The problem is that the exception list lacks security protections, which means it can be accessed internally by all users. Should a device be compromised, a threat actor could access the exceptions list, identify folders and files that are not scanned, and use those locations to hide malware.

Given the increasingly dangerous threat environment and the high costs of a cyberattack and data breach, businesses need to ensure they are well-defended, which is why many businesses are choosing to protect their Microsoft 365 environments with TitanHQ’s PhishTitan anti-phishing solution.

PhishTitan is a cloud-based, AI-driven solution for Microsoft 365 that integrates seamlessly into M365 to increase protection from sophisticated phishing attacks. Rather than replacing Microsoft’s EOP and Defender protections, PhishTitan augments them and adds next-generation phishing protection, not only ensuring that more threats are blocked but also giving users easy-to-use remediation capabilities.

PhishTitan adds advanced threat detection capabilities through machine learning and LLM to identify the zero-day and emerging threats that are missed by Defender. PhishTitan provides real-time protection against phishing links in emails in addition to checks performed when the email is received. URLs are rewritten for Link Lock protection with all links reassessed at the point a user clicks to ensure that URLs that have been made malicious after delivery are detected and blocked. If the link is detected as malicious, access to that URL will be prevented.

PhishTitan also adds banner notifications to emails to alert users to unsafe content and emails from external sources, and the auto-remediation feature allows all threats to be instantly removed from the entire mail system, with robust cross-tenant features for detection and response for MSPs.

PhishTitan has also been developed to be quick to set up and configure. There is no need to change MX records, setup typically takes less than 10 minutes, and the solution is incredibly easy to manage. Why put up with inferior threat detection and complex interfaces, when you can improve the Office 365 phishing protection with an easy-to-use anti-phishing solution

Don’t take our word for it though. Take advantage of the free trial of PhishTitan to see for yourself. Product demonstrations can also be arranged on request.

ZeroFont Phishing Scam Targets Microsoft 365 Users

by titanadmin | Jul 27, 2024 | Phishing & Email Spam |

A ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the ZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into thinking the email is genuine and safe.

The ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new technique; however, this version uses a novel approach. When an email is sent to a business user, before that email is delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will perform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of spam or phishing. Only if those checks are passed will the message be delivered to the end user. ZeroFont is a technique for hiding certain words from email security solutions to ensure that the messages are not flagged as spam and are delivered.

According to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat actor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not have access. Spam filters will check to make sure that the domain from which the email is sent matches the signature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the signature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical string of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of zero, which means the text is machine-readable but cannot be seen by the user.

A recent campaign uses the ZeroFont techniques but with a twist. In this campaign, the aim is not to trick a spam filter but to instead trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view option, which will show the user the first lines of text of an email. The problem for phishers is getting Outlook users to engage with the messages, which means the messages must be sufficiently compelling so as not to be deleted without opening them. This is especially important if the sender of the email is not known to the recipient.

The email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear trustworthy by displaying text indicating the message had been scanned and secured by the email security solution, rather than showing the first lines of visible content of the message. This was achieved by using a zero font size for some of the text. The threat actor knew that the first lines of the emails are displayed by the mail client in the listing view, regardless of the font size, which means if the font is set to zero, the text will be displayed in the listing view but will not be visible to the user in the message body when the email is opened.

The email used a fake job offer as a lure and asked the user to reply with their personal information: Full name, address, phone number, and personal email, and impersonated the SANS Technology Institute. The full purpose of the phishing attempt is not known. There were no malicious links in the email and no malware attached so the email would likely pass through spam filters. If a response is received, the personal information could be used for a spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in place, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.

Security awareness training programs train employees to look for signs of phishing and other malicious communications, and they are often heavily focused on embedded links in emails and attachments. Emails such as this and callback phishing attempts lack the standard malicious content and as such, end users may not identify them as phishing attempts. It is important to incorporate phishing emails such as this in security awareness training programs to raise awareness of the threat.

That is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message formats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator includes thousands of phishing templates from real-world phishing attempts. It is easy for businesses to create and automate comprehensive security awareness training programs for the workforce and provide training on how to identify novel techniques such as this when they are identified, to ensure employees are kept up to date on the latest tactics, techniques, and procedures used by cybercriminals.

CrowdStrike Phishing and Malware Distribution Scams Mount Following Outage

by Jennifer Marsh | Jul 26, 2024 | Phishing & Email Spam |

CrowdStrike has confirmed that a significant proportion of Windows devices that were rendered inoperable following a faulty update last Friday have now been restored to full functionality; however, businesses are still facing disruption and many scams have been identified by cybercriminals looking to take advantage.

One of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to provide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update that caused Windows devices to crash and display the blue screen of death. The phishing emails include a document attachment named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows. docm.” The document is a copy of a Microsoft support bulletin, which claims that a new Microsoft Recovery Tool has been developed that automates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable content; however, doing so will allow a macro to run, which will download a malicious DLL, which launches the Daolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies stored in Chrome and Firefox.

Another campaign has been identified that capitalizes on the defective Falcon Sensor update. The spear phishing campaign targeted German firms and attempts to distribute a fake CrowdStrike Crash Reporter installer via a website that spoofs a legitimate German company. The website was registered a day after the CrowdStrike disruptions started. If the user attempts to download the installer by clicking the download button in the email, a ZIP archive will be delivered that includes a malicious InnoSetup installer. If executed, the user is shown a fake CrowdStrike branded installer. The installer is password-protected to prevent analysis and the final payload could not be determined.

Another campaign attempts to distribute Lumma information-stealing malware. The campaign uses the domain, crowdstrike-office365[.]com, and tricks the recipient into downloading a fake recovery tool to deal with the boot loop that prevents Windows devices from booting up. If the downloaded file is executed, it delivers a malware loader, which will, in turn, deliver the Lumma infostealer.

These are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the way to make contact with individuals affected by the outage. Many other campaigns are being conducted and a large number of CrowdStrike-themed domains have been registered since the problems started. Other malicious domains used in campaigns include the following, all of which should be blocked.

crowdstrike-helpdesk.com

crowdstrike.black

crowdstrikefix.zip

crowdstrikebluescreen.com

crashstrike.com

fix-crowdstrike-bsod.com

crowdstrike-falcon.online

crowdstrike-bsod.com

crowdstrikedoomsday.com

crowdstrikedown.site

crowdstrikefix.com

isitcrowdstrike.com

crowdstriketoken.com

crowdstrike0day.com

crowdstrikeoutage.com

These scams are likely to continue for some time, so it is important to remind employees of the high risk of malicious emails and warn them to exercise extreme caution with any emails received. Employees should be told to report any suspicious emails to their security team.

TitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of which are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan web filter for blocking access to known malicious websites, such as those detailed in this email; the PhishTitan anti-phishing solution for Office 365, and the SpamTitan corporate email filter for blocking phishing emails. The latter incorporates email sandboxing for blocking novel and obfuscated malware threats. TitanHQ also provides a comprehensive security awareness training platform and phishing simulator for improving your human defenses by raising awareness of cyber threats and providing timely training content on the latest tactics used by cybercriminals in targeted attacks on employees.

Give the TitanHQ team a call today for further information on improving your defenses, or take advantage of the free trial available with all TitanHQ products to get immediate protection.

Surge in Fake Websites and Phishing Related to CrowdStrike Windows Outage

by Jennifer Marsh | Jul 22, 2024 | Phishing & Email Spam |

On July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for CrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue Screen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry showed 8.5 million Windows devices had been affected in around 78 minutes.

CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection and response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses around the world, including around half of Fortune 500 firms. The disruption caused by the update has been colossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable to access electronic patient records and had to cancel appointments and surgeries, financial institutions faced major disruption, and some media companies were unable to broadcast live television for hours. Even organizations that did not use the Falcon product were adversely affected if any of their vendors used the product. The incident has been called the worst-ever IT outage, with huge financial implications.

It did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were registering fake websites impersonating CrowdStrike offering help fixing the problem, and domains were registered and used in phishing campaigns promising a rapid resolution of the problem. Given the huge financial impact of suddenly not having access to any Windows devices, there was a pressing need to get a rapid resolution but the fixes being touted by cybercriminals involved downloading fake updates and hotfixes that installed malware.

Those fake updates are being used to deliver a range of different malware types including malware loaders, remote access Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where they are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have been posing as tech specialists and independent researchers and have been using deepfake videos and voice calls to get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive codes.

CrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each affected device to be manually fixed. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it will likely take some time for a full recovery for all affected users, creating a sizeable window of opportunity for threat actors. Due to the surge in criminal activity related to the outage, everyone should remain vigilant and verify the authenticity of any communications, including emails, text messages, and telephone calls, and only rely on trusted sources for guidance.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded all organizations of the importance of having robust cybersecurity measures in place to protect their users, assets, and data, and to remind all employees to avoid opening suspicious emails or clicking on unverified links in emails.

It is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including AI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect and neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business in all of these areas and offers a cloud-based spam filtering service (SpamTitan) which includes email sandboxing and email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness training and phishing simulator.

Is Your Business Prepared for a Summer of Scams?

by Jennifer Marsh | Jul 1, 2024 | Phishing & Email Spam |

Phishing attacks and business email compromise scams are leading causes of losses to cybercrime and attacks have increased in 2024. According to the Federal Bureau of Investigation, phishing is the leading cause of complaints to its Internet Crime Complaint Center and business email compromise currently ranks second out of all tracked forms of cybercrime in terms of total losses.

Over the coming days and weeks, there are several events that cybercriminals take advantage of in their attacks and scams. The UEFA European Football Championship is currently taking place in Germany and thousands of individual phishing campaigns have been detected so far that are piggybacking on the popularity of the championship in Europe and beyond.

Cybercriminals often take advantage of sporting events and commonly use lures related to tickets, which usually sell out months before the first football is kicked and this year is no exception. Now that the tournament is underway and broadcasters and other legitimate entities are running competitions offering free tickets to the finals, scammers are doing the same and are using email and social media networks to advertise their scams. These campaigns use realistic websites that are almost identical to the brands they spoof and attempt to steal sensitive information such as credit card numbers and login credentials.

Many of the phishing attacks and scams impersonate businesses associated with the tournament. These include accommodation providers, airlines and travel companies, and others. The Wimbledon tennis tournament is underway, which will be shortly followed by another major sporting event in Paris – The 2024 Olympics. The latter has a huge global audience and there is a high risk of cyber threat activity using Olympics-themed lures. Cybercriminals are impersonating event organizations, sponsors, ticketing systems, and travel companies. Many cyber espionage groups and nation-state actors are likely to target the Olympics, in addition to financially motivated threat actors.

This week, there is a major celebration in the United States on July 4. Independence Day is a very active time for a host of malicious actors who conduct scams related to the celebrations, including holiday-themed texts and emails, fake giveaways and vouchers, and Independence Day event ticket scams. Being a major holiday in the United States when staffing levels are greatly reduced, it is a time when many ransomware groups choose to strike as their activities are less likely to be identified.

Also on July 4, 2024, a major event is taking place across the Atlantic in the UK. The UK general election will be taking place to decide the next government and scammers are already taking advantage and are using deepfake scams and malicious websites used to steal information and influence voters. It will be a similar story in the United States in the run-up to the November Presidential election.

With so many events taking place, it is vital for everyone to be on their guard and be constantly alert to the threat of scams, phishing, and malware attacks. Due to the elevated threat from phishing, businesses should step up their security awareness training to raise awareness of cyber threats and teach cybersecurity best practices. It is a good idea to use these events in your internal phishing simulations to identify any knowledge gaps and provide immediate training to any individual who fails a phishing simulation.

Security awareness training is made simple with SafeTitan from TitanHQ. SafeTitan is a comprehensive security awareness training platform that teaches security best practices to eradicate risky behaviors, raises awareness of the threat from phishing and malware, teaches the red flags to look for in emails and texts, and what to do if a potential threat is found. The phishing simulator can be used to automate internal phishing simulations to test awareness of threats and how employees are applying their training.

It is also a good time for businesses to bolster email security with an advanced email security solution. SpamTitan from TitanHQ is an advanced email security solution that uses predictive techniques to identify malicious emails, including AI and machine learning to block phishing threats and email sandboxing to block malware. SpamTitan integrates seamlessly with Microsoft 365 and is consistently rated as one of the best spam filters for Outlook, improving the native defenses that Microsoft offers. TitanHQ also offers a host of cybersecurity solutions for managed services providers, including advanced phishing protection, to help them better protect their clients.

If you want to improve protection this summer against increasingly sophisticated cyberattacks and scams, give the TitanHQ team a call to find out more about improving your security posture.

Malicious Email Campaign Deliver a Malware Cluster Bomb of Up to 10 Viruses

by Jennifer Marsh | Jun 30, 2024 | Phishing & Email Spam |

Many malware infections start with a malicious email that contains a file attachment with a malicious script that downloads malware if executed. One response to a single email is all it takes to infect the user’s device with malware, which may be able to spread across the network or at least provide the threat actor with the foothold they need in the network for follow-on activities. There is a much worse scenario, however. Rather than a single user infecting the network with one malware variant, that single response to the malicious email results in multiple malware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that can infect the user’s device with up to 10 different malware variants.

The campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as Unfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been attacked, although most of the victims have so far been located in the United States. The campaign has been running since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and malware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of malicious files in the 5 months since the operation is believed to have commenced.

In the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called WExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is executed, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting with the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with some of those stages delivering multiple malware variants.

The malware variants delivered vary but they consist of information stealers, backdoors, malware loaders, and botnets. Information stealers include Redline Stealer, Mystic Stealer, and RisePro, and malware loaders including Amadey and SmokeLoader. Other malware variants are used to disable security solutions such as Windows Defender, help with obfuscation and hiding malware payloads, gathering system information, and reporting on the status of the malware infections.

It is not clear how the threat actor is using these malware infections. They could be delivering malware for other threat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting their own attacks using whatever malware variant serves their purpose, or a combination of the three. What the attack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the malware variants are detected, some are likely to remain.

The delivery of multiple malware variants means this campaign could be highly damaging, but it also increases the chance of detection. While antivirus software is a must and may detect some of the malware variants, others are likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end users and to provide training to the workforce to help with the identification and avoidance of these malicious emails.

Many email security solutions rely on antivirus engines to detect malware but cybercriminals are skilled at bypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software, SpamTitan, uses dual antivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails are sent to the sandbox where files are unpacked and their behavior is analyzed in depth. The behavioral analysis identifies malicious actions, resulting in the messages being quarantined for further analysis by the security team. SpamTitan also includes AI and machine-learning algorithms to check how messages deviate from the emails typically received and can identify new threats that have previously not been seen. SpamTitan is a highly effective Microsoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.

End user training is an important extra layer of security that helps eradicate bad security practices and teaches employees how to recognize and avoid malicious emails. Should a malicious bypass email security defenses, trained employees will be more likely to recognize and report the threat to the security team. Training data from SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows the training and phishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout the year.

Give the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to improve your defenses against the full range of cyber threats.

New Campaigns Use Trojanized Software Downloaders to Distribute Dangerous Information Stealers

by Jennifer Marsh | Jun 28, 2024 | Phishing & Email Spam |

Two new malware distribution campaigns have been detected that deliver dangerous information-stealing malware, both targeting individuals looking to download free and pirated software.

Trojaninized Cisco Webex Meetings App Delivers Malware Loader and Information Stealer

Another malware distribution campaign has been identified that is using trojanized installers for free and pirated software to deploy a malware loader called Hijack Loader, which in turn delivers an information stealer. In the attacks, the victim was tricked into downloading a trojanized version of the Cisco Webex Meetings App, a video streaming app. The user downloaded a password-protected archive (RAR) file, which contained a file called setup.exe. When the victim executed the file, DLL sideloading was used to launch the HijackLoader, which was injected into a Windows binary.

HijackLoader connects with its command-and-control server and downloads another binary, an information stealer called Vidar Stealer. The malware bypasses User Account Control (UAC), escalates privileges, and adds an exception to the Windows Defender exclusion list. Vidar Stealer is used to steal credentials from browsers and deliver additional malware payloads, including a cryptocurrency miner. This campaign primarily targets organizations in Latin America and the Asia Pacific region.

Google Ads Used to Target Mac Users and Deliver Poseidon Malware

An information stealer called Poseidon is being distributed via malicious Google Ads that claim to provide the popular Arc web browser. The campaign targets Mac users and delivers a trojanized version of the Arc browser installer. If the installer is launched, the user gets the browser but is also infected with the malware.

According to an analysis from Malwarebytes, the new information stealer has similar features to the notorious Atomic Stealer, including a file grabber, crypto wallet extractor, and the ability to steal passwords from password managers such as Bitwarden and KeepassXC, passwords stored in browsers, and browser histories. The targeting of password managers makes this malware particularly dangerous, potentially allowing the theft of all passwords. The researchers believe the malware has been set up as a rival to Atomic Stealer

How to Protect Your Business

Protecting against malware requires a defense-in-depth approach to security, where several different security solutions provide multiple overlapping layers of protection. These security measures should include the following:

Antivirus software – Antivirus software is a must. The software will be able to detect malware when it is downloaded onto a device or is executed. The malware is identified by its signature, which means that a particular malware variant must be known and its signature must be present in the malware definition list used by that software. Antivirus software will not detect novel malware variants without behavioral analysis of files.

Web filter – One of the best defenses against malware distributed via the internet is a web filter. The web filter blocks downloads of malicious files by preventing downloads of executable files from the Internet, blocking access to known malicious websites, and limiting the sites that users can visit on their corporate-owned devices. The main advantage of a web filter is the threat is dealt with before any files are downloaded from the Internet.

Security awareness training – Users should be warned about the risks of downloading software from the Internet, be taught how to identify the signs of phishing and malicious emails, and be trained on security best practices. The latter should include carefully checking the domain of the website offering software and making sure it is the official website of the software vendor or a reputable software distributor.

Email security solution – Malware is often delivered via email, usually via a malicious script in an attached file or via a linked web page. An email security solution needs to have antivirus capabilities – signature-based detection and behavioral analysis in an email sandbox. The former will detect known malware variants and email sandboxing is used to detect novel malware variants.  Your email security solutions should also include AI-based detection, which can identify malicious messages based on how they differ from standard messages received by your business and perform comparisons with previous malware distribution campaigns.

While TitanHQ does not provide antivirus software, TitanHQ can help with web filtering (WebTitan), email security (SpamTitan), phishing protection (PhishTitan), and security awareness training (SafeTitan). For more information on improving your defenses against malware and TitanHQ’s multi-award-winning cloud-based email security and internet security solutions for businesses and managed service providers, give the TitanHQ team a call today.

Phishing Is the Most Common Type of Cyberattack in the UK but BEC is the Costliest

by Jennifer Marsh | May 30, 2024 | Phishing & Email Spam |

Last month, the UK government published the findings of its 2024 cyber security breaches survey. The annual survey was conducted by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office between September 2023 and January 2024 on 2,000 UK businesses, 1,004 registered UK charities, and 430 educational institutions. The survey provides insights into the nature of cyberattacks and data breaches experienced in the UK and confirms that attacks are increasing.

In the past year, 50% of surveyed businesses and almost one-third of charities (32%) experienced at least one cybersecurity breach or attack, with medium-sized businesses (70%), large businesses (74%), and high-income charities with £500,000+ annual income (66%) more likely to experience a cybersecurity breach.

It is often reported that cyberattacks are becoming more sophisticated; however, the most common cyber threats are relatively unsophisticated and are often effective. The most common type of cyberattack was phishing, which was reported by 84% of businesses and 83% of charities, with impersonation of organizations – online and via email – reported by more than one-third of businesses (35%) and charities (37%). Malware was used in 17% of attacks on businesses and 14% of attacks on charities. In terms of prevalence, phishing was by far the most common type of cybercrime. 90% of businesses and 94% of charities that were victims of cybercrime experienced at least one phishing attack.

The costliest type of phishing attack is business email compromise (BEC). BEC covers several types of attacks, with the most common involving criminals accessing work email accounts and using them to trick others into transferring funds or sending sensitive data. For example, a threat actor gains access to an email account of a vendor and uses the account to send an email to a customer containing a fake invoice or a request to change bank account information for an upcoming payment.

The losses to BEC attacks can be considerable. Attacks frequently result in fraudulent transfers of tens of thousands of pounds or in some cases hundreds of thousands or millions. With such large sums involved, criminals put considerable effort into these scams. Targets are researched, phishing is used to compromise an employee email account, internal phishing is used to gain access to the right accounts, the contents of accounts are studied to identify information that can be used in the scam, and the legitimate account holder is impersonated in the attack on the targeted organization or individual.

The goal in these attacks is often to gain access to the email account of the CEO or a senior executive, and that account is used to conduct a scam internally or externally. Since the request comes from a trusted authority figure and uses their legitimate account, the request is often not questioned.

BEC attacks can be difficult to identify by employees but also by email security solutions as trusted accounts are used for the scams and the emails usually do not contain any malicious content such as a URL to a phishing website or malware. These attacks use social engineering and target human weaknesses.

Defending against BEC and phishing attacks requires a combination of measures. Since targets are extensively researched, businesses should consider reducing their digital footprint and making it harder for cybercriminals to obtain information that can be used in convincing phishing and BEC campaigns, especially by reducing the amount of information that is available online about senior staff members.

Anti-spam software is a must for blocking the initial phishing attacks that are used to compromise accounts; however, an advanced solution is required to block sophisticated BEC attacks. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of spam checks for inbound and outbound emails to identify spam, phishing, and BEC content, including reputation checks of domains and accounts, scans of message content, sandboxing to identify malicious attachments, and AI and machine learning analysis to identify emails that deviate from the standard messages typically received by an organization.

PhishTitan is an anti-phishing solution for Microsoft 365 that enhances Microsoft’s anti-phishing measures and catches the phishing threats that Microsoft misses. The solution adds banners to emails to warn employees about potentially malicious content and allows security teams to quickly remediate phishing attempts across the entire email environment.

Since phishing and BEC attacks target human weaknesses, it is vital to provide training to the workforce. The aim should be to improve awareness and condition employees to always be on the lookout for a scam and to err on the side of caution and report suspicious emails to their IT security team. Phishing simulations are useful for helping staff to recognize phishing emails and identify knowledge gaps. TitanHQ’s SafeTitan training platform has all the content you need to run effective training programs to improve defenses against phishing and BEC attacks.

Contact TitanHQ today about these solutions and other ways you can improve your defenses against phishing, BEC, and other types of cyberattacks.

Remcos RAT Now Distributed in Spam Email Using VHD Attachments

by Jennifer Marsh | Apr 24, 2024 | Phishing & Email Spam |

Cybercriminals are constantly evolving their tactics for delivering malware and one of the most recent changes concerns the Remcos RAT.  Remcos was developed by Breaking Security as a legitimate remote administration tool that can be used for network maintenance, system monitoring, surveillance, and penetration testing; however, the tool has been weaponized to create the Remcos Remote Access Trojan (RAT).

The Remocos RAT has extensive capabilities and has been used by cybercriminals since 2016. The malware allows threat actors to take control of systems and maintain persistent, highly privileged remote access. The malware can be used for a range of purposes, with threat actors commonly using it for credential theft, man-in-the-middle internet connections, and to create botnets of infected devices that can be used for distributed denial of service attacks (DDoS).

The Remcos RAT is distributed in spam email campaigns. Since 2016, the most common method for distributing the malware used spam emails with malicious Office attachments. Social engineering techniques were used to trick users into opening the files and enabling macros; however, campaigns have recently been detected that deliver the malware via weaponized virtual hard disk (VHD) files.

Security awareness training often focuses on teaching users to be careful when opening Office files and other file types commonly associated with malware distribution. The change to a more unusual file type could result in the file being opened, and VHD files are less likely to be identified as malicious by email security solutions.

An analysis of the extracted VHD files revealed a shortcut file that contained a PowerShell command line that executed a malicious script that ultimately delivered the Remcos RAT via a sophisticated multi-stage delivery method designed to evade security solutions. Once installed, the malware can log keystrokes, take screenshots, and exfiltrate data to its command-and-control server. The malware also has mass-mailer capabilities and can send copies of itself via email from an infected device. According to Check Point, the Remcos RAT rose to the 4^th most prevalent malware threat in March 2024.

The constantly changing tactics for distributing malware mean network defenders need cybersecurity solutions that can adapt and detect zero-day threats. SpamTitan is an advanced email filtering service with AI and machine learning-driven threat detection which is capable of identifying and blocking novel phishing and malware distribution methods. The machine learning algorithm uses predictive technology to identify previously unseen attacks, emails are scanned using twin antivirus engines, and suspicious file types are sent to a next-generation sandbox for behavioral analysis, ensuring even previously unseen malware variants can be identified and blocked.

SpamTitan scans all inbound emails and also includes an outbound email filter to identify malicious emails that are sent from compromised email accounts and by malicious insiders. SpamTitan also has data loss protection capabilities, allowing IT teams to detect and block internal data loss. If your corporate email filter does not include advanced threat protection including AI-driven detection and sandboxing, or if you rely on Microsoft’s anti-spam and anti-phishing protection, sophisticated threats such as zero-day attacks are unlikely to be blocked and your business will be at risk.

Give the TitanHQ team a call today to find out more about SpamTitan. SpamTitan is delivered as a cloud-based anti-spam service that integrates seamlessly with Microsoft 365 to improve protection, or as a gateway solution for on-premises protection, which can be installed on existing hardware as a virtual anti-spam appliance.

Large-scale StrelaStealer Malware Campaign Spreads to US and Europe

by Jennifer Marsh | Mar 28, 2024 | Phishing & Email Spam |

A phishing campaign distributing StrelaStealer malware has expanded to Europe and the United States, with the attackers favoring the high-tech, finance, professional and legal services, manufacturing, government, energy, utilities, insurance, and construction sectors.

StrelaStealer malware was first identified in November 2022 and its primary purpose is to extract email account login credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird, and exfiltrate them to its command-and-control server. StrelaStealer has previously been used to target companies in Spanish-speaking countries however, targeting has now been expanded to the United States and Europe, with attacks peaking in November 2023 and January 2023 with more than 500 attacks a day on companies in the United States and more than 100 attacks per day in Europe, according to tracking data from Palo Alto Networks Unit 42 team.

The campaign uses email as the initial access vector with the emails typically claiming to be an invoice. Early attacks used ISO file attachments that included a .lnk shortcut and an HTML file, which invoked the rundll32.exe process to execute the malware payload. The latest attacks use a different method, with .zip file attachments favored. These compressed files include Jscript files which, if executed, drop a batch file and base64-encoded file that decodes into a DLL file, which is executed using rundll32.exe to deploy the StrelaStealer payload.

Email sandboxing provides a vital layer of protection against malware, which can be difficult to detect using transitional signature-based email security solutions. Anti-virus solutions are generally signature-based, which means they can only detect known malware. Advanced email security solutions use sandboxing to analyze the behavior of files to identify and block novel malware threats. Suspicious files are sent to the sandbox for in-depth behavioral analysis. The control flow obfuscation technique used in this attack can make analysis difficult, even in sandboxed environments, with excessively long code blocks used that can result in timeouts when executed in some sandboxed environments. While sandboxing can delay email delivery, which is far from ideal for businesses that need to act on emails quickly, it is important to provide enough time to allow attachments to be fully analyzed, as StrelaStealer malware clearly demonstrates. The easiest way for businesses to sandbox email attachments is with SpamTitan Email Security.

StrelaStealer malware is actively evolving, and new methods are being developed to deliver the malware and evade security solutions. Combatting sophisticated phishing attacks such as this, requires a defense-in-depth approach to security, using multiple security solutions that provide overlapping layers of protection such as SpamTitan Email Security, PhishTitan phishing protection, and SafeTitan security awareness training. Give the TitanHQ team a call today for more information on affordable cybersecurity solutions that are easy to use and capable of blocking advanced phishing threats.

Tycoon 2FA Phishing Kit Targets M365 and Gmail Credentials and Bypasses MFA

by Jennifer Marsh | Mar 27, 2024 | Phishing & Email Spam |

Phishing is one of the most common methods used to gain access to credentials; however, businesses are increasingly implementing multi-factor authentication (MFA) which adds an extra layer of protection and means stolen credentials cannot be used on their own to gain access to accounts. An additional authentication factor is required before access to the account is granted. While any form of MFA is better than none, MFA does not protect against all phishing attacks. There are several popular phishing-as-a-service (PhaaS) platforms that can steal credentials and bypass MFA including LabHost, Greatness, and Robin Banks. For a relatively small fee, any cybercriminal looking to compromise accounts can use the PhaaS platform and gain access to MFA-protected accounts.

A relatively new PhaaS platform has been growing in popularity since its discovery in October 2023 which has been causing concern in the cybersecurity community. Dubbed Tycoon 2FA, the PhaaS platform is being offered through private Telegram groups. Like many other PhaaS platforms, Tycoon 2FA uses adversary-in-the-middle (AiTM) tactics to steal MFA tokens, allowing access to be gained to accounts. The phishing kit uses at least 1,100 domains and has been used in thousands of phishing attacks.

Like most phishing attacks, initial contact is made with end users via email. The messages include a malicious link or a QR code. QR codes are popular with phishers as they communicate a URL to the end user and are difficult for email security solutions to identify as malicious. To ensure that the malicious URLs are not detected by security solutions, after clicking the link or visiting the website via the QR code, the user must pass a security challenge (Cloudflare Turnstile). The web page to which the user is directed targets Microsoft 365 or Gmail credentials. The user’s email address is captured and used to prefill the login page, and when the user enters their password it is captured and they are directed to a fake MFA page.

The phishing kit uses a reverse proxy server that relays the user’s credentials to the legitimate service being targeted in real-time and similarly captures the session cookie when the MFA challenge is passed. The user is unlikely to recognize that their account has been compromised as they are redirected to a legitimate-looking page when the MFA mechanism is passed. According to the researchers, many different threat actors have been using the kit for their phishing campaigns, with the Tycoon 2FA operators having received almost $395,000 in payments to their Bitcoin wallet as of March 2024. The price of the phishing kit is $120 for 10 days of usage which shows how popular the platform is with cybercriminals.

PhaaS platforms allow cybercriminals to conduct sophisticated attacks and bypass MFA without having to invest time and money setting up their own infrastructure they significantly lower the entry barrier for conducting MFA-bypassing phishing attacks. An advanced spam filtering service such as SpamTitan Plus will help to prevent malicious emails from reaching inboxes, and is an ideal spam filter for MSPs looking to provide the best level of protection for their clients. The SpamTitan suite of email security solutions combines phishing, spam, and antivirus filtering and independent tests show a spam block rate of 99.983% and a malware block rate of 99.51%.

PhishTitan from TitanHQ greatly improves protection against more advanced phishing campaigns such as those that use QR codes. Employees should be provided with regular security awareness training to help them identify and avoid phishing messages, and businesses should consider using phishing-resistant MFA rather than more basic forms of 2-factor authentication that use SMS or one-time passwords, which phishing kits such as Tycoon 2FA can easily bypass.

U.S. Government Entities Impersonated in Business Email Compromise Attacks

by Jennifer Marsh | Mar 27, 2024 | Phishing & Email Spam |

Business Email Compromise (BEC) attacks may not be as frequently encountered as phishing attacks but the losses to this type of attack are far greater. According to figures from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), $2.9 billion was lost last year to BEC attacks – The second most expensive type of cybercrime.

BEC attacks usually involve impersonation, with the attacker posing as a trusted individual. Contact is established and the scammer tricks the victim into divulging sensitive company information or transferring a large sum of money. For instance, the scammer may pose as a contractor and request that bank details are changed for an upcoming payment. The scam is not usually detected until after the transfer has been made and the funds have been withdrawn from the attacker-controlled account.

BEC attacks can be difficult for email security solutions to identify, as the emails are often sent from a known and trusted email account that has been compromised in a phishing attack. BEC scammers research their targets and may have access to past conversations between the victim and the person they are impersonating and can therefore disclose information from past conversations in email exchanges to convince the target that they are who they claim they are. The scams may also be spread across multiple emails, with trust building during the exchanges.

One of the latest BEC campaigns to be identified involves the impersonation of U.S. government entities, such as the U.S. Department of Transportation, Department of Agriculture, and Small Business Association. Initial contact is made via email and a PDF attachment is sent that includes a QR code, which has links about fake bidding processes. The targeted individual is told to use the QR code to find out more information about the bidding process.

The PDF file explains that the QR code is included as complaints have been received that the bid button in the email does not work with some browsers and that the QR code will direct them to a document that should be downloaded as it is required to submit a bid. The emails and the PDF are crafted to appear to have been sent by the spoofed organization, and the website to which the user is directed resembles the official portal used by the spoofed government agency.

If the QR code is scanned, the user will be directed to a phishing site where they will be required to enter their Office 365 credentials, which will provide the attacker with access to their email account. Once access has been gained, the scammers can proceed to the next phase of the attack. They search the email account for messages related to banking or finance and use that information for their BEC attack and send messages to contacts that include fraudulent invoices or payment requests. The emails are sent from a trusted account, so the emails will likely be delivered and there is a good chance that the attack will be successful.

Security awareness training can help to raise awareness of the threat of these attacks with individuals involved in financial transactions in a company, and policies should be in place that require any requested change to banking information to be verified by phone using a previously verified phone number. It is also important to have an email security solution in place to block or flag potential BEC messages.

TitanHQ’s PhishTitan is an ideal choice. PhishTitan can identify and flag sophisticated phishing and BEC emails and can also read and follow the URLs encoded in QR codes. When a suspicious email is detected a banner is added to warn the user, and the emails can be auto-remediated and sent to the junk folder. PhishTitan improves Microsoft’s Office 365 spam filter. Independent tests by Virus Bulletin show the engine that powers T

itanHQ’s SpamTitan spam filter for Office 365 and the PhishTitan 0365 anti-phishing solution has a phishing catch rate of 99.914% with zero false positives. For every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top anti-phishing solution misses. The solution is also just a fraction of the cost of the average loss to a single BEC attack.

For more information about PhishTitan and how it can protect your business from advanced phishing and BEC attacks, give the TitanHQ team a call.

Facebook Messages Used to Distribute Snake Infostealer Malware

by Jennifer Marsh | Mar 20, 2024 | Phishing & Email Spam |

Malware is often distributed via email or websites linked in emails, and advanced email security solutions such as SpamTitan Plus can protect you by preventing the messages from reaching inboxes. SpamTitan Plus uses dual antivirus engines to detect known malware and sandboxing to identify and block zero-day malware threats. SpamTitan Plus also rewrites URLs, uses predictive analysis to identify suspicious URLs, and blocks those URLs to prevent users from reaching the websites where malware is hosted. To get around email security solutions, cybercriminals use other methods for making initial contact with end users, and instant messaging services are a popular alternative.

Researchers at Cybereason recently identified a malware distribution campaign that distributes a Python-based information stealer via Facebook messages. The infostealer has been dubbed Snake and has been developed to steal credentials and other sensitive information. The campaign was first detected in the summer of 2023 and targets businesses. The messages use lures such as complaints and offers of products from suppliers to trick users into visiting a link and downloading a file. As is common with malware distribution campaigns, the threat actor uses legitimate public repositories for hosting the malicious file, such as GitHub and GitLab. The file to which the user is directed is a compressed file and, if extracted, will lead to the execution of a first-stage downloader. The first-stage downloader fetches a second compressed file,  extracts the contents, and executes a second downloader, which delivers the Python infostealer.

Three different variants of the infostealer have been identified, all of which gain persistence via the StartUp folder. Each variant targets web browsers, including Brave, Chromium, Chrome, Edge, Firefox, Opera, and the Vietnamese CoC CoC browser, with the latter and other evidence suggesting that the campaign is being conducted by a Vietnamese threat actor. All three variants also target Facebook cookies. The gathered data and cookies are exfiltrated in a .zip file via the Telegram Bot API or Discord.

One way of blocking these attacks is to use a web filter to block access to instant messaging services that are not required for business purposes, including Facebook Messenger. With WebTitan it is possible to block Messenger without blocking the Facebook site, and controls can be implemented for different users to allow users with responsibility for updating the organization’s social media sites to access the platforms while preventing access for other users. It is also a good practice to use WebTitan to block downloads of executable files from the Internet to prevent malware delivery and stop employees from downloading and installing unauthorized software.

Dropbox Abused in Novel Phishing Attack to Obtain M365 Credentials

by Jennifer Marsh | Mar 14, 2024 | Phishing & Email Spam |

The file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization who received an email from the no-reply[@]dropbox.com account, a legitimate email account that is used by Dropbox. The emails included a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had been created by one of the organization’s partners. If the PDF file was opened, the user would see a link that directs them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email reminding them to open the PDF file that was sent in the first email. They did, and they were directed to a phishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected in the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be associated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP address.

Multifactor authentication was correctly configured on the account but this appears to have been bypassed, with the logins appearing to use a valid MFA token. After capturing credentials, the employee is thought to have unknowingly approved the MFA authentication request which allowed the account to be compromised. The attacker gained access to the user’s email account and set up a new rule that moved emails from the organization’s accounts team to the Conversation History folder to hide the malicious use of the mailbox. Emails were also sent from the account to the accounts team in an apparent attempt to compromise their accounts.

Phishing attacks are becoming increasingly sophisticated and much more difficult for end users to identify. Security awareness training programs often teach users about the red flags in emails they should look out for, such as unsolicited emails from unknown senders, links to unusual domains, and to be wary of any requests that have urgency and carry a threat should no action be taken. Impersonation is common in phishing attacks, but in this case, the impersonation went further with the emails sent from a valid and trusted account. That means that the email is more likely to be trusted and unlikely to be blocked by email security solutions, especially as the emails include a link to a file hosted on a trusted platform. This was also a staged attack, with follow-up emails sent, which in this case proved effective even though the second email was delivered to the junk email folder. The login page to which the user was directed looked exactly the same as the genuine login prompt for Microsoft 365, aside from the domain on which it was hosted.

Many businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA can be bypassed. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing and anti-spam software solutions on the market. All emails are scanned – internal and external – for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users and detection improves further over time. The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s anti-spam and email security solutions feature sandboxing, where attachments are subjected to deep analysis in addition to signature-based anti-virus scanning. When a malicious email is detected, all other instances are removed from the entire M365 tenant.

If you want to improve your defenses against sophisticated phishing attacks give the TitanHQ team a call. If you are a Managed Service Provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs to better protect their customers from spam, phishing, malware, and BEC attacks.

CryptoChameleon Phishing Kit Targets FCC Employees and Cryptocurrency Platform Users

by Jennifer Marsh | Mar 5, 2024 | Phishing & Email Spam |

A new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms such as Binance, Coinbase, Caleb & Brown, Gemini, Kraken, ShakePay, and Trezor.

A phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web to hackers and allow them to conduct phishing campaigns without having to invest time and money into setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages, to more advanced kits that are capable of adversary-in-the-middle attacks that can defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns as they require little technical expertise. Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.

The new phishing kit is called CryptoChameleon and allows users to create carbon copies of the single sign-on (SSO) pages that are used by the targeted businesses. Employees are used to authenticating through a single solution, through which they authenticate with many business applications. The kit also includes templates for phishing pages to harvest the credentials of cryptocurrency platform users and employees, including pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter.

The phishing operation was discovered by researchers at Lookout and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site but before the content is displayed, they are required to pass an hCAPTCHA check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from identifying the phishing site.

In the campaign targeting FCC employees, after passing the hCAPTCHA check, the user is presented with a login page that is a carbon copy of the FCC Okta page. The domain on which the page is hosted – fcc-okta[.com] – differs only slightly (1 character) from the legitimate FCC Okta login page. Login credentials alone are not normally enough to gain access to accounts as many are now protected by MFA. The captured login credentials are used to log in to the real account in real time, and the victim is then directed to the appropriate page where additional information is collected to pass the MFA checks. This could be a page that requests their SMS-based token or the MFA token from their authenticator app. Once the MFA check has been passed and the account has been accessed by the threat actor, the victim can be redirected anywhere. For instance, they could be shown a message that the login has been unsuccessful and they must try again later.

To target cryptocurrency platform users, messages are sent about security alerts such as warnings that their account has been accessed. These messages are likely to attract a rapid response due to the risk of substantial financial losses. In the campaign targeting Coinbase, the user is told they can secure their account and if they log in they can terminate suspicious devices. A similar process is used to obtain the credentials and MFA codes needed to access the account as the FCC campaign.

This is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a combination of measures including an advanced spam filter, web filter, and security awareness training. For further information on cybersecurity solutions capable of combatting advanced phishing attempts, give the TitanHQ team a call.