titanadmin

Protect Your Business Against Holiday Season Cyber Threats

Holiday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now known. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city caused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day when retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how good many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the official day for the latter being the Monday after Black Friday – Cyber Monday.

The holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online shoppers looking to buy gifts for Christmas and pick up a bargain of two. Many people time major purchases to take advantage of Black Friday and Cyber Monday offers and cybercriminals are poised to pounce on the unwary. The losses to scams over the holiday period are staggering. According to the Federal Bureau of Investigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is likely to be considerably higher since many losses go unreported. Those figures do not include the losses to phishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period. For instance, the surge in ransomware attacks over Thanksgiving weekend and Christmas when the IT staff is spread thin.

Given the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard and take extra care online and ensure that vendors are legitimate before handing over their card details and double-checking the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so do businesses. There are end-of-year deadlines to meet and it’s a short month with many workers taking annual leave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat actors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially against phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to a costly cyberattack.

Businesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and conducting a security awareness training session is a good place to start. Employees should be reminded about the increase in malicious cyber activity over the holiday period and be reminded about the risks they may encounter online, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness training platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them about seasonal and other cyber threats. The training platform makes it quick and easy to create and automate training courses, with the training delivered in modules of no more than 10 minutes to ensure employees can maintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a phishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by phishing scams and ensure they receive the additional training they need.

Due to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that reliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge protection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates machine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual antivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3, VirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of 99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate, demonstrating the reliability of TitanHQ’s cloud-based email filtering solution.

TitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious websites, blocks malware downloads from the Internet, and can be used to control the web content employees can access, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a happy holiday period and above all else that you are well protected against cyber threats. Give the team a call today to find out more about how we can help protect your business this holiday season and beyond.

Phishing Campaign Targets Law Firms by Impersonating U.S. Federal Courts

A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.

Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.

Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivation for these attacks is extortion and ransomware attacks. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.

One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.

The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.

Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.

The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.

It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.

Phishing Campaign Uses Visio File Attachments for Credential Theft

A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.

To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious since emails are likely to pass reputation and authentication checks. It also increases the chance of emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as a purchase order and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.

If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.

While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).

If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.

If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.

SVG Image Files Being Used for Phishing and Malware Delivery

Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.

SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.

SVG is an incredibly versatile file format that can incorporate elements other than the image code, for instance, SVG files can be used to display HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.

Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is it is not generally blocked by anti-spam software, so is likely to be delivered to inboxes.

While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.

DocuSign Abused in Massive Phishing Campaign

A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.

DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. This campaign aims to get the recipient of the invoice to sign it using DocuSign, then the signed document can be used for the next phase of the scam, which typically involves sending the signed document to the billing department for payment, which may or may not be through DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.

The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.

The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as these messages, which often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.

SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.

For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.

Multifactor Authentication Can Give a False Sense of Security

It is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing attacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop the threat actor from using those credentials to access the account, as they will not have the necessary additional authentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where credentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts but, in response, threat actors have developed new tactics to bypass MFA protections.

For example, there is a scam where an employee is contacted by an individual who claims to be from their IT department. The scammer tells them there is an issue with their account and they need to update their password. They are directed to a site where they are prompted to enter their password and enter the MFA code sent to their phone. The threat actor uses that information in real-time to access their account. Multiple campaigns have targeted IT helpdesk staff, with the threat actor impersonating an employee. They provide information to verify their identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA codes.

Phishing-as-a-service toolkits (PhaaS) capable of defeating MFA are advertised on hacking forums and Telegram channels that can be purchased or rented. They involve an adversary-in-the-middle (AitM) attack and use a reverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to a login page that appears exactly as expected, as the user is logging into the genuine site. What is unknown to the user is the attacker sits between them and the site and captures credentials and the session cookie after MFA is successfully navigated. The attacker then has access to the account for the duration of the session cookie and can register a new device to receive future codes.

PhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit for example, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs, including MFA bypass, login pages for targeting specific credentials, session cookie harvesting, undetectable malicious (FUD) links and link redirectors, a host of phishing templates, and an easy-to-use admin panel that allows tracking of phishing campaigns. The phishing URLs available are also hosted on legitimate services such as Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security solutions. This is just one phishing kit. There are many being offered with similar capabilities.

The take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. smartcards or FIDO security keys. These MFA tools can be expensive to implement, so at the very least ensure that you have some form of MFA implemented and implement several other layers of defenses. An advanced spam filtering service such as SpamTitan is essential, as it can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the best spam filters for business due to how easy the solution is to use and its excellent detection rate. In November 2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test involving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating the reliability and accuracy of the solution.

Another layer of protection can be provided by a web filter, which will block attempts to visit known malicious websites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as does TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts against phishing by augmenting Microsoft’s controls to catch the phishing emails that EOP and Defender miss.

Technical defenses are important, but so too is workforce training. Through regular security awareness training and phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid scam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call and have a chat about your options. All TitanHQ solutions are easy to use, are available on a free trial, and full product support is provided during that trial.

Businesses at Risk as Malvertising Threat Grows

Most cyberattacks start with phishing so businesses need to ensure they have advanced spam filter service capable of accurately identifying and remediating phishing attempts, with robust anti-malware capabilities such as email sandboxing to combat the growing volume of zero-day malware threats. While security teams are all too aware of the threat of phishing, another attack vector is on the rise – malvertising.

Malvertising, or malicious advertising, is the use of deceptive adverts that direct users to malicious web pages. These malicious pages are used to steal sensitive information, infect visitors with malware, and direct users to a wide range of scams. Malvertising can appear on legitimate websites that have been compromised by threat actors and through third-party ad blocks that many legitimate website owners use to boost revenue. They are also commonly encountered on search engines and may appear in prominent positions, placed above the organic listings for key search terms.

Advertisers, including Google, have checks in place and vet advertisers to ensure malicious adverts do not make it onto their networks, but despite robust controls, many malicious adverts are displayed in the search engine results and are pushed out to hundreds of legitimate websites. These adverts may only be short-lived but they are active for long enough to get huge numbers of views and many clicks. Given the increase in malvertising, this method of contact with end users is proving profitable for cybercriminals.

Recent Examples of Malvertising Campaigns

At the start of the month, a new malvertising campaign was detected that used Meta business accounts and personal Facebook accounts to abuse the Meta advertising platform to display malicious ads. Many different ads were used for the campaign, with the common theme being adverts for well-known software tools including CapCut, Office 365, Canva, video streaming services such as Netflix, video games, and many more. The adverts appeared to primarily target middle-aged men.

The threat actor behind the campaign used almost 100 malicious domains according to the Bitdefender analysis, served several thousand ads, and undoubtedly reached tens of thousands of users. The aim of the campaign was to distribute an information stealer called SYS01stealer. SYS01stealer is used to steal login credentials and other sensitive data, including browser histories, cookies and Facebook ad and business account data. The Facebook data was used to compromise Facebook accounts which are used to create further malicious adverts to scale up the operation.

Another Facebook malvertising campaign targeted Facebook users in Europe, in this case, the threat actor used fraudulent ads for the Bitwarden password manager. The ads claimed to offer security updates and showed alerts about compromised passwords. Clicking the ad directs the user to a web page spoofing the Chrome web store, which delivers a browser extension. If granted permissions, the extension could alter network requests and access sites, cookies, and storage. The installation also launches JavaScript which exfiltrates task data, cookies, and Facebook details for personal and business accounts.

A campaign identified by Malwarebytes in November targeted eBay users. The malicious adverts were served via Google Ads and the campaign involved at least four different advertiser accounts. In this campaign, the aim was to trick people into calling an eBay support number which was a tech support scam.

Because the adverts often appear on trusted websites, including websites that are frequently visited, they fool a great many people who mistakenly trust that the adverts are genuine.

How Should Businesses Deal with the Malvertising Threat?

The primary defense for consumers is vigilance. Just because an advert appears on a trusted website or search engine, does not mean that the advert is genuine.  As is the case with carefully checking links in emails and the domains to which those links direct, the domain and URL should be carefully checked to make sure it is a legitimate vendor.

Businesses can easily protect against malvertising by using a web filter such as WebTitan. WebTitan is a DNS filter that blocks access to all known malicious websites and receives consistent threat intelligence to protect against zero-minute threats. WebTitan can be configured to block downloads of certain file types from the Internet, such as executable files to block malware delivery and prevent the installation of unauthorized software products, which often sideload unwanted programs. WebTitan can also be used to prevent employees – on or off the network – from visiting any of 53 categories of websites, with a further 8 customizable categories giving granular control over the content that users can access.

Businesses should also raise awareness of the threat of malvertising through security awareness training. The SafeTitan security awareness training platform includes training modules on malvertising and hundreds of training modules covering other threats to improve human defenses against phishing, malware, and scams.

WebTitan is available on a free trial, with full support provided throughout the trial. For more information on WebTitan and to book a product demonstration, give the TitanHQ team a call today.

Watch Out for Holiday Season & Black Friday Scams

As consumers wait patiently for Black Friday to snaffle a bargain or two, scammers are hard at work perfecting their Black Friday scams and getting ahead of the game by offering amazing deals via email. In the run-up to Black Friday, Cyber Monday, and throughout the holiday season, everyone should be wary of scams and spam emails. The superb offers and hugely discounted prices are not always what they seem. Most are scams.

There are Black Friday and Cyber Monday deals aplenty, with bricks and mortar and online retailers vying to get your business to kick start the holiday season shopping bonanza. Rather than being confined to the weekend, many retailers have offers over an extended period, and marketing for those deals starts well in advance. Black Friday deals seem to be taking over much of November. While there are bargains to be had, even the incredible prices being offered by genuine retailers may not be quite as good as they seem. While Black Friday deals are touted as being the lowest prices of the year, research suggests that is not necessarily the case. According to the consumer group Which? it is common for prices to be inflated in the run-up to Black Friday to make the discounts seem bigger, and in some cases, the price that a retailer claims a product has been reduced from has never been offered in the previous 12 months. It pays to do some research before you buy.

As far as online shopping goes, it is important to visit your favorite retailers’ websites directly and, as a general rule of thumb, never respond to any offers received by email by clicking links. If you get an email from a retailer advising you of a Black Friday deal, visit their website using your bookmark or by typing in the URL. If the offer is available it should be detailed on the website. This is important as the majority of Black Friday emails are scams. According to a recent analysis by Bitdefender – the company that powers the SpamTitan email sandbox – 77% of Black Friday-themed spam were scams, a 7% increase from 2023. Many of these scam emails impersonate big-name brands and offer impressive but fake discounts on products and services. They often lead to financial loss, data theft, and malware infections.

Black Friday scams include offering top-name brands at heavily discounted prices, but actually mailing cheap counterfeit goods or not mailing any product at all. Big-name brands have been impersonated in spam emails that include an attachment that purports to be a shipping confirmation, confirming that orders are ready for shipment when the attachments direct users to websites where they are asked to disclose their credentials or the attachments install malware.

At this time of year there is a surge in survey scams, where consumers are asked to take part in surveys in exchange for a discount or voucher, and after completing the survey are asked to disclose sensitive information that can be used directly for fraud or spear phishing campaigns.  If you receive unwanted marketing communications from genuine retailers, you can use the unsubscribe option to update your preferences, but make sure you carefully check the destination of the unsubscribe button and the sender’s email address to confirm the communication is from a legitimate retailer.

If you receive spam emails, the unsubscribe option should be avoided. Using the unsubscribe option lets the scammer know that the account is active, and all that is likely to happen is you will receive even more spam. Far better is to mark the email as spam and block the sender. Clicking an unsubscribe option in an email may direct you to a site where a vulnerability is exploited to download malware.

Businesses should ensure they have an effective spam filter, and it is never more important than in November, December, and January when spammers are highly active. At TitanHQ, we offer products that provide exception protection against spam, scams, phishing emails, and malware. In recent independent tests by VirusBulletin, the engine that powers the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 achieved a 100% phishing catch rate, a 100% malware catch rate, and a spam catch rate in excess of 99.9% in November 2024 results. These follow overall scores in excess of 99.99% for blocking spam, phishing, and malware earlier in the year, demonstrating these email security products provide excellent and reliable protection against malicious and spam emails.

TitanHQ Achieves 100% Phishing and Malware Catch Rate in November

TitanHQ is thrilled to announce that the engine that powers its email security solutions – SpamTitan and PhishTitan – achieved an incredible 100% catch rate for phishing emails and malware in November 2024 in independent tests by Virus Bulletin.

Virus Bulletin is a testing and certification body that has an excellent reputation within the information security community. Virus Bulletin performs independent tests of security solutions and has been reviewing, benchmarking, and issuing certifications for security products for more than 2 decades.

The spam, malware, and phishing identification tests are conducted over a 16-day period each month, with the final results published each quarter. For the past two quarters, TitanHQ’s email security solutions have achieved VBSpam+ certification, and the results from October and November indicate SpamTitan email security and the PhishTitan anti-phishing solutions are on track to receive their third consecutive quarterly VBSpam+ certification.

The interim results for November are based on an evaluation of almost 125,000 emails. TitanHQ’s solutions correctly identified all malware and phishing emails over that period, and it was nearly a clean sweep of 100% scores; however, there was a narrow miss on blocking non-malicious spam emails, as while the vast majority of spam emails were correctly identified, 2 spam emails were unfortunately miscategorized.

The flawless results for malware blocking and phishing identification by TitanHQ’s cloud-based anti-spam software clearly demonstrate the superb reliability and effectiveness of TitanHQ’s email security solutions and validate what our customers already know – That you can rely on TitanHQ to keep your email accounts free from threats.

“We are thrilled to have significantly outperformed our main competitors and surpassed the industry average,” said Ronan Kavanagh, CEO at TitanHQ. “Our unwavering commitment to providing unmatched email security is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”

In addition to providing a cutting-edge, easy to use, email filtering service, TitanHQ’s cybersecurity portfolio also includes a comprehensive security awareness training and phishing simulation platform – SafeTitan; a DNS-based web filtering solution for blocking Internet threats and controlling internet access – WebTitan; an easy-to-use and cost-effective email archiving solution – ArcTitan; and an email encryption solution for securing sensitive data – EncryptTitan.

All TitanHQ solutions are cloud-based and easy to implement and use, even by individuals with little technical expertise. These solutions can be used by businesses of all sizes and TitanHQ also offers anti-spam solutions for managed service providers to allow them to provide comprehensive security services to their clients.

For more information about these solutions or joining our partner program, give the TitanHQ team a call today and be sure to check out these anti-spam tips.

Excel File Attachments Used in Phishing Campaign to Deliver Fileless Remote Access Trojan

A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device.  The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.

Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected as it is fileless malware that runs in memory and does not install files on the disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a purchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML Application (HTA) file downloaded, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in the memory.

The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in the memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run item to ensure it is launched after each reboot.

Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.

TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.

A Russian APT Group is Conducting a Massive Spear Phishing Campaign

The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.

While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.

Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.

RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Lets Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s resources are bidirectionally mapped to the server.

The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.

Since the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as malicious based on reputation checks by anti-spam software, although may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam antivirus filter to block emails containing RDP files and other executable files and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and consider blocking executable files from running via your endpoint security software is the executable file is not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.

An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.

Malvertising Campaign Uses Facebook Ads to Deliver SYS01 Information Stealer

A new malvertising campaign has been identified that abuses the Meta advertising platform to deliver an information stealer malware variant called SYS01 Stealer. Similar to other malvertising campaigns, popular brands are impersonated to trick users into downloading the information stealer in the belief they are installing legitimate software. In this campaign, the impersonated brands include popular software tools that are commonly used by businesses, including the video and imaging editing tools CapCut, Adobe Photoshop, and Canva, as well as productivity tools such as Office 365, instant messaging platforms such as Telegram, VPN providers such as Express VPN, and a host of other software products and services to ensure a wide reach, including video games and streaming services.

The adverts claim that these software solutions games and services are available free of charge, which is a red flag as the genuine products and services usually require a purchase or subscription. The advertisements are published via hijacked Facebook business accounts, which according to an analysis by Bitdefender, have been used to create thousands of ads on the platform, many of which remain active for months. If a user interacts with one of the adverts, they are directed to sites hosted on Google Sites or True Hosting. Those sites impersonate trusted brands and offer the application indicated in the initial ad. If the user is tricked and progresses to a download, a zip file is delivered that contains an executable file that sideloads a malicious DLL, which launches the infection process.

The DLL will run PowerShell commands that will prevent the malware from executing in sandboxes and will prepare the environment for the malware to be installed, including disabling security solutions to ensure the malware is not detected, and maintaining persistence ensured through scheduled tasks. Some identified samples include an Electron application with JavaScript code embedded that drops and executes the malware.

The cybercriminals behind the campaign respond to detections of the malware by security solutions and change the code when the malware starts to be blocked, with the new variant rapidly pushed out via Facebook ads. The information stealer primarily targets Facebook business accounts and steals credentials allowing those accounts to be hijacked. Personal data is stolen, and the accounts are used to launch more malicious ads. Since legitimate Facebook business accounts are used, the attackers can launch malicious ads at scale without arousing suspicion. This malvertising campaign stands out due to its scale, with around 100 malicious domains currently used for malware distribution and command and control operations.

Businesses should take steps to ensure they are protected by using a web filter to block the malicious domains used to distribute the malware, the Facebook site for employees, and to prevent malware downloads from the Internet. Since business Facebook accounts are targeted, it is important to ensure that 2-factor authentication is enabled in the event of credentials being compromised and business Facebook accounts should be monitored for unauthorized access. Business users should not install any software unless it comes from an official source, which should be reinforced through security awareness training.

TitanHQ has developed an easy-to-use web filter called WebTitan that is constantly updated with threat intelligence to block access to malicious sites as soon as they are discovered. WebTitan can be configured to block certain file downloads from the Internet by extension to reduce the risk of malware infections and control shadow IT, and WebTitan makes it easy for businesses to enhance productivity while improving security by blocking access to known distractions such as social media platforms and video streaming sites. WebTitan provides real-time protection against clicks in phishing emails by preventing a click from launching a malicious website and the solution can be used to protect all users on the network as well as off-network users on portable devices through the WebTitan on-the-go roaming agent. For more information about improving your defenses against malware delivered via the internet and malvertising campaigns, give the TitanHQ team a call today.

New Tactics Used by Threat Actors for Phishing, Malware Delivery, and Extortion

Several new campaigns have been detected in recent weeks that use diverse tactics to trick people into disclosing sensitive information and installing malware.

Cybercriminals Target Crypto Wallets via Webflow Sites

Webflow is a software-as-a-service company that businesses can use to accelerate website development. The platform makes it easier to create websites and web pages, simplifying and eliminating many of the complex tasks to speed up website creation. Cybercriminals have taken advantage of the platform and are using it to rapidly spin up phishing pages and create pages to redirect users to malicious sites. One of the main advantages of Webflow compared to alternative platforms is the ease of creating custom subdomains, which can help phishers make their phishing pages more realistic. Subdomains can be created to mimic the login pages that they are impersonating, increasing the probability that individuals will be fooled into disclosing their credentials.

The number of detected phishing pages on Webflow has increased sharply, especially for crypto scams. One of the campaigns impersonated the Trezo hardware wallet. Since the subdomain can be customized to make the phishing page appear official, and screenshots of the actual Trexor site are used, these phishing pages can be very convincing. In these campaigns, the aim is to steal the seed phrases of the victim to allow the threat actor to access cryptocurrency wallets and transfer the funds. In one campaign, when the seed phrase is disclosed, the user is told their account has been suspended for unauthorized activity and they are told to launch a chat service for support. The chat service is manned by the threat actor who keeps the victim engaged while their wallet is emptied.

Hackers Use Deepfakes to Target Finance Professionals

The cost of artificial intelligence (AI) solutions is falling and cybercriminals are taking advantage. AI is increasingly being used to manipulate images, audio, and video recordings to make their scams more convincing. These deepfakes are realistic and more effective at tricking individuals into making fraudulent wire transfers than business email compromise scams, as they include deepfake videos of the person being spoofed. Cybercriminals use AI tools to create deepfakes from legitimate video presentations and webinars, impersonating an executive such as the CEO or CFO in an attack on finance team members. The aim is to trick the employees into making a wire transfer. Earlier this year, the engineering group Arup was targeted using a deepfake of the company CFO, and $25 million was transferred to the scammers in transfers to five different bank accounts.

Vendors are often spoofed in deepfake scams to trick their clients into wiring payments to attacker-controlled bank accounts. A recent survey by Medius revealed that 53% of finance professionals in the UK and US had experienced at least one attempted deepfake scam. These scams may occur over the phone, with the deepfake occurring in real-time, and there have been many cases of deepfake impersonations over video conferencing platforms such as Microsoft Teams and Zoom.

North Korean Hackers Target Developers with Fake Job Interviews

The North Korean hacking team, Lazarus Group, is known to use diverse tactics in its attacks. The group has now been observed infiltrating business networks by obtaining positions as IT workers. According to Mandiant, dozens of Fortune 100 companies have been tricked into hiring workers from North Korea, who steal corporate data after being hired. One UK firm discovered they had been duped 4 months after employing an It worker who was actually based in North Korea. The IT worker used the network access provided to siphon off sensitive data, and when the worker was sacked for poor performance, demanded a ransom to return the stolen data. Researchers believe the data was provided to North Korea.

The Lazarus Group has also been targeting developers through fake interviews. The group hosts fake coding assessments on legitimate repositories such as GitHub and hides malicious code in those repositories, especially in Python files. The developers are tricked into downloading the code and are tasked with finding and fixing a bug but will inadvertently execute the malicious code regardless of whether they complete the assessment. The hackers often pose as legitimate companies in the financial services.

Legitimate File-Hosting Services Used for Phishing Attacks and Malware Distribution

One of the ways that cybercriminals attempt to bypass filtering mechanisms is to use legitimate hosting services for phishing and malware delivery. Dropbox, OneDrive, Google Drive, and SharePoint are all commonly used by cybercriminals. These services are used by businesses for storing and sharing files and for collaboration, so these services are often trusted. They are also often trusted by security solutions. Tactics commonly used include sharing links to files hosted on these services via phishing emails, often restricting access to the files to prevent detection by security solutions. For instance, the user is required to be logged in to access the file. Files may be hosted in view-only mode to avoid detection by security solutions, with social engineering techniques used to fool the user into downloading the files.

Cybercriminals are constantly evolving their tactics to phish for credentials, distribute malware, and gain unauthorized access to sensitive data. Businesses need to adopt a defense-in-depth approach to security, adding several layers to their defenses to combat new threats. These measures include an advanced spam filtering service with machine learning capabilities and email sandboxing, a web filter for blocking access to malicious websites and preventing malware downloads from the Internet, anti-phishing solutions for Microsoft 365 environments to block the threats that Microsoft often fails to detect, and comprehensive security awareness training for the workforce.

Cybercriminals will continue to evolve their tactics, so security solutions should also be able to evolve and be capable of detecting zero-day threats. With TitanHQ as your security partner, you will be well protected against these rapidly changing tactics.  Give the TitanHQ team a call today to find out more about improving your technical and human defenses against these threats.

Threat Actors Increasingly Using Scripts in Emails for Malware Delivery

For many years, cybercriminals have favored Office documents for distributing malware. These documents are familiar to most workers and are likely to be opened because they are so familiar and used so often. The documents may contain hyperlinks to malicious websites where malware is downloaded, but the easiest method is automating the delivery of malware using a malicious macro. If that macro is allowed to run, the infection process will be triggered.

Microsoft has helped to make documents and spreadsheets more secure by disabling macros by default if they have been delivered via the Internet and increasing numbers of companies are providing workforce security awareness training and instructing their employees not to enable content on Office documents delivered via the Internet. It has become much harder for cybercriminals to distribute malware using these file formats, so they have turned to script languages for malware delivery.

The use of VBScript and JavaScript in malware distribution campaigns has been increasing, with these executable files often hidden from security solutions by adding them to archive files. The scripts used in campaigns are snippets of code that include command sequences, which automate the downloading and execution of malware, often only operating within the system’s memory to avoid detection. The user is likely to be unaware that malware installation has been triggered.

For example, in one campaign, a malicious VBS script was hidden in an archive file to evade email security defenses. If extracted and executed, the script executes PowerShell commands, which can be difficult for security solutions to identify as malicious. PowerShell triggered the BitsTransfer utility to fetch another PowerShell script, which downloaded and decoded Shellcode, which in turn loaded a second shellcode that used the Windows wab.exe utility to download an encrypted payload. The shellcode decrypted and incorporated the payload into wab.exe, turning it into the remote access trojan, Remcos RAT. This multi-stage infection process used living-off-the-land techniques to evade security solutions, and it all started with an email that used social engineering to trick the recipient into executing the script.

Using this attack as an example, there are opportunities for identifying the email for what it really is. Businesses need to ensure they have advanced email security defenses in place such as an advanced spam filter for Office 365 or a machine-learning/AI-driven spam filtering service. These services perform standard checks of inbound email, such as anti-spoofing and reputation checks on the sender, Bayesian analysis to determine whether the email is likely to be spam, but also machine learning checks, where the inbound message is compared against the emails typically received by a business and is flagged if any irregularities are found.

Anti-virus scans are useful for detecting malware, but these checks can often be evaded by adding malicious scripts to archive files, and the multi-stage process involved in infection is often sufficient to defeat signature-based malware detection. An email security solution therefore needs to also use email sandboxing. All attachments capable of being used for malicious purposes are scanned with an anti-virus engine and are then sent to the sandbox for deep analysis. Malware sandboxing for email is important, as it detects malware not by its signature, but by its behavior, which is vital for identifying script-based malware delivery. While there are sandboxing message delays, it prevents many costly malware infections.

SpamTitan, TitanHQ’s cloud-based anti-spam service, incorporates these checks to provide exceptional malware detection. In recent independent tests, SpamTitan blocked 100% of malware and had a 99.99% phishing catch rate and a 0.000% false positive rate. In addition to using an advanced spam filter, businesses can further reduce risk by blocking delivery of the 50 or so archive file formats supported by Windows if they are not used by the business.

It is also important to provide continuous security awareness training to the workforce to improve awareness of threats and the new tactics, techniques, and procedures being used by threat actors to trick individuals into providing them with network access. This is easily down with TitanHQ’s SafeTitan security awareness training platform solution, especially when combined with phishing simulations.

Cyberattacks targeting individuals are increasing in sophistication and standard security defenses are often evaded. To find out more about improving your defenses against sophisticated phishing, malware, and business email compromise threats, give the TitanHQ team a call. Improving your defenses is likely to be much cheaper than you think.

TitanHQ Launches Security Awareness Training for MSPs

Managed service providers can implement security solutions to protect their clients from phishing, social engineering, and business email compromise attacks but if a malicious email manages to bypass those defenses, it could easily result in hackers gaining a foothold in the network, resulting in a highly disruptive and costly cyberattack and data breach. To improve defenses against phishing, managed service providers should offer their clients security awareness training to manage human risk, and now TitanHQ can offer a security awareness training (SAT) solution that allows them to do that with ease.

This month, TitanHQ launched its Security Awareness Training (SAT) solution for MSPs. The solution has been specifically created to be used by MSPs and allows them to provide affordable, scalable training with minimal setup. The training platform has now been integrated with TitanHQ’s MSP cybersecurity platform and is ready for MSPs to use. In contrast to many SAT solutions that only provide standard cybersecurity training, TitanHQ’s SAT solution integrates advanced phishing simulation with behavior-focused training that is fun and engaging for participants. The solution delivers maximum value to MSPs and can be rapidly set up, allowing them to roll out training programs to new clients with just a few clicks. There is no need to spend hours assigning training content to new customers, as it is possible to select multiple customers and rapidly spin up training courses that can be rapidly deployed for individuals or groups of customers in the future.

The AI-driven training platform allows training content to be tailored to individual employees to meet their training needs, personalizing the training experience. The platform includes more than 80 videos, training sessions, and webinars to improve awareness and help create a security culture. MSPs are provided with monthly reports on the progress that is being made by individual employees and they are provided with actionable insights.

The platform includes a phishing simulator that allows MSPs to conduct real-time phishing simulations based on a huge variety of templates (1,800+) covering all types of phishing and other attack scenarios, and the content is updated regularly to include the latest tactics, techniques, and procedures used by cybercriminals in real-world phishing campaigns. MSPs can easily pre-configure phishing simulations and training campaigns to roll out to new clients as they are onboarded, and the MSP dashboard provides a view of quick actions and live analytics all in one place.

The training platform can deliver reactive training in response to user behavior, where users in need of training are automatically enrolled and delivered relevant training content. MSPs can use the platform to conduct cyber awareness knowledge checks to identify areas where individuals need training, verify understanding of the training material, and retest employees over time to ensure they have not forgotten the material from previous training sessions. The training material covers the cyber threats that employees are likely to encounter such as phishing, social engineering, business email compromise, and malware, but also in-person threats such as physical security, ensuring they receive comprehensive training that covers all the bases.

If you have yet to start offering security awareness training to your clients, or if you already offer training but require a more comprehensive and easier-to-use training platform, give the TitanHQ team a call. Product demonstrations can be arranged on request to show you just how easy the platform is to use.

“Our integrated cybersecurity platform delivers maximum value to MSPs, offering a quicker time-to-market, reduced set-up requirements combined with real-world, practical security awareness training & phishing simulations. TitanHQ delivers that seamlessly, allowing MSPs to offer comprehensive SAT to their customers in just a few clicks,” said TitanHQ CEO, Ronan Kavanagh.

Multiple Accounts Compromised in Targeted Phishing Campaigns

The purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an employee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s account and any data contained therein. That access can be all that is required for the threat actor to achieve a much more extensive compromise.

Oftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same organization. These phishing attacks can be harder to spot as they have been tailored to that specific organization. These attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email account. The emails may address each individual by name, or appear to be broadcast messages to staff members. One successful campaign was identified by the Office of Information Technology at Boise State University, although not before several employees responded to the emails and disclosed their credentials. In this campaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account by “Health Services,” purporting to be an update on workplace safety. The emails had the subject line “Workplace Safety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection had been reported to the health department.

In the message, recipients were advised about a health matter involving a member of staff, advising them to contact the Health Service department if they believed they had any contact with the unnamed worker.  In order to find out if they had any contact with the worker, the link must be clicked. The link directed the user to a fraudulent login page on an external website, where they were required to enter their credentials. The login page had been created to look like it was a legitimate Boise State University page, captured credentials, and used a Duo Securit notification to authorize access to their account.

These targeted campaigns are now common, especially at large organizations where it is possible to compromise a significant number of accounts and is worth the attacker’s time to develop a targeted campaign. Another attack was recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the HR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were tricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their personal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit information to have the employees’ wages paid into the attacker’s account. Several employees were fooled by the scam; although in this case the attack was detected promptly and the SSTA system was disabled to prevent fraudulent transfers.

A different type of campaign recently targeted multiple employees via email, although the aim of the attack was to grant the threat actor access to the user’s device by convincing them to install the legitimate remote access solution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses and bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was to create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group has also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help desk and offered assistance resolving the spam problem they created, which involved downloading AnyDesk and granting access to their device. During the session, tools are installed to provide persistent access. The threat actor then moved laterally within the network and extensively deployed ransomware.

These attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags should have been spotted revealing these social engineering attempts for what they are but more than one employee failed to spot them. It is important to provide security awareness training to the workforce to raise awareness of phishing and social engineering threats, and for training to be provided regularly. Training should include the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support calls, malicious websites, smishing, and vishing attacks.

A phishing simulator should be used to send realistic but fake phishing emails internally to identify employees who fail to spot the red flags. They can then receive additional training relative to the simulation they failed. By providing regular security awareness training and conducting phishing simulations, employers can develop a security culture. While it may not be possible to prevent all employees from responding to a threat, the severity of any compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored training courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to phishing and other threats.

Since threat actors most commonly target employees via email, it is important to have robust email defenses to prevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide range of threat detection methods to block more threats, including reputation checks, extensive message analysis, machine-learning-based detection, antivirus scans, and email sandboxing for malware detection.  SpamTitan has been shown to block more than 99.99% of phishing threats and 100% of malware.

TOAD Attacks: New Voice-Based Phishing Techniques Used in Attacks on Businesses

Phishing is one of the most effective methods used by cyber actors to gain initial access to protected networks Phishing tactics are evolving and TOAD attacks now pose a significant threat to businesses. TOAD stands for Telephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a telephone call, although there are often several different elements to a TOAD attack which may include initial contact via email, SMS messages, or instant messaging services.

TOAD attacks often start with an information-gathering phase, where the attacker obtains personal information about individuals that can then be targeted. That information may only be a mobile phone number or an email address, although further information is required to conduct some types of TOAD attacks.

One of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity in an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the targeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a website, the next phase of the attack takes place over the telephone or a VOIP-based service such as WhatsApp. A phone number is included that must be called to resolve a problem.

If the call is made, the threat actor answers and during the call, trust is built with the caller and the threat actor makes their request. That could be an instruction to visit a website where sensitive information must be entered or a file must be downloaded. That file download leads to a malware infection.

Several TOAD attacks have involved the installation of legitimate remote access software. One campaign involved initial contact via email about an expensive subscription that was about to be renewed, which required a call to cancel. The threat actor convinces the user to download remote access software which they are told is necessary to prevent the charge being applied, such as to fully remove the software solution from the user’s device.

The user is convinced to give the threat actor access to their device through the software and the threat actor keeps the person on the line while they install malware or perform other malicious actions, reassuring them if they get suspicious.  Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam, where an email impersonates a bank and warns the victim that an account has been opened in their name or a large charge is pending. These attacks result in the victim providing the threat actor with the information they need to access their account.

TOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a family member. Since information is gathered before the scam begins, when the call is made, the threat actor can provide that information to the victim to convince them that they are who they claim to be. That information may have been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare data breach, the healthcare provider may be impersonated, and the attacker can provide medical information in their possession to convince the victim that they work at the hospital.

The use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is mimicked, or video images are manipulated on video conferencing platforms. Deepfakes were used in a scam on an executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s account, believing they were communicating with a trusted individual via a video conferencing platform.

TOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the caller ID to make it appear that the call is coming from a known and previously verified number. Other methods may be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service attack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be resolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to pull off due to email security solutions, multifactor authentication, and improved user awareness about scam messages.

Unfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive strategy is required that combines technical measures, security awareness training and administrative controls. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that are used for initial contact. These advanced detection capabilities are needed because the initial emails often contain no malicious content, other than a phone number. SpamTitan, TitanHQ’s cloud-based anti-spam service, can detect these initial emails through reputation checks on the sender’s IP address, email account, and domain, and machine learning is used to analyze the message content, including comparing emails against the typical messages received by a business.

WebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will block access to known malicious sites and can be configured to prevent certain file types from being downloaded from the internet, such as those commonly used to install malware, unauthorized apps, and remote access solutions.

Regular security awareness training is a must. All members of the workforce should be provided with regular security awareness training and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, makes it easy for businesses to create and automate training courses for the workforce. Employees should be trained in how to identify a TOAD attack, told not to trust caller ID alone, to avoid clicking links in emails and SMS messages, and to be vigilant when receiving or making calls, and to report any suspicious activity and immediately end a call if something does not seem right.

Education Sector Under Threat from Diverse Range of Threat Actors

Schools and higher educational institutions have long been a target for cybercriminals and attacks are on the increase. Educational institutions store large amounts of sensitive data on their students, which can include health and financial data – information that can be easily monetized. The data can be sold on the dark web to identity thieves and can be used for a range of fraudulent purposes.

Like the healthcare sector, which is also extensively targeted by malicious actors, educational institutions often have a complex mix of modern and legacy IT systems and securing those systems can be a challenge while ensuring they remain accessible to authorized individuals, especially when there is often a limited budget for cybersecurity. There are also non-technical vulnerabilities. Schools employ a diverse range of individuals including teaching and support staff and networks are accessed by students of a range of ages. Cybersecurity awareness can vary greatly among network users.  The combination of vulnerabilities means the sector is relatively easy to attack.

According to a recent report from Microsoft, schools in the United States are being used by malicious actors to test their tactics, techniques, and procedures. Microsoft Threat Intelligence data indicates education is the third-most targeted sector in the United States and attacks are also increasing in the United Kingdom, especially higher education institutions where 43% of surveyed institutions said they experience a cyberattack or data breach at least weekly. In Q2, 2024, the education sector was also on a par with healthcare, information technology, telecommunications, consumer retail, and transportation sectors for ransomware attacks, each accounting for 11% of attacks in the quarter.

It is not only cybercriminal groups that target the education sector. Several state-sponsored hacking groups are targeting universities to gain access to connections and steal IP. Universities are commonly engaged in cutting-edge research and often work closely with government agencies. Nation state hacking groups target intellectual property to further research in their native countries, and it can be a lot easier to target individuals in the education sector and use their accounts to pivot to attack their contacts, which may include high-level individuals in a range of private sector industries, as well as the defense sector.

Microsoft has tracked attacks on the education sector by Iranian threat groups such as Mint Sandstorm and Peach Sandstorm, both of which conduct sophisticated phishing and social engineering attacks. North Korean hacking groups also target the U.S. education sector, with groups tracked by Microsoft as Emerald Sleet and Moonstone Sleep using novel techniques to install malware to gain access to the networks of educational institutions.

While vulnerabilities in software and operating systems can be exploited, phishing and social engineering attacks are much more commonly used to steal credentials and install malware, so it is essential that educational institutions have robust defenses against these types of attacks.

Advanced anti-spam software is essential for blocking phishing and social engineering attacks. In independent tests, SpamTitan has been shown to block 100% of malware thanks to twin antivirus engines and email sandboxing, and 99.99% of spam and phishing emails thanks to a barrage of checks and tests, including machine learning and AI-driven detection.

Many threats are delivered via the Internet, so it is vital to block access to malicious sites. WebTitan is a DNS-based web filtering solution for educational institutions that blocks access to malicious sites, prevents malware downloads from the Internet, and is used by schools to restrict the types of websites that staff and students can access to better protect students from harmful web content and comply with government regulations.

Security awareness training is also important to improve human defenses. TitanHQ’s SafeTitan training platform allows educational institutions to easily create training courses for staff and students, and test knowledge of social engineering and phishing through an easy-to-use phishing simulator.

Cybercriminals and nation state actors are likely to continue to target the education sector, so it is important to have the right defenses in place. Give the TitanHQ team a call today to find out more about improving your defenses against increasingly sophisticated cyber threats.

Mamba 2FA Phishing Kit Used to Bypass MFA on Microsoft 365 Accounts

Researchers have identified a new phishing kit that is being used to steal credentials for Microsoft 365 accounts and gain access to accounts protected by multi-factor authentication (MFA). The phishing kit, called Mamba 2FA is a cause of concern as it has the potential to be widely adopted given its relatively low price and there are signs it is proving popular with cybercriminals since its release in late 2023. Phishing kits make it easy for low-skilled cybercriminals to conduct sophisticated attacks as they provide all the tools required to breach accounts. The Mamba 2FA kit includes the necessary infrastructure to conduct phishing campaigns, masks IP addresses to prevent them from being blocked, and updates the phishing URLs frequently to ensure they remain active and are not blocked by security solutions.

The Mamba 2FA kit includes phishing pages that mimic Microsoft services such as OneDrive and SharePoint, and the pages can be customized to create realistic phishing URLs for targeting businesses, including allowing the business logo and background images to be added to the login page. Since businesses often have MFA enabled, simply stealing Microsoft credentials is not sufficient, as the MFA will block any attempt to use the credentials for unauthorized access. Like several other popular phishing kits, the Mamba 2FA kit supports adversary-in-the-middle (AitM) attacks, incorporating proxy relays to steal one-time passcodes and authentication cookies in real time. When credentials are entered into the phishing page, they are relayed to Microsoft’s servers in real-time and Microsoft’s responses are relayed back to the victim, including MFA prompts, which allows the threat actor to steal the session cookie and gain access to the user’s account.

Phishing kits such as Mamba 2FA pose a serious threat to businesses, which should take steps to protect against attacks. The AitM tactics can defeat less secure forms of MFA that are based on one-time passwords but are not effective against hardware-based MFA. Implementing phishing-resistant MFA will ensure these attacks do not succeed. Other recommended controls include geo-blocking and allowlisting for IPs and devices. While these advanced phishing kits are effective, threat actors must convince people to click a link in an email and disclose their login credentials, and with advanced email security solutions these phishing threats can be identified and blocked before they reach inboxes. Training should also be provided to the workforce to help with the identification and avoidance of phishing.

TitanHQ can help through the SpamTitan cloud-based spam filtering service and the SafeTitan security awareness training and phishing simulation platform. SpamTitan incorporates reputation checks, Bayesian analysis, greylisting, machine learning-based detection, antivirus scans, and email sandboxing to block phishing and malware threats. Independent tests demonstrated SpamTitan was one of the best spam filtering solutions for businesses at blocking threats, with a 99.99% phishing block rate and a 100% malware block rate.

The SafeTitan security awareness training platform makes it easy for businesses to provide regular cybersecurity awareness training. The platform includes more than 80 training modules, videos, and webinars, with hundreds of phishing simulation templates based on real-world phishing examples. Regular training and phishing simulations have been proven to be highly effective at reducing susceptibility to phishing and other threats targeting employees. This month, TitanHQ has also launched its security awareness training platform for MSPs, which has been specifically developed to make it quick and easy for MSPs to incorporate security awareness training into their service stacks. Speak with TitanHQ today for more information about these and other cybersecurity solutions for combatting the full range of cyber threats.

Confirmation Threat Actors Are Using GenAI Tools for Malware Development

Generative Artificial Intelligence (GenAI) has many benefits for businesses, including streamlining customer support, generating content, and improving productivity and there are many uses in cybersecurity, especially with the analysis of data to provide actional insights. One of the problems, however, is that the capabilities of GenAI for improving cybersecurity can also be leveraged by cybercriminals for malicious purposes.

GenAI tools have guardrails in place to prevent them from being used for malicious purposes. For instance, if you want to use ChatGPT to write a phishing email, it is not possible to ask that directly, as the request will be blocked. That does not mean that it will not write the email, only that you would need to be more subtle. There are, however, other tools that lack the guardrails and have been specifically created to be used for malicious purposes.

It is clear that cybercriminals have been using GenAI for phishing and social engineering to create grammatically perfect phishing emails even when the phisher does not know a language, and the same applies to the landing pages used for phishing. GenAI has been shown to be capable of coming up with new social engineering techniques to trick employees into disclosing their credentials or installing malware. GenAI tools can also be leveraged for malware development, either by writing new malware code from scratch or checking code for errors.

There is growing evidence that GenAI is now being used to write malicious code. This spring, evidence was uncovered that the developer and operator of the DanaBot banking trojan, Skully Spider, had used an artificial intelligence tool to create a Powershell script for loading the Rhadamanthys stealer into the memory. The researchers found that each component of the script included grammatically perfect comments explaining the function of each component. That suggested that either a GenAI tool was used to create the malware or was at least used to check the code and add comments on each function.

One of the most popular GenAI tools is ChatGPT, a tool with extensive guardrails to prevent malicious uses; however, OpenAI, the company behind ChatGPT, confirmed that its platform has been used for malicious purposes, albeit on a small scale. According to the OpenAI report, the company has disrupted more than 20 attempts to use ChatGPTfor the development and debugging of malware, creating spear phishing content, conducting research and reconnaissance, identifying vulnerabilities, researching social engineering themes, enhancing their scripting techniques, and hiding malicious code.

Malware was created by one threat actor with assistance provided by ChatGPT that allowed them to identify the user’s exact location, steal information such as call logs, contact lists, and browser histories, capture screenshots, and obtain files stored on the device. While a certain level of skill is required to abuse these tools for malware creation and other malicious purposes, they can be used to improve efficiency and could be used by relatively low-skilled threat actors to conduct more attacks and improve their effectiveness.

Cybercriminals are using AI for malicious purposes, but network defenders can also harness the power of these tools for defensive purposes. AI-augmented cybersecurity solutions such as spam filtering services are more effective at identifying AI-generated phishing and social engineering attempts and can respond to new threats and triage attacks in real time. Advanced machine learning is used in SpamTitan’s email sandbox for detecting zero-day malware threats that evade standard email security solutions. AI tools can summarize and analyze threat intelligence data, identify trends, and provide actionable insights, including analyzing network traffic logs, system logs, and user behavior to find anomalies.

With growing evidence of cybercriminals’ use of these tools, businesses need to ensure that their cybersecurity solutions also incorporate AI and machine learning capabilities to combat AI-augmented threats.

Cyber Actors Conducting Spear Phishing Campaigns for Iranian State

Spear phishing attacks are being conducted by a cyber threat group working on behalf of Iran’s Islamic Revolutionary Guard Corps. The cyber threat actors have been gaining access to the personal and business accounts of targeted individuals to obtain information to support Iran’s information operations.

According to a joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Cyber Command – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), and the United Kingdom’s National Cyber Security Centre (NCSC), the campaign has been targeting individuals with a nexus to Iranian and Middle Eastern affairs, including journalists, political activists, government officials, think tank personnel, and individuals associated with US political campaign activity.

Individuals are typically contacted via email or messaging platforms. As is common in spear phishing attacks, the cyber threat actors impersonate trusted contacts, who may be colleagues, associates, acquaintances, or family members. In some of the group’s attacks, they have impersonated known email service providers, well-known journalists seeking interviews, contacts offering invitations to conferences or embassy events, or individuals offering speaking engagements. There have been instances where an individual is impersonated who is seeking foreign policy discussions and opinions.

In contrast to standard phishing attacks where the victim is sent a malicious email attachment or link to a phishing website in the initial email, more effort is put into building a rapport with the victim to make them believe they are engaging with the person the scammer is impersonating. There may be several exchanges via email or a messaging platform before the victim is sent a malicious link, which may be embedded in a shared document rather than being directly communicated via email or a messaging app.

If the link is clicked, the victim is directed to a fake email account login page where they are tricked into disclosing their credentials. If entered, the credentials are captured and used to login to the victim’s account. If the victim’s account is protected with multi-factor authentication, they may also be tricked into disclosing MFA codes. If access to the account is gained, the cyber threat actor can exfiltrate messages and attachments, set up email forwarding rules, delete or manipulate messages, and use the account to target other individuals of interest.

Spear phishing attempts are harder to identify than standard phishing attempts as greater effort is put in by the attackers, including personalizing the initial contact messages, engaging in conversations spanning several messages, and using highly plausible and carefully crafted lures. These emails may bypass standard spam filtering mechanisms since the emails are not sent in mass campaigns and the IP addresses and domains used may not have been added to blacklists.

It is important to have robust anti-phishing, anti-spam, and anti-spoofing solutions in place to increase protection and prevent these malicious emails from reaching their intended targets. An advanced spam filtering solution should be used that incorporates Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to identify spoofing and validate inbound emails. SpamTitan also incorporates machine learning and AI-based detection to help identify spear phishing attempts.

If you are a Microsoft 365 user, the anti-spam and anti-phishing mechanisms provided by Microsoft should be augmented with a third-party anti-phishing solution. PhishTitan can detect the spear phishing emails that Microsoft’s EOP and Defender often miss while adding a host of detection mechanisms and anti-phishing features including adding banners to emails from external sources.

One of the main defenses against these attacks is vigilance. An end-user security awareness training program should be implemented to improve awareness of spear phishing attacks. SafeTitan makes this as easy as possible and covers all possible attack scenarios, with training provided in short and easy-to-assimilate training modules. It is also important to conduct phishing simulations to raise and maintain awareness. These simulations can be especially effective at raising awareness about spear phishing emails and giving end users practice at identifying these threats.

Multifactor authentication should be enabled on all accounts, with phishing-resistant multi-factor authentication providing the highest degree of protection. IT teams should also consider prohibiting email forwarding rules from automatically forwarding emails to external addresses and conducting regular scans of the company email server to identify any custom rules that have been set up or changes to the configuration. Alerts should also be configured for any suspicious activity such as logins from foreign IP addresses.

Latest Sextortion Scam Email Campaigns Use Novel Tactics

Sextortion – financially motivated sexual extortion – is a form of digital blackmail, where the attacker either holds or claims to hold compromising information and threatens to publish or share that information with others unless a payment is made. One of the most common types of sextortion scams involves a cybercriminal making contact, usually via email, claiming they have accessed the victim’s computer and found sexually explicit material such as photographs or viewed the victim’s browsing history of adult web content. The emails claim that the victim’s webcam and microphone have also been hacked, and the victim has been recorded while viewing sexually explicit content. Threats are issued to share that information with the victims, friends, family members, spouse, or employer and a demand is issued for payment. These hacking-based sextortion scams are usually empty threats, as the scammer has not managed to hack the user’s device.

New tactics have been identified in recent sextortion scams. In one campaign, the cyber threat actor impersonates a cybersecurity company and claims they have found evidence that indicates the victim’s spouse has been cheating on them. Rather than demand payment to prevent the publication or sharing of that information, the messages ask for payment to provide evidence of the infidelity. The company claims to have obtained full copies of the spouse’s address book, social media communications, website viewing history, dating app activity, and more, and that the information will be provided as a package if payment is made. The messages are addressed to the victim by name and include the spouse’s name, which adds legitimacy to the claim. That information is thought to have been obtained in a data breach.

Another sextortion tactic has been identified that uses a photograph of the victim’s home in the initial communication. In this scam, the targeted individual is sent an email with a PDF file that uses the victim’s first and last name for the file name. If the file is opened, the victim will see a photograph of their house along with their address. The sextortion scam follows a similar pattern to the hacked computer scam, where the victim is told that their computer has been hacked and the hacker has viewed their browsing history and recorded them browsing filthy videos using the laptop’s camera and clicking on links to unsafe websites. In one scam, the user is told that the well-known Pegasus spyware was used to covertly record and remotely monitor the user’s laptop and mobile, and that access has been gained to the user’s email account, social media accounts, and their full contact list has been downloaded.

The house image is a novel twist that is intended to make the scammer’s claim even more realistic and suggests that the scammer has visited the user’s home and knows where they live. While the latter is true, the image has been screenshotted from Google Maps Street View, and in all likelihood, the user’s email address and home address have been obtained from a publicly available source or a data breach.

These scam emails are intended to make the victim panic and make payment; however, these scams rarely involve actual hacking. Any payment is likely to lead to further blackmail attempts. The best approach is to simply not respond to the email and delete it.

School Cyberattacks Increase 55% with Phishing Attacks the Most Common Threat

While no sector is immune to cyberattacks, some sectors are targeted more frequently than others and attacks on the education sector are common and on the rise. In May 2024, new data released by the UK’s Information Commissioner’s Office revealed there had been 347 cyber incidents reported by the education and childcare sector in 2023, an increase of 55% from the previous year.

These attacks can prevent access to IT systems, forcing schools to resort to manual processes for checking pupil registers, teaching, and all other school functions. Without access to IT systems, teachers are unable to prepare for lessons, schools have been prevented from taking payment for pupil lunches, and many have lost students’ coursework. The impact on schools, teachers, and students can be severe. Some schools have been forced to temporarily close due to a cyberattack.

A survey conducted by the Office of Qualifications and Examinations Regulation (Ofqual) found that 9% of surveyed headteachers had experienced a critically damaging cyberattack in the past academic year. 20% of schools were unable to immediately recover from a cyberattack and 4% reported that they still had not returned to normal operations more than half a term later.

The Ofqual survey revealed more than one-third of English schools had suffered a cyber incident in the past academic year and a significant percentage faced ongoing disruption due to a cyberattack. Cyberattacks can take many forms and while ransomware attacks are often the most damaging, the most common type of cyber incident is phishing. According to the survey, 23% of schools and colleges in England experienced a cybersecurity incident as a result of a phishing attack in the past year.

Schools are not sufficiently prepared to deal with these attacks. According to the survey, 1 in 3 teachers said they had not been provided with cybersecurity training in the past year, even though cybersecurity training has proven to be effective at preventing cyberattacks. The survey revealed that out of the 66% of teachers who had been provided with training, two-thirds said it was useful.

TitanHQ has developed a comprehensive security awareness training platform for all sectors, that is easy to tailor to meet the needs of individual schools. The platform includes an extensive range of computer-based training content, split into modules of no more than 10 minutes to make it easy for teachers and other staff members to complete. The training material is enjoyable, covers the specific threats that educational institutions face, and teaches the cybersecurity practices that can help to improve defenses and combat phishing, spear phishing, and malware attacks.

The SafeTitan platform also includes a phishing simulator for conducting simulated phishing attacks to improve awareness, reinforce training, and give staff members practice in identifying phishing and other cyber threats. The training and simulations can be automated, and training modules can be set to be triggered by security errors and risky behaviors. Further, the platform is affordable.

To find out more about improving human defenses at your educational institution through SafeTitan, give the TitanHQ team a call. TitanHQ can also help with improving technical defenses, with a suite of cybersecurity solutions for the education sector including SpamTitan anti-spam software, the PhishTitan anti-phishing solution, and the WebTitan DNS-based web filter. Combined, these technical defenses can greatly improve your security posture and prevent cyber threats them from reaching end users and their devices.

Cybersecurity Awareness Month 2024: Time to Beef Up Phishing Defenses

October is Cybersecurity Awareness Month – a four-week international effort to raise awareness of the importance of cybersecurity and educate everyone about online safety and the steps that can easily be taken to protect personal data. In the United States, the federal lead for National Cybersecurity Awareness Month is the Cybersecurity and Infrastructure Security Agency (CISA) and resources have been made available by the National Cybersecurity Alliance (NCA) to help organizations communicate to their employees and customers the importance of cybersecurity.

This year, the theme of the month is “Secure Our World,” and the focus is on four simple and easy-to-implement steps that everyone can take to significantly improve defenses against cyberattacks and prevent unauthorized access to personal data. Those steps are:

  • Use strong passwords and a password manager
  • Enable multifactor authentication
  • Update software
  • Recognize and report phishing

Passwords should be set that are resistant to brute force guessing attempts. That generally means setting a password that is complex and uses several different character sets to increase the number of potential combinations. The standard advice is to ensure that each password contains at least one capital letter, lowercase letter, number, and special character. Ideally, a password should consist of a random string of all of those characters and be at least 8 characters long. Since strong passwords are difficult to remember, a password manager should be used. Password managers can help to generate truly random strings of characters and store them (and autofill them) so they do not need to be remembered.

The U.S. National Institute of Standards and Technology (NIST) has recently updated its password guidance and suggests moving away from enforcing complexity rules in favor of longer passwords, as they are easier to remember and are less likely to see individuals taking shortcuts that weaken password security. NIST recommends a password of at least 8 characters, ideally 15 characters or more, and to allow passwords of up to 64 characters. Enforced password changes should only be required if a password is compromised, and businesses should maintain a list of weak and commonly used passwords and prevent them from being set. A unique password should be set for each account. Only 38% of people set a unique password for all accounts.

A password alone should not be enough to grant access to an account, as while strong passwords may be difficult to guess, they can be obtained through other means such as data breaches or phishing attacks. To better protect accounts, multifactor authentication should be enabled. If a password is compromised, another method of authentication is required before access to an account is granted. For the best protection, phishing-resistant multi-factor authentication should be used.

While the exploitation of vulnerabilities is not the main way that cybercriminals gain access to devices and networks, everyone should ensure that their software and operating system are kept up to date and running the latest version with patches applied promptly. Software should ideally be configured to update automatically, but if not possible, should be checked regularly to ensure it is running the latest version.

One of the most important defenses is to improve education about phishing, as it is one of the main ways that accounts are compromised and networks are breached. This is an area where employers need to take action. Education of the workforce about the threat of phishing and malware is vital, and it should be provided often. Employees should be taught how to identify phishing attempts, and they should be provided with an easy way of reporting potential threats to their security team and be encouraged to do so. A one-click option in their email client will make this quick and easy.

This is an area where TitanHQ can help. TitanHQ’s SafeTitan security awareness training platform has an extensive library of training content that teaches cybersecurity best practices to help eradicate the risky behaviors that open the door to hackers and scammers. The platform allows training courses to be easily created and tailored for different roles within the organization. The platform also delivers training in response to security mistakes, ensuring training is immediately provided to correct poor security behavior at the time when it is likely to have the greatest impact. The training content is constantly updated using real-world examples of the latest tactics, techniques, and procedures used by cybercriminals to ensure the workforce is kept aware of the latest threats. The platform also includes a phishing simulator, that businesses can use to reinforce training. Internal campaigns can be easily configured and automated, with reports generated to demonstrate how training is improving over time. The simulator can also be configured to immediately generate relevant training in response to a failed phishing simulation.

TitanHQ also offers a range of cybersecurity solutions that provide cutting-edge protection against phishing, social engineering, malware, and other threats. These include SpamTitan antispam software to prevent threats from reaching inboxes. SpamTitan is a cloud-based email filtering service with an exceptional detection rate thanks to AI- and machine-learning capabilities, dual anti-virus engines, a next-generation email sandbox, and the information of SPF, DKIM, and DMARC to prevent spoofing. The solution also includes an Outlook add-in to allow employees to easily report suspicious emails to their security team.

PhishTitan is an anti-phishing solution for Microsoft 365 that provides excellent protection against phishing threats, adds banners to emails to alert employees about messages from external sources, and allows security teams to rapidly remediate phishing attempts on the organization. WebTitan is a DNS-based web filtering solution that prevents employees from visiting malicious web content, blocking malware and potentially risky file downloads from the Internet, and allows organizations to carefully control the web content that can be accessed on and off the network.

This Cybersecurity Awareness Month is the ideal time to improve your defenses against phishing and other cyberattacks through our anti-spam service and security awareness training platform. Give the TitanHQ team a call today to discuss these and other solutions that can help improve your security posture. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

New Phishing and Malware Delivery Tactics Observed in September

New SEO poisoning, phishing, and deepfake techniques have been identified in campaigns for malware delivery, credential theft, and financial fraud this month. It is important to ensure you have appropriate defenses in place and you update your training programs to raise awareness of these new tactics.

SEO Poisoning Used to Deliver Wikiloader Malware Masquerading as the GlobalProtect VPN

Early in September, Palo Alto Networks reported that its virtual private network, GlobalProtect, was being spoofed in a campaign to deliver Wikiloader (WailingCrab) malware – A malware variant used for delivering other malware payloads onto infected devices. The threat actors behind Wikiloader campaigns sell access to other cybercriminals. An infection with Wikiloader could lead to all manner of other infections.

This campaign was focused on the higher education and transportation sectors and like many malware distribution schemes used search engine (SEO) poisoning to get malicious websites to appear high in the search engine listings for key search terms targeting those sectors. The campaign claimed to offer a download of GlobalProtect and used a combination of cloned webpages and cloud-based git repositories and delivered a file – named GlobalProtect64.exe – offering the VPN. The file delivered was a trojanized version of a share trading application, that sideloaded a malicious DLL that allowed the execution of shellcode that delivered Wikiloader from a remote server. On execution, the user was told that GlobalProtect could not be installed due to missing libraries.

This was a marked change from other campaigns that have distributed Wikiloader, which has previously been delivered via phishing emails. This is the first time that GlobalProtect has been spoofed to deliver Wikiloader. The change in tactics is believed to be due to a different initial access broker starting using Wikiloader.

Threat Actors Increasingly Using Archive Files for Email Malware Distribution

One of the most common ways of delivering malware is via phishing emails with malicious attachments. For years, the most common method involved emailing Microsoft Office documents that contained malicious macros. If the files are opened and macros are allowed to run, a malware download will be triggered. A variety of file attachments are now used for malware delivery, including PDF files, which allow links, scripts and executable files to be incorporated into the files. To hide malicious files from email security solutions, they are often added to archive files.

According to a recent analysis by HP security researchers, 39% of malware deliveries came from archive files in Q2, 2024, up from 27% the previous quarter. The researchers noted that in addition to using the most popular and well-known archive formats such as.zip, .rar, and .7z, more obscure archive files are increasingly being used. The researchers identified around 50 different archive file formats in Q2. Threat actors are also moving away from documents and are instead favoring script languages such as VBScript and JavaScript for malware delivery, with the scripts hidden in encrypted archive files to evade email security defenses.

End users are less likely to identify obscure archive formats and script files as malicious, as security awareness training has tended to focus on malicious documents containing macros. Security awareness training programs should inform employees about the different file types that may be used for malware delivery and safeguards should be implemented to reduce the risk of malware downloads, such as advanced spam filter software and web filters for blocking malware downloads from the Internet.

Deepfakes Increasingly Used in Attacks on Businesses

Deepfakes are increasingly being used in attacks on businesses on both sides of the Atlantic, and these scams have proved to be highly effective in financial scams. According to a survey conducted by Medius, around half of UK and US businesses have been targeted with deepfake scams and around 43% have fallen victim to the scams. Deepfake scams use artificial intelligence to alter images, videos, and audio recordings, making it appear that respected or trusted individuals are requesting a certain action.

The individuals deepfaked in these scams include executives such as the CEO and CFO, as well as vendors/ suppliers. For example, a deepfake of the CEO of a company was used in a video conference call with the company’s employees. In one of these scams, an Arup employee was tricked into making 5 fraudulent transfers to Hong Kong bank accounts before the scam was detected. These scams highlight the importance of covering deepfakes in security awareness training.

TitanHQ Solutions That Can Help Protect Your Business

TitanHQ has developed a range of cybersecurity solutions for businesses and managed service providers to help defend against increasingly sophisticated cyberattacks.

  • SpamTitan Email Security – An advanced AI-driven cloud-based anti-spam service with email sandboxing that has been recently shown to block 99.98% of phishing threats and 100% of malware in independent performance tests.
  • PhishTitan Microsoft 365 Phishing Protection – A next-generation anti-phishing and phishing remediation solution for Microsoft 365 environments that augments native M365 defenses and blocks threats that EOP and Defender misses
  • WebTitan DNS Filter – A cloud-based DNS filtering and web security solution providing AI-driven threat protection with advanced web content controls for blocking malware delivery from the Internet and access to malicious websites.
  • SafeTitan Security Awareness Training – A comprehensive, affordable, and easy-to-use security awareness training and phishing simulation platform that delivers training in real-time in response to security mistakes.

For more information on these solutions, give the TitanHQ sales team a call today. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

Evidence Found Indicating Cybercriminals Are Using GenAI Tools for Malware Creation

Generative artificial intelligence (GenAI) services are already being leveraged by cybercriminals to create convincing phishing emails, and it appears that these tools are being used for the creation of malware. GenAI services are capable of writing code; however, guardrails have been implemented to prevent malicious uses of these tools, such as the creation of malware. If those guardrails can be circumvented, the creation of malware would no longer be limited to skilled malware developers. Lower-skilled cybercriminals could develop their own malware using GenAI services, and there is growing evidence they are doing just that.

Over the summer, HP security researchers identified an email campaign targeting French users. The phishing email used HTML smuggling (encrypted HTML) to evade detection, and on analysis, the campaign delivered malicious VBScript and JavaScript code that appeared to have been created using GenAI tools. The entire malicious code included comments about what each function does, which is rare in malware development as the exact workings of the code tend not to be described. The comments, along with the use of native language function names and variables all suggest that GenAI was used to create the malware.

The code was used to deliver AsyncRAT malware, a widely available, open source malware that is an information stealer capable of recording the victim’s screen and logging keystrokes. The malware also acts as a malware downloader that can deliver other malware payloads, including ransomware. In this campaign, little technical skill was required as HTML smuggling does not require any programming, the malware being delivered is widely available, and the fact that the comments had not been removed and there was no obfuscation, points to the development of malware by an inexperienced cybercriminal.

There have been other examples of apparent malicious code creation using GenAI, such as a malicious PowerShell script identified earlier this year that was also used to deploy infostealer malware. That campaign targeted users in Germany and impersonated Metro cash-and-carry and was also delivered via email. Just as GenAI tools are helping writers rapidly create written content, GenAI tools can be used to rapidly develop malicious code. ChatGPT and Gemini have guardrails in place that it may be possible to circumvent, but there are many dark LLMs that lack those controls such as WormGPT and FraudGPT. If these tools are leveraged, relatively low-skilled cybercriminals can develop their own malware variants.

Traditional antivirus solutions use signature-based detection. When malware is identified, a signature is added to the antivirus solution for that specific malware variant that allows it to be detected in the future. There is a delay between the creation of malware and the addition of malware signatures to the definition lists of antivirus solutions, during which time malware can easily be smuggled onto devices undetected. If the creation of malware can be accelerated with GenAI tools, cybercriminals will have the upper hand.

The solution for businesses is to deploy security solutions capable of detecting novel malware variants by their behavior rather than a signature. Since malware is commonly delivered via email, having a cloud-based email security solution that incorporates behavioral analysis of attachments will help identify and neutralize these malware variants before they can be installed.

SpamTitan from TitanHQ is a cloud-based antispam software that incorporates email sandboxing. When standard antivirus checks are passed, suspicious emails and attachments are sent to a next-generation email sandbox for deep inspection, where the behavior of the attachments is assessed in an isolated sandbox environment.  If malicious actions are detected, the threat is neutralized. SpamTitan also incorporates AI-based and machine-learning detection mechanisms to assist with malicious email detection, and along with a host of other checks ensure malicious emails are detected and blocked. In recent independent tests, SpamTitan has a 99.99% phishing catch rate and a 100% malware catch rate, with zero false positives.

SpamTitan, like all other TitanHQ cybersecurity solutions, is available on a free trial to allow you to see for yourself the difference it makes. To find out more about protecting your business from increasingly sophisticated threats, give the TitanHQ team a call.

New MSP Features Added to SafeTitan Security Awareness Training Platform

TitanHQ has launched a new version of its SafeTitan security awareness training and phishing simulation platform, which now includes new features for Managed Service Providers (MSPs) to allow them to enhance their security awareness training services.

Security awareness training is now vital due to the increasing number and sophistication of phishing attempts. Even with an advanced anti-phishing solution in place, it is inevitable that some phishing attempts will reach their intended targets, so the workforce needs to be trained on how to recognize and avoid phishing attempts. Companies are increasingly turning to MSPs to provide security awareness training as they lack the time and resources to develop and administer training courses and conduct phishing simulations. By providing training as a service, MSPs can better protect their clients against phishing and reduce support time, while also improving their bottom line.

Two key features added to the platform in the latest release are a multi-lure feature and reactive training for MSPs. When conducting phishing simulations internally, there is a chance that an employee will correctly identify a simulated phishing email and tip off their colleagues. The multi-lure feature of the SafeTitan platform solves this problem by allowing randomized lures to be sent during a simulated phishing campaign.

When this feature is activated, phishing emails will be sent in randomized bursts during working hours to ensure a high level of diversity within a phishing campaign and to maintain the element of surprise. The variety will help to ensure that members of the workforce experience a genuine test of their knowledge to help equip them with the skills they need to identify real phishing attempts.

Another new feature has been added to the MSP layer of the platform to ensure that MSPs can provide enhanced security awareness training. Reactive training is often not available to MSPs, yet it is one of the most effective ways of changing user behavior. Administrators can configure the platform to provide training in response to insecure behaviors by employees in real-time, ensuring timely training is provided to correct a bad behavior at the time when it is most likely to have the greatest impact. SafeTitan captures all data from users’ interactions with simulated phishing emails. If the user responds inappropriately, such as clicking a link or opening an attachment, training can be provided in real time relevant to that insecure action ensuring the employee is made aware of the error and their behavior is corrected.

For the MSP, not only does that help to improve the security awareness of the workforce, it means there is no need for manual assessments, saving MSPs valuable time. Other updates in the latest release include several much-awaited feature requests, including updates to the user experience that make navigating the platform even easier.

If you are an MSP that does not currently offer security awareness training, give the TitanHQ team a call to find out more about the SafeTitan platform. Product demonstrations, including demos of the new features, can be arranged on request.

Don’t Rely on Email Security Solutions Alone

The primary defense against spam and malicious emails is anti-spam software, through which all emails must pass to be delivered to inboxes. A spam filter performs a variety of checks to ensure that the email is genuine and does not contain any threats, and if you use an advanced spam filtering service such as SpamTitan you will be well protected.

SpamTitan incorporates SPF, DKIM, and DMARC to identify and block spoofing, AI and machine learning algorithms to identify spam and malicious messages based on how they deviate from the genuine emails a business usually receives, and the solution performs checks of message headers and the message body including Bayesian analysis to identify unsolicited and malicious messages. SpamTitan also incorporates email sandboxing to identify malicious attachments based on their behavior. The Bitdefender-powered email sandbox service identifies the zero-day malware threats that antivirus controls miss. In recent independent tests, the engine that powers the SpamTitan and PhishTitan solutions scored second-highest in the tests with a phishing catch rate of 99.990%, a malware catch rate of 100%, and a false positive rate of 0.0%.

While these advanced antispam solutions can protect your business and block the majority of threats, spam filters for incoming mail will not block 100% of threats without also blocking an unacceptable number of genuine emails. That means that your corporate email filter may not catch all malicious and unwanted messages, which is why it is important not to totally rely on your enterprise spam filter for protection.

Cybercriminals are constantly developing new tactics to defeat spam filters and get their messages in inboxes where they can be opened by their intended targets. One tactic that has been increasing is callback phishing, where the emails contain no malicious links or attachments, only a phone number. The malicious actions take place over the phone, such as convincing the user to download software that provides remote access to their device. Spam filters cannot easily determine if a phone number is malicious, although the AI content detection mechanisms of SpamTitan can identify these types of threats.

Cybercriminals are increasingly leveraging legitimate third-party infrastructure for sending their spam and malicious emails, such as exploiting web forms with backend SMTP infrastructure, legitimate online services such as Google Drive, Dropbox, and SharePoint for hosting malware and phishing content, and services such as Google Forms for hosting fake quizzes for capturing sensitive information. All of these methods can be difficult to identify as they use legitimate services that are generally trusted by email security solutions. Then there are other forms of phishing that no email security solution can block, as the phishing occurs on social media pages and links are sent via instant messaging services and SMS. These “smishing” attacks bypass standard technical defenses and often reach their intended targets.

The reality is that no matter how good your technical defenses are, threats will be encountered by employees. An advanced spam filter like SpamTitan will help to reduce the number of malicious and unwanted messages that arrive in inboxes but without comprehensive security awareness training, employees may respond to the malicious messages that sneak past your spam filter, are encountered via the Internet, or are sent via SMS or instant messaging services.

This is why TitanHQ strongly recommends providing regular security awareness training to the workforce to train individuals how to recognize and avoid threats such as malware and phishing and to teach cybersecurity best practices to eradicate risky behaviors. This is also an area where TitanHQ can help. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) that makes it easy for businesses to create security awareness training programs for the workforce, with those campaigns tailored for different departments and roles and the different threats that each is likely to encounter.

The training courses are modular, with each element lasting no more than 10 minutes, which makes it easy to fit training into busy workflows. Through regular training, reinforced with phishing simulations conducted through the platform, businesses will be able to improve their human defenses. If malicious messages do make it past your perimeter defenses or if employees encounter threats online or elsewhere, they will have the skills to recognize and avoid those threats.

Give the TitanHQ team a call today to discuss improving your defenses through advanced spam filtering, web filtering, and security awareness training. TitanHQ solutions are available on a free trial to allow you to put them to the test before making a purchase decision, and demonstrations can be arranged on request.

Compromised Credentials and Phishing Most Commonly Used to Access Business Networks

Cybercriminals and nation state threat actors are targeting businesses to steal sensitive information, often also using file encryption with ransomware for extortion. Initial access to business networks is gained through a range of tactics, but the most common is the use of compromised credentials. Credentials can be guessed using brute force tactics, by exploiting password reuse in credential stuffing attacks, using malware such as keyloggers to steal passwords, or via phishing attacks.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), compromised credentials are the most common method for initial access in attacks on critical infrastructure entities. CISA revealed that 41% of all attacks on critical infrastructure used compromised credentials and phishing and spear phishing were identified as the second most common attack vector. A separate study by Osterman Research and OPSWAT revealed that the majority of critical infrastructure entities have suffered an email security breach in the past 12 months, with 75% of critical threats arriving via email.

Should any of these email threats arrive in inboxes, they could be opened by employees resulting in the theft of their credentials or the installation of malware. Both could provide a threat actor with the access they need to steal sensitive data and encrypt files with ransomware. Email threats usually impersonate a trusted entity such as a vendor, well-known organization, colleague, or previous acquaintance, which helps to make the correspondence appear authentic, increasing the likelihood of an employee responding.

According to CISA, the success rate of these emails depends on the technical defenses a business has in place and whether security awareness training has been provided to the workforce. The primary defense against phishing and other email attacks is a spam filter, which can be a cloud-based spam filtering service or gateway spam filter. CISA recommends implementing email filtering mechanisms incorporating Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), as both are important for protecting against spoofing and email modification.

Antiphishing defenses should rewrite URLs to show their true destination, and for maximum protection – especially against AI-generated phishing attempts – anti-spam software should incorporate machine learning and AI-based detection mechanisms and analyze email content to determine how emails deviate from the typical emails received by a business. Malware is often used in attacks, so spam filters should incorporate antivirus protection, including email sandboxing to detect malware based on its behavior rather than signature since many novel threats can bypass the signature-based defenses of standard anti-virus products.

A web filter is a useful tool for protecting against the web-based component of phishing attempts, as it can block access to known malicious websites and also prevent visits to malicious websites from general web browsing. Security awareness training should be provided frequently to the workforce to improve human-based defenses and reduce the risk of employees being tricked by social engineering and phishing attempts. Employees should also be provided with an easy way of reporting suspicious requests to their security teams. Backing up security awareness training with phishing simulations can help reinforce training and identify knowledge gaps.

To protect against compromised credentials, multifactor authentication should be implemented, with phishing-resistant MFA providing the highest level of protection. Password policies should be implemented that require the use of unique, strong passwords, all default passwords should be changed, and any inactive or unnecessary accounts should be disabled.

TitanHQ can help protect against these attacks through a suite of cybersecurity solutions. SpamTitan email Security, the WebTitan DNS-based web filter, the PhishTitan anti-phishing solution for Microsoft 365, and the SafeTitan security awareness training platform. All solutions have been developed to be easy for businesses to implement and use and provide cutting-edge protection against the full range of cyber threats. For more information give the TitanHQ team a call and take the first steps towards improving your defenses against increasingly sophisticated cyber threats.

Ransomware Attacks Often Start with Malware Infections or Phishing Attacks

Ransomware attacks can cause an incredible amount of damage to an organization’s reputation as well as huge financial losses from the downtime they cause. Recovery from an attack, regardless of whether the ransom is paid, can take weeks and the theft and publication of sensitive data on the dark web can prompt customers to leave in their droves. Attacks are still being conducted in high numbers, especially in the United States and the United Kingdom. One recent survey indicates that 90% of businesses in those countries have experienced at least one attack in the past 12 months, with three-quarters of organizations suffering more than one attack in the past year.

The healthcare sector is often attacked as defenses are perceived to be weak and sensitive data can be easily stolen, increasing the chance of the ransom being paid. The Inc Ransom group has been targeting the healthcare sector and conducted an attack on an NHS Trust in Scotland earlier this year, stealing 3 TB of sensitive data and subsequently publishing that data on the dark web when the ransom wasn’t paid.

The Inc Ransom group also conducted an attack on a Michigan healthcare provider, preventing access to its electronic medical record system for 3 weeks in August. A group called Qilin attacked an NHS pathology provider, Synnovis, in June 2024 which had a huge impact on patient services, causing a shortage of blood in London hospitals that caused many surgeries to be postponed. Education is another commonly attacked sector. The Billericay School in Essex had its IT system encrypted, forcing the school to temporarily close. In all of these attacks, highly sensitive data was stolen and held to ransom. The public sector, healthcare, and schools are attractive targets due to the value of the sensitive data they hold, and attacks on businesses cause incredibly costly downtime, both of which can force victims into paying ransoms. What is clear from the reporting of attacks is no sector is immune.

There is increasing evidence that ransomware groups are relying on malware for initial access. Microsoft recently reported that a threat actor tracked as Vanilla Tempest (aka Vice Society) that targets the healthcare and education sectors has started using Inc ransomware in its attacks and uses the Gootloader malware downloader for initial access. A threat actor tracked as Storm-0494 is responsible for the Gootloader infections and sells access to the ransomware group. Infostealer malware is also commonly used in attack chains. The malware is installed by threat groups that act as initial access brokers, allowing them to steal credentials to gain access to networks and then sell that access to ransomware groups. Phishing is also commonly used for initial access and is one of the main initial access vectors in ransomware attacks, providing access in around one-quarter of attacks.

Infostealer malware is often able to evade antivirus solutions and is either delivered via malicious websites, drive-by malware downloads, or phishing emails. Gootloader infections primarily occur via malicious websites, with malvertising used to direct users to malicious sites where they are tricked into downloading and installing malware. Credentials are commonly compromised in phishing attacks, with employees tricked into disclosing their passwords by impersonating trusted individuals and companies.

Advanced cybersecurity defenses are needed to combat these damaging cyberattacks. In addition to traditional antivirus software, businesses need to implement defenses capable of identifying the novel malware threats that antivirus software is unable to detect. One of the best defenses is an email sandbox, where emails are sent for behavioral analysis. In the sandbox – an isolated, safe environment – file attachments are executed, and their behavior is analyzed, rather than relying on malware signatures for detection, and links are followed to identify malicious content.

DNS filters are valuable tools for blocking web-based delivery of malware. They can be used to control access to the Internet, prevent malvertising redirects to malicious websites, block downloads of dangerous file types from the Internet, and access to known malicious URLs. Employees are tricked into taking actions that provide attackers with access to their networks, by installing malware or disclosing their credentials in phishing attacks, so regular security awareness training is important along with tests of knowledge using phishing simulations.

There is unfortunately no silver bullet when it comes to stopping ransomware attacks; however, that does not mean protecting against ransomware attacks is difficult for businesses. TitanHQ offers a suite of easy-to-use cybersecurity solutions that provide cutting-edge protection against ransomware attacks. TitanHQ’s award-winning products combine advanced detection such as email sandboxing, AI and machine-learning-based detection, and are fed threat intelligence from a massive global network of endpoints to ensure businesses are well protected from the full range of threats.

Give the TitanHQ team a call today and have a chat about improving your defenses with advanced anti-spam software, anti-phishing protection, DNS filtering, and security awareness training solutions and put the solutions to the test on a free trial to see for yourself the difference they make.

Microsoft Forms Used in Phishing Campaign Targeting M365 Credentials

Microsoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a feature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used in the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent abuse, but these campaigns show that those measures are not always effective.

To increase the probability of the phishing emails being delivered and the recipients responding, threat actors use compromised email accounts for the campaigns. If a business email account can be compromised in a phishing attack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to conduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account, which may even be whitelisted on email security solutions to ensure that their messages are delivered.

If the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that the user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to enter their Microsoft 365 credentials. If the credentials are entered, they are captured by the attacker and are used to access their account.

The initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests to change passwords, and notifications about shared documents. When the user lands on the form, they are told to click a link and fill in a questionnaire, that link then sends the user to a phishing page that appears to be a genuine login page for Microsoft 365 or another company, depending on which credentials are being targeted.

The attackers make their campaign more realistic by using company logos in the phishing emails and familiar favicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL provided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine Microsoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also makes it much harder for email security solutions to determine that the email is not legitimate as the forms.office[dot]com is generally trusted as it has a high reputation score.

When these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has a ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to shut it down. The problem is that these emails are being sent in huge numbers and there is a considerable window of opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web pages and forms and continue.

These phishing campaigns involve two phases, the first phase involves compromising email accounts to send the initial phishing emails. An advanced email security solution with sandboxing, URL rewriting, and AI-based detection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office 365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts. Banner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant as it may be up to them to spot and report the phishing attempt. That means security awareness training should be provided to raise awareness of these types of phishing attempts.

Security awareness training should also incorporate phishing simulations, and it is recommended to create simulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing attempts, they can be provided with further training and told how they could have identified the scam. If another Microsoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.

TitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite, which includes SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan security awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection rates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to employee mistakes. Give the TitanHQ team a call today for more information about these products, you can book a product demonstration to find out more, and all solutions are available on a free trial.

How Real-Time Security Awareness Training Improves Cybersecurity

Cybersecurity awareness training is now vital for businesses to raise employees’ awareness of cyber threats. Here we will explain why you need real-time security awareness training and phishing simulations and the difference they can make to your security posture.

The biggest cybersecurity threat faced by businesses is phishing. Phishing attacks target employees as cybercriminals and nation-state actors know all too well that employees are a weak link in security defenses. If they can get a phishing email in front of an employee and give them a plausible reason for taking the action they suggest, they can steal credentials that will give them the access they need or get the employee to download and open a malicious file, that will download malware and provide persistent access to the network.

If doesn’t always need to be a sophisticated phishing attempt if the email lands in the inbox of a busy employee or one who lacks security awareness. Many unsophisticated phishing attempts succeed due to human error. The problem is that phishing attempts are often sophisticated, and are now being crafted using LLMs that not only ensure that the emails are devoid of spelling mistakes and grammatical errors, but LLMs can also help to devise new phishing lures.

All it takes is for one phishing attempt to be successful to give an attacker the access they need for an extensive compromise. Cybercriminals often gain access to an employee’s email account and then use that account to conduct further phishing attempts internally, until they compromise large numbers of email accounts and manage to steal credentials with high privileges. Since email accounts often contain a wealth of sensitive and valuable data, the attack does not even need to progress further for it to be costly to remediate.

Businesses need to ensure that they have robust email security defenses, including an email security solution with sandboxing, AI, and machine learning detection to identify and block malware threats and zero-day phishing attacks, malicious URL detection capabilities, and a solution that is constantly updated with the latest threat intelligence. While the most advanced cloud-based email security solutions will block the vast majority of malicious emails, they will not block all threats. For example, in recent independent tests, SpamTitan email security was determined to have a spam catch rate of 99.984%, a phishing catch rate of 99.99%, and a malware catch rate of 100% with zero false positives, finishing second in the test.

For the small percentage of malicious emails that do reach inboxes, employees need to be prepared, be on their guard, and have the skills to identify and report suspicious emails, which is where security awareness training and phishing simulations are needed.

The purpose of security awareness training is to raise the level of awareness of cyber threats within the workforce, teach cybersecurity best practices, and eliminate risky behaviors. Training will only be effective if it is provided regularly, building up knowledge over time. Training should ideally be provided in short regular training sessions, with training programs running continuously throughout the year. Each week, every employee can complete a short training module which will help to build awareness and keep security fresh in the mind, with the ultimate goal of creating a security culture where every employee is constantly on their guard and aware that the next email they receive could well be a phishing attempt or contain malware.

Training is most effective when combined with phishing simulations. You can teach employees how to recognize a phishing email, but simulations give them practice at detecting threats and applying their training. Further, the emails will be received when the employees are completing work duties, just the same as a genuine phishing threat. A phishing simulator can be used to automate these campaigns, and administrators can track who responds to determine the types of threats that are tricking employees and the individuals who are failing to identify threats. Training programs can then be tweaked accordingly to address the weaknesses.

The most effective phishing simulation programs automatically deliver training content in real-time in response to security mistakes. When a phishing simulation is failed, the employee is immediately notified and given a short training module relevant to the mistake they made. When training is delivered in real time it serves two important purposes. It ensures that the employee is immediately notified about where they went wrong and how they could have identified the threat, and the training is delivered at the point when it is likely to have the greatest impact.

SafeTitan from TitanHQ makes providing training and conducting phishing simulations simple. The training modules are enjoyable, can be easily fitted into busy workflows, and the training material can be tailored to the organization and individual employees and roles. The training and simulations can be automated and require little management, and since the content is constantly updated with new material and phishing templates based on the latest tactics used by cybercriminals, employees can be kept constantly up to date.

For more information about SafeTitan security awareness training and phishing simulations, give the TitanHQ team a call.

Multi-Layered Phishing Protection for Businesses and MSPs

Phishing is one of the most common ways that cybercriminals gain initial access to networks. A single response to a phishing email can be all it takes to compromise an entire network. These attacks can be incredibly costly. According to the 2024 Cost of a Data Breach Report from IBM, the average cost of a data breach that starts with phishing has risen to $4.88 million. According to the Federal Bureau of Investigation (FBI), phishing was the leading reason for reports of cybercrime to its Internet Crime Complaint Center in 2023.

The best way to gain access to an internal network is to ask someone with access (an employee) to provide that access. That is essentially what phishing is about. Phishing involves deception to gain access, tricking employees into disclosing their credentials or installing software that provides remote access, such as malware or a remote desktop solution. Social engineering techniques are used to convince the employee to take an action that benefits the attacker. That action may be required to fix a problem, such as preventing an avoidable charge to an account, correcting a security issue before it is exploited, or recovering a missing package.

Phishing often involves the impersonation of a trusted entity, which could be the CEO, HR department, colleague, vendor, lawyer, government entity, or a trusted business. Emails may impersonate a trusted individual or company, provide a plausible reason for clicking a link in an email or opening a file attachment. When links are included in emails, they often direct the user to a website that requires them to log in. The log-in box presented will be familiar as it will be a carbon copy of the brand that is being spoofed. When the credentials are entered, they are captured and used to remotely log into that user’s account. Alternatively, they may be directed to a web page and told they must download and open a file, which unbeknown to them, contains a malicious script that silently installs malware.

Phishing targets human weaknesses so one of the best solutions for combatting phishing is end user training. Training the workforce on how to identify a phishing attempt and providing an easy way for them to report potential phishing attempts is vital. Security awareness training should cover cyber threats and how to identify and avoid them, as well as teach cybersecurity best practices and why they are important. If a threat actor can get phishing content in front of an employee, whether that is via email, SMS message, social media, an instant messaging platform, or over the phone, they will be more likely to recognize that threat for what it is and take the appropriate action. Security awareness training is about strengthening your defensive line.

Training can be provided in a one-time training session, but that is unlikely to be effective. If your child wants to drive, you would not pay for a 1-hour lesson and expect them to pass their driving test. Multiple lessons are required along with a lot of practice, and as experience builds, they will become a better driver and learn how to react to situations they have not seen before. It is the same with security awareness training. Providing training frequently will build knowledge and understanding and that knowledge can then be tested and employees given practice at recognizing phishing attempts by using a phishing simulator.

The best defense against phishing is to ensure that no phishing attempt ever reaches an end user; however, in practice that is a major challenge. The aim should be to make it as difficult as possible for attackers to reach end users by implementing technical solutions that can recognize phishing attempts and block them before they are delivered. The primary technical defense is anti-spam software.

Anti-spam software can be provided as a cloud-based anti-spam service or an anti-spam gateway for on-premises email systems, through which all inbound and outbound emails must pass. A spam filter for incoming mail is essential for blocking the majority of phishing threats, but an outbound spam filter is also important for identifying phishing attempts from compromised internal mailboxes.

An anti-spam server must be capable of identifying and blocking malware threats. Spam filters include anti-virus software that scans for known malware signatures, but that is no longer enough. Malware is constantly changing and can easily defeat signature-based detection measures, so email sandboxing is also required. Sandboxing uses pattern filtering and behavioral analysis in a safe environment to identify malware by what it attempts to do. Since phishing attempts are becoming more sophisticated, often not including any malicious content in the emails – such as callback phishing – an anti-spam solution should have AI and machine learning capabilities, to predict phishing attempts by how they deviate from the standard messages received by a business.

Technical defenses will reduce the number of threats that employees encounter, and security awareness training will prepare the workforce in case a threat is not blocked. Further technical defenses should also be considered to combat phishing. Multifactor authentication is important for preventing unauthorized access in the event of an employee disclosing their credentials. With multifactor authentication, a username and password are not enough to grant access to an account. Since multifactor authentication can be circumvented with some of the more advanced phishing kits used by cybercriminals, robust MFA is required, often referred to as phishing-resistant MFA.

No single anti-phishing measure is sufficient on its own. Layered defenses are key to mounting a good defense against phishing, and this is an area where TitanHQ can help. TitanHQ can offer cutting-edge anti-spam software (SpamTitan) that has been shown to block 100% of known malware and, through sandboxing, block novel malware threats, and has a phishing and spam detection rate of over 99.99%. To block phishing threats in Microsoft 365 environments and to help security teams with remediation, TitanHQ offers the PhishTitan solution, and security awareness training and phishing simulations can be created and automated with the SafeTitan platform.

Give the TitanHQ team a call today to find out more about these anti-phishing measures and the team will help you with improving your defenses and getting started on a free trial of these solutions.

ZeroFont Phishing Scam Targets Microsoft 365 Users

A ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the ZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into thinking the email is genuine and safe.

The ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new technique; however, this version uses a novel approach. When an email is sent to a business user, before that email is delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will perform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of spam or phishing. Only if those checks are passed will the message be delivered to the end user. ZeroFont is a technique for hiding certain words from email security solutions to ensure that the messages are not flagged as spam and are delivered.

According to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat actor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not have access. Spam filters will check to make sure that the domain from which the email is sent matches the signature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the signature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical string of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of zero, which means the text is machine-readable but cannot be seen by the user.

A recent campaign uses the ZeroFont techniques but with a twist. In this campaign, the aim is not to trick a spam filter but to instead trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view option, which will show the user the first lines of text of an email. The problem for phishers is getting Outlook users to engage with the messages, which means the messages must be sufficiently compelling so as not to be deleted without opening them. This is especially important if the sender of the email is not known to the recipient.

The email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear trustworthy by displaying text indicating the message had been scanned and secured by the email security solution, rather than showing the first lines of visible content of the message. This was achieved by using a zero font size for some of the text. The threat actor knew that the first lines of the emails are displayed by the mail client in the listing view, regardless of the font size, which means if the font is set to zero, the text will be displayed in the listing view but will not be visible to the user in the message body when the email is opened.

The email used a fake job offer as a lure and asked the user to reply with their personal information: Full name, address, phone number, and personal email, and impersonated the SANS Technology Institute. The full purpose of the phishing attempt is not known. There were no malicious links in the email and no malware attached so the email would likely pass through spam filters. If a response is received, the personal information could be used for a spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in place, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.

Security awareness training programs train employees to look for signs of phishing and other malicious communications, and they are often heavily focused on embedded links in emails and attachments. Emails such as this and callback phishing attempts lack the standard malicious content and as such, end users may not identify them as phishing attempts. It is important to incorporate phishing emails such as this in security awareness training programs to raise awareness of the threat.

That is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message formats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator includes thousands of phishing templates from real-world phishing attempts. It is easy for businesses to create and automate comprehensive security awareness training programs for the workforce and provide training on how to identify novel techniques such as this when they are identified, to ensure employees are kept up to date on the latest tactics, techniques, and procedures used by cybercriminals.

TitanHQ Launches New MSP Security Awareness Training and Phishing Simulation Platform

One of the fastest areas of growth for Managed Service Providers (MSPs) is managed security services. The number of cyberattacks on businesses continues to increase and there is a major shortage of skilled cybersecurity staff. Further, the cost of hiring new talent can be prohibitively expensive for many small- and medium-sized businesses, who are turning to their MSPs to provide those services. Many MSPs have developed a technology stack to meet the demand and are offering managed security services such as identity protection and access management, endpoint security, spam filtering/email security, web security, data protection, network security, and mobile security, but one area that is often lacking in managed services is security awareness training. Currently, only 60% of MSPs offer security awareness training as part of their managed security services.

Technological solutions are implemented by MSPs to protect against hackers, malware, ransomware, and phishing attacks, and these solutions will detect and block the majority of threats, but it is not possible to prevent employees from encountering all threats. The workforce, therefore, needs to be prepared and be taught how to recognize the signs of phishing and other types of attacks, so that when these threats are encountered, they can be identified as such and avoided.

Studies conducted on companies that have conducted benchmarking phishing tests on employees prior to commencing security awareness training have shown that susceptibility to phishing attacks can be reduced considerably. Across all industry sectors, the average click rate for phishing is 37.9%. TitanHQ’s data shows that with regular security awareness training through the SafeTitan platform, susceptibility reduces to under 3%. Such a major reduction will significantly improve an organization’s security posture, yet as important as security awareness training is, a recent survey has shown that 57% of SMBs provide no security awareness training to their workforce whatsoever.

MSPs that do not offer security awareness training are missing out on easy, regular recurring revenue, and their clients are likely to be at risk of falling victim to phishing and other attacks that target employees. It is also worth noting that 69% of SMBs say they would hold their MSP accountable for a phishing attack!

TitanHQ Launches Security Awareness Training & Phishing Simulation Platform for MSPs

It has been a few months now since TitanHQ launched its new security awareness training and phishing simulation platform – SafeTitan.  The initial launch was aimed at SMBs and enterprises to help them create an effective, ongoing security awareness training program for the workforce, and conduct phishing simulations to reinforce training, identify weak links, and track improvements over time.

The platform includes an extensive library of training content on a wide range of topics including security best practices, cyber hygiene, phishing, vishing, and smishing, to allow businesses to easily create training programs to match their needs and risk profiles. The training is gamified, engaging, and delivered in short (max 10-minute) modules, which makes security awareness training enjoyable, while allowing it to be easily fit into busy workflows.

While the platform is well suited to businesses of all sizes, from the smallest of businesses to large enterprises, the platform had to be developed further to meet the needs of MSPs. To make a truly MSP-friendly solution, TitanHQ worked closely with the MSP advisory council and TitanHQ’s extensive MSP customer base to discover exactly what MSPs need to be able to start delivering security awareness training and phishing simulations as a managed service, which lead to the addition of several important new features.

TitanHQ is now happy to announce that SafeTitan for MSPs has now officially been launched. The new product incorporates an intuitive MSP dashboard, through which campaigns can be easily managed. The dashboard gives MSPs real-time live analytics and allows quick actions to be performed.

The phishing simulation platform includes more than 1.8K phishing templates, taken from real-world phishing attempts, with the campaigns easy to schedule for a group of customers, to be run at set intervals every week, month, or year. The platform allows mass training campaigns to be developed, along with mass phishing simulations. The addition of the direct email injection (Graph API) feature allows MSPs to deliver their phishing simulations directly to user inboxes, without having to spend time and effort configuring allowed lists and firewalls.

MSPs also benefit from dynamic user management, so changes can be made quickly and easily to existing campaigns if new users need to be added.  If any user fails a phishing simulation, they can be automatically enrolled in relevant training content to provide targeted training on the aspect of security relevant to the failure.

MSP clients will want to be provided with feedback on how their campaigns are progressing and the impact the training is having on phishing susceptibility, and to make this as easy as possible, the platform now includes scheduled reporting. Reports are automated and are sent to clients at regular intervals with no MSP interaction once configured.

Contact TitanHQ Today

If you have yet to add security awareness training and phishing simulations to your managed security services, contact TitanHQ today to find out more about SafeTitan for MSPs on +1 813 519 4430 (US) or +353 91 545555 (IRL).

5-Award Haul for TitanHQ in Expert Insights Fall 2022 ‘Best-Of’ Awards

TitanHQ has collected 5 awards for its cybersecurity solutions in the Expert Insights Fall 2022 ‘Best-Of’ Awards across 5 product categories.

Expert Insights is an online platform for businesses that provides independent advice on business software solutions to help businesses make informed purchasing decisions about software solutions. The advice provided on the website is honest and objective, and the site features helpful guides to help businesses purchase with confidence. The site is used by more than 85,000 businesses each month, with the website helping more than 1 million readers each year.

Twice yearly, Best-of awards are given to the top ten solutions in each of the 41 product categories. The awards showcase the best quality solutions that are helping businesses to achieve their goals and defend against the barrage of increasingly sophisticated cyberattacks. The awards are based on several factors, such as the features of products, market presence, ease of use, and customer satisfaction scores, with the award winners chosen by the in-house team of editors. The editorial team conducts research into each solution to assess its performance, functionality, and usability, and assesses the reviews from genuine business users of the solutions.

TitanHQ collected five awards for its products in the Spring 2022 Best-of awards, and this has been followed up with another 5 Fall 2022 Best-of awards. TitanHQ was given a Best-of award for SafeTitan in the Phishing Simulation and Security Awareness Training categories, SpamTitan Cloud received an award in the Email Security category, WebTitan Cloud got an award in the Web Security category, and ArcTitan won in the Email Archiving category. Further, ArcTitan Email Archiving was rated the top solution in the Email Archiving category and SpamTitan was rated the top solution in the Email Security category.

There were several big winners at the Fall 2022 Expert Insights Best-of awards, with TitanHQ joining companies such as ESET, CrowdStrike, and Connectwise in winning big.

“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving” said TitanHQ CEO, Ronan Kavanagh.  “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base”.

TitanHQ Adds Several New Features and Enhancements to the WebTitan DNS Filter

WebTitan Cloud is an award-winning DNS filter that prevents access to malicious websites and allows businesses to control the web content users can access with precision. This week, TitanHQ has announced the release of a new version of WebTitan Cloud, that includes new features to improve usability, security, protection for remote workers, and provides greater insights into DNS requests. These new features now form part of an industry-leading feature set that is in a cloud-delivered solution that is easy to set up, use, and maintain.

New UI with Advanced Reporting Features

If you are a current WebTitan Cloud user, the first change you will notice is the new user interface which provides easy access to all WebTitan Cloud features. The enhancements provide intuitive, advanced, relevant, and easy-to-digest data, through new interactive reports and data visualization tools, which are embedded into the UI to improve the user experience.

The advanced security reports show malware-infected clients, malware-infected domains, malware-infected users, blocked phishing sites, blocked phishing domains, and blocked phishing sites by user, and the view can be customized by date and client IP. New reports show behavior, blocked sites, and trends to provide insights into network use and threats. These reports have been added based on the feedback received by WebTitan Cloud users.

Interactive Threat Intelligence with DNS Data Offload

The latest version of WebTitan Cloud provides users with easier access to valuable threat intelligence to aid IT decision-making, network troubleshooting, and security planning. Users can now list DNS request history on screen, download DNS request logs, view all DNS data to gain valuable insights into activity, and easily extract DNS query data for sophisticated integrations and advanced data analysis.

DNSSEC Security Enhancements

WebTitan Cloud now benefits from security enhancements to protect against DNS attacks by strengthening authentication using Domain Name System Security Extensions (DNSSEC). DNSSEC uses digital cryptographic signatures to verify the origin and integrity of data during the DNS resolution process to protect against malicious DNS poisoning attacks. Users of WebTitan Cloud can implement DNSSEC through a simple and straightforward process to improve security.

WebTitan OTG Improvements for Protecting Off Network Users

The WebTitan On-the-Go (OTG) agent allows users to extend the protection of WebTitan Cloud to off-network users, no matter where they connect to the Internet. WebTitan OTG was introduced some time ago; however, the latest release includes several enhancements. The JSON Config filters have been replaced for OTG devices, and the agent used to protect, manage, and monitor off-network users has been significantly improved. It is also much easier to add and update exceptions to OTG devices through an easy-to-use interface.

“This WebTitan release is hitting so many key pillars of success for TitanHQ. The data offload feature has been requested by many customers and creates real differentiation for our solution in the market. This coupled with our new advanced reporting were major requests from our MSP customers,” said Ronan Kavanagh, CEO of TitanHQ. “Finally, security is at the heart of what we do and are, the addition of DNSSEC just continues to add to our credentials.”

New Reverse Proxy Phishing-as-a-Service Helps Low-Skilled Hackers Bypass MFA

When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.

One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.

The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.

These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.

These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools.  There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.

Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.

EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.

Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.

Vote for SpamTitan in the PeerSpot 2022 User Choice Awards!

For more than 10 years, PeerSpot (formerly IT Central Station) has been helping tech pros make intelligent decisions on the best information technology solutions to implement to ensure they get the solutions that perfectly address the needs of their businesses. The PeerSpot Buying Intelligence Platform is powered by the world’s largest community of enterprise tech buyers and bridges the gap between vendors and buyers. Vendors are helped through the voice of their customers, and enterprise tech buyers receive relevant and practical advice to help them make better purchasing decisions. The platform provides in-depth reviews of products, online forums, and tech buyers have access to direct Q&A support.

This year sees PeerSpot launch its first Annual User’s Choice Award program to recognize the products that are helping businesses to achieve their goals. Customers of enterprise technology vendors are invited to vote for their favorite B2B Enterprise Technology products across 11 product categories.

In 2022, those product categories are:

  • Endpoint Protection for Business
  • Firewalls
  • Backup and Recovery Software
  • Network Monitoring Software
  • HCI
  • All-Flash Storage Arrays
  • Email Security
  • Ethernet Switches
  • Application Security Tools
  • Functional Testing Tools
  • Rapid Application Development Software

In order for a solution to be included in the relevant category, it must be amongst the highest-rated products on the PeerSpot Buying Intelligence Platform. That requires a product to have generated significant user engagement on the platform and to have been rated highly by verified users of the solutions.

The winners in each category will be decided by popular vote.

TitanHQ is proud to have had its SpamTitan solution included as one of the top spam filtering, anti-phishing, and anti-malware solutions in the email security category. SpamTitan provides layered protection for enterprises, SMBs, and managed service providers and blocks email-based threats such as phishing, malware, spam, viruses, and botnets. The solution incorporates signature- and behavior-based detection to block malware threats and predictive technologies to anticipate zero-minute threats.  SpamTitan is much loved by users not just for its performance, but also ease of set up, use, maintenance, price, and the industry-leading customer support provided by TitanHQ. SpamTitan has an overall star rating of 4.6/5 on the platform.

If you love using SpamTitan and it has helped your business block more threats, cut down on the resources you have had to devote to email security, or saved you money, TitanHQ encourages you to vote for SpamTitan. Voting will take around a minute of your time. Votes are being accepted until September 16th, 2022, and the winners in each category will be announced by PeerSpot on October 25, 2022.

Vote for SpamTitan Email Security Here

Common Security Awareness Training Mistakes to Avoid

Technology is vital for defending against cyberattacks, but it is important not to neglect employee training. Training the workforce on how to recognize and avoid threats should be a key part of your security strategy, but if you want to get the best return on your investment it is important to avoid these common security awareness training mistakes.

Why Security Awareness Training is Essential

Data from the ransomware remediation firm, Coveware, shows phishing is the main way that ransomware gangs gain initial access to business networks, and IBM reports that phishing is the main way that data breaches occur. In 2021, 40% of all data breaches started with a phishing email. Businesses should implement technologies to block these attacks, such as a spam filter, antivirus software, and a web filter; however, even with these defenses in place, threats will arrive in inboxes, they can be encountered over the Internet, or via instant messaging services, SMS, or over the phone. Unless you totally isolate your business from the outside world, employees will encounter threats.

It is therefore important to provide security awareness training to teach employees how to recognize and avoid threats and to educate them on cybersecurity best practices that they should always follow. Security awareness training is concerned with equipping employees with the skills they need to play their part in the overall security of the organization, to give them practice at detecting threats, and build confidence. Through training, you can create a human firewall to add an extra layer to your cybersecurity defenses.

Security Awareness Training Mistakes to Avoid

It is important to avoid these common security awareness training mistakes, as they can seriously reduce the effectiveness of your training.

Infrequent training

Creating a training course that covers all security best practices and threats to educate the workforce is important, but if you want to change employee behavior and get the best return on your investment, it is important to ensure that your training is effective. If you provide a once-a-year training session, after a few weeks the training may be forgotten. One of the most common mistakes with security awareness training is not providing training often enough. Training should be an ongoing process, provided regularly. You should therefore be providing training regularly in small chunks. A 10-minute training session once a month is much more likely to change behavior than a once-a-year training session.

Not making training fun and engaging

Cybersecurity is a serious subject, but that does not mean that training cannot be enjoyable. If your training course is dull and boring, your employees are likely to switch off, and if they are not paying attention, they will not take the training on board. Use a third-party security awareness training course that includes interactive, gamified, and fun content that will engage employees, and use a variety of training materials, as not everyone learns in the same way.

Using the same training course for all employees

Don’t develop a training course and give the same course to everyone. Use a modular training course that teaches the important aspects of security, but tailor it to user groups, departments, and roles. Training should be relevant. There is no point in training everyone how to recognize specific threats that they will never encounter.

Not conducting phishing simulations

Training and then testing is important to make sure that the training content has been understood, but that is unlikely to change employee behavior sufficiently. The best way to reinforce training and change employee behavior is by conducting phishing simulations. These simulations should be relevant, reflect real-world threats, and should be conducted regularly. Phishing simulations will show you how employees respond to threats when they are completing their work duties and are not in a training setting. If a phishing simulation is failed, it is a training opportunity. Provide targeted training to employees who fail, specific to the mistake they made.

Not providing training in real-time

Intervention training is the most effective. When an employee makes a security mistake, training should be automatically triggered, such as when an employee fails a phishing simulation or takes a security shortcut. If the employee is immediately notified of the error and is told where they went wrong, that will be much more effective at changing behavior than waiting until the next scheduled training session.

Speak with TitanHQ About Security Awareness Training

TitanHQ offers a security awareness training and phishing simulation platform for businesses – SafeTitan – that makes workforce training simple. The platform includes an extensive library of gamified, fun, and engaging content on all aspects of security to allow businesses to create customized training for all members of the workforce and automate phishing simulations.

The platform is easy to set up, use, and customize, and the platform is the only security awareness training solution that provides intervention training in real-time in response to employees’ security errors. For more information contact TitanHQ and take the first step toward creating a human firewall.