titanadmin - Page 14

New Game of Thrones Phishing Scam Uncovered

A new, sophisticated Game of Thrones phishing scam has been uncovered which is targeting individuals who illegally download pirated copies of the HBO series. Game of Thrones is the most pirated TV show in history, with many individuals choosing to illegally download the latest episodes to get their GOT fix. This has not escaped the attention of scammers.

Game of Thrones Phishing Scam Emails Sent via ISPs

The scammers have used an innovative trick to make their scam more realistic. The emails claim to have been sent by IP-Echelon, the company that is used by HBO and other entertainment companies to enforce copyright claims. IP-Echelon has already sent many copyright infringement emails to illegal downloaders of movies and TV shows on behalf of a number of companies.

The latest Game of Thrones phishing scam uses emails that appear to have been generated by IP-Echelon. The emails are extremely well written and contain the same language that is used by the organization when sending out legitimate notices to ISPs.

The ISPs, believing the copyright infringement notices to be genuine, then forward the emails to customers. Since the notice is sent by the ISP, the Game of Thrones phishing scam appears to be genuine.

The customer is told that they must settle the case promptly – within 72 hours – in order to avoid legal action. To settle the case, the customer must visit a link to review the settlement offer and make payment. Failure to do so will see that settlement offer withdrawn. The email says that the settlement amount will increase as a result.

The scam has been run in the United States, although there have been a number of reports of individuals in Canada, Europe, and Australia also having been targeted with the same email scam.

A Convincing Phishing Scam That Has Fooled Many ISPs

It is unclear at this point whether the scammers are specifically targeting individuals who have accessed torrent sites and have downloaded torrent files, or whether the emails are being sent out randomly. Some individuals have taken to Internet forums to claim that they have not performed any illegal downloads, while others have been using torrent sites to illegally download TV shows and movies.

HBO has previously taken action over illegal downloaders and has used IP-Echelon to send out notices very similar to those being used by the scammers. Since the Game of Thrones phishing scam appears to be so realistic, many illegal downloaders may be fooled into making the payment. However, that payment will go directly to the scammers.

As is the case with all email requests such as this, the recipient should take steps to verify the authenticity of the email prior to taking any action. Contacting the company that sent the message – using the contact telephone number on the company’s official website – is the best way to confirm authenticity. Email recipients should never use any contact information that is sent in the email body.

Some ISPs have taken steps to confirm the authenticity of the emails and have discovered they are a scam, but not all have. Many have been forwarded on by ISPs who believed the scam emails to be legitimate.

Blurred Image Phishing Scam Used to Steal Business Login Credentials

A new phishing scam has been discovered that is being used to steal the login credentials and phone numbers of employees. The new scam uses blurred images of invoices to lure victims into revealing sensitive information. In order to view the document or spreadsheet in higher resolution, the victim must supply their email address and password. It is not clear whether this blurred image phishing scam is being used for targeted attacks on businesses or whether the emails are being sent out randomly.

The Blurred Image Phishing Scam

A number of different versions of the same scam have been discovered by the Internet Storm Center, each of which uses a different document.

The initial email appears to have been sent from a legitimate company – a well-known company likely to be very familiar to most business users, HSBC for example. The emails contain corporate logos and are well written. They contain a link that must be clicked to view a purchase order or invoice.

Clicking the link takes the email recipient to a webpage where they are presented with what appears to be a legitimate document. The attackers use a screenshot of an Excel spreadsheet (or Word document) which appears blurred. The screenshot was taken at a low resolution yet is displayed at a high resolution, ensuring the contents cannot be read, although it is clear what type of document it is.

In order to view the file, the victim is required to enter their email and password in a popup box to confirm their identity. The popup asks for the victim’s email account credentials. The attackers use a JavaScript file to validate the email address.

The login credentials are harvested and sent to the attacker along with the victim’s location and IP address. Users are subsequently directed to a fake Google authentication portal where they are asked to supply their phone number. If the victim enters their details and clicks to view the document, a PDF file will open.

This blurred image phishing scam may not be particularly sophisticated – it uses simple JavaScript, HTML and PHP – but it is still likely to be effective. The blurred images and corporate images may be enough to fool many users into believing the emails are legitimate.

Beware of Brexit Phishing Attacks

The EU referendum that recently took place in the United Kingdom has sparked a spate of Brexit phishing attacks. Brexit – a contraction of British exit from the European Union – has caused considerable economic turmoil in the UK and a great deal of uncertainty about the future. It is not only the UK that has been affected. The decision of 52% of British voters to opt to leave the EU has had an impact on markets around the world.

Whenever a big news story breaks, criminals seek to take advantage. Cybercriminals have been quick to take advantage of the UK EU referendum result and have launched a wave of Brexit phishing attacks which trick people into downloading malware onto their computers.

The Brexit phishing attacks are being conducted using spam email messages. Attackers are sending out emails in the millions with subject lines relating to the Brexit result. The emails play on fears about the uncertainty of the financial markets, the economic turmoil that has been caused, and the political upheaval that has followed.

The emails contain malicious attachments which, if opened, install malware onto the victims’ computers. Many email messages contain links to malicious websites where drive-by malware downloads take place. Some of the emails offer victims help to keep their bank accounts and savings protected from currency fluctuations. In order to protect accounts, the victims are required to divulge highly sensitive information such as bank account details via scam websites.

The malware being sent is capable of logging keystrokes made on computers. These malicious software programs then relay sensitive information such as online banking login information to the attackers, allowing them to make fraudulent transfers.

All computer users should be extremely wary about unexpected email messages. Opening file attachments sent from unknown senders is risky and may result in malware being loaded onto computers. Ransomware can also be installed. The malicious software locks files until a ransom payment is made to the attackers.

Any email that contains a link to a news story should be deleted. The story will be covered by the usual news websites if it is genuine. Those sites should be accessed directly through the browser or via the search engines.

Organizations can protect their networks and users from Brexit phishing attacks and other malicious spam email campaigns by installing a spam filtering solution such as SpamTitan. SpamTitan captures more than 99% of spam email, preventing phishing emails from being delivered. This reduces reliance on employees being able to identify a phishing scam or malicious email.

Spate of Facebook Phishing Attacks Reported

Facebook phishing attacks are fairly common. The website has 1.65 billion active monthly users, a considerable number of whom access the social media platform on a daily basis. With such a huge number of users, it is understandable that criminals often target users of the platform.

However, the latest phishing scam to target Facebook users is notable for the speed and scale of the attacks. Kaspersky Lab reports that the latest Facebook phishing attacks have been claiming a new victim every 20 seconds.

The Facebook phishing attacks took place over a period of two days, during which time more than 10,000 Facebook users had their computers infected with malware.

The phishing scam involves site users being sent a message from their ‘friends’. The messages say the user has been mentioned in a comment on a Facebook post. However, when they respond to the message they download a Trojan onto their computers and inadvertently install a malicious Chrome browser extension. In the second phase of the attack, the Trojan and the browser extension are enabled.

When the victim next logs into Facebook the login details are captured and sent to the attacker. This gives the attackers full control of the victims’ Facebook accounts. This allows them to make changes to the privacy settings, steal data, and send their own messages to all of the victims’ contacts on Facebook. The attacks were also used to register fraudulent likes and shares.

The attackers took steps to prevent the infections from being detected. The malware was capable of blocking access to certain websites which could potentially result in the victims discovering the malware infection. The websites of a number of cybersecurity companies were blocked, for instance.

The phishing attack mostly affected Facebook users on Windows computers, although Kaspersky Lab noted that Windows mobile phones were also compromised in the attacks. Individuals who accessed Facebook via Android and Apple phones were immune.

The attacks concentrated on users in South America, with Brazil the worst hit, registering 37% of the Facebook phishing attacks. Colombia, Ecuador, Mexico, Peru, and Venezuela were also heavily targeted. Attacks in Europe were mostly conducted on users in Poland, Greece, and Portugal, with Germany and Israel also hit hard.

The malware used in the latest Facebook phishing attacks is not new. It was first identified about a year ago. Kaspersky Lab reports that the attackers are most likely of Turkish origin, or at least Turkish-speaking.

What sets this phishing scam apart from the many others is the speed at which users were infected. However, the response to the attacks was also rapid. Users who discovered infections spread the news on Facebook, while the media response helped to raise awareness of the scam. Google has also taken action and has now blocked the malicious Chrome extension.

CEO Fraud Scams are a Growing Concern and IT Pros are Worried

Cybercriminals are conducting CEO fraud scams with increasing frequency and many organizations have already fallen victim to these attacks. Many companies have lost tens of thousands of dollars as a result of these criminal attacks. In some cases, companies have lost hundreds of thousands or millions of dollars.

What are CEO Fraud Scams?

CEO fraud scams involve an attacker impersonating the CEO of an organization and sending an email to the CFO requesting a bank transfer to be made. The account details of the attacker are supplied, together with a legitimate-sounding reason for making the transfer. Oftentimes, these scams involve more than one email: the first requests the transfer, and a second follows with details of the amount and the bank details for the transaction. By the time the fraudulent transfer is discovered, the funds have been withdrawn from the account and cannot be recovered.

The FBI has issued warnings in the past about these CEO fraud scams. A spate of attacks occurred in Arizona recently. The average transfer request was between $19,000 and $75,000. An April 2016 FBI warning indicated $2.3 billion in losses had been reported between October 2013 and February 2016, with CEO fraud scams increasing by 270% since January 2015.

By training all employees on the common identifiers of phishing emails and also to be more security aware, organizations can reduce the risk of attacks being successful. However, while training is often provided to employees, it is not always given to executives and the CEO. According to a recent survey conducted by Alien Vault, only 44% of IT security professionals said every person – including the CEO – received training on how to identify a phishing email.

Protecting Against CEO Fraud Scams

It is possible to take steps to prevent CEO fraud scams. Email security solutions – SpamTitan for example – can be configured to prevent emails from spoofed domains from being delivered; however, if the email comes from the account of a CEO, there is little that can be done to prevent that email from being delivered. It is therefore essential that training is provided to all members of staff – including executives – on phishing email identification techniques.

Alien Vault polled 300 IT security professionals at Info Security Europe 2016 to determine how prepared organisations were for phishing attacks and what steps had been taken to reduce risk. The results of the survey show that the majority of organisations now provide training to reduce risk, although almost one in five are not taking proactive steps to reduce the risk of phishing and CEO fraud scams.

Almost 45% of companies said they train every single person in the organization on phishing email identification techniques, while 35.4% said that most employees are trained how to identify malicious emails. 19.7% said they do not take proactive steps and deal with phishing problems as and when they occur.

37% of Executives Have Fallen for a Phishing Scam

Out of the 300 respondents, 37% reported that at least one executive had fallen for a phishing scam in the past, while 23.9% of respondents were unaware if they had. However, even though many had experienced phishing attacks, IT security professionals were not confident that such attacks would not happen again in the future.

More than half of respondents believed that company executives could fall for a scam, while nearly 30% said that if the scam was convincing, their executives may be fooled. Only 18.5% said that their executives had been thoroughly briefed and were well aware of the dangers and would not fall for such a scam.

CEO fraud scams can be extremely lucrative for attackers, and oftentimes a considerable amount of time is spent researching companies and crafting clever emails. A variety of social engineering techniques are used and the emails can be very convincing.

Training is important, but it is also vital that efforts are made to ensure the training has been effective. The best way to ensure that all individuals have understood the training is to conduct phishing exercises – sending dummy phishing emails in an attempt to get a response. This allows IT departments to direct further training programs and ensure that weak links are addressed.

Office 365 Zero Day Exploited to Deliver Cerber Ransomware

A new Microsoft Office 365 zero day vulnerability is being exploited by hackers to deliver Cerber ransomware. The latest attack is being conducted on a large scale and it has been estimated that millions of business users have already been impacted by the latest Cerber ransomware campaign.

It can be difficult to keep up to date with all of the ransomware variants currently being used by cybercriminals. The malicious file-encrypting software is constantly being tweaked and reinvented by cybercriminals, Cerber ransomware especially so: the criminals behind Cerber frequently change its attack mode.

Cerber was first seen in February this year and has already been delivered using a variety of methods, most recently via the Dridex botnet. Spam emails containing malicious Word macros have been favored in the past. If allowed to run, the macros would download Cerber onto victims’ devices. Cerber would then proceed to encrypt documents, images, and a host of other file types.

Victims would be presented with a warning message on screen alerting them to the infection, and an audio file would be played to chilling effect. Cerber was unique in this respect, essentially speaking to its victims. Cerber has also been delivered using malvertising – advertisements placed in third party ad networks that direct web visitors to malicious webpages hosting exploit kits. Those exploit kits probe for browser and plugin vulnerabilities which are exploited to deliver the ransomware. That campaign mainly infected users that had failed to keep their Flash plugins up to date.

It is the rapid changes being made by the attackers that have made it so difficult to detect Cerber and prevent infections. Earlier this month, Invincea discovered that Cerber was able to manufacture new payload variants “on the fly”, allowing the attackers to bypass traditional signature-based anti-virus products. Unique hashes and payloads were being generated every 15 seconds! In tests, 40 unique hashes were discovered.

Cerber Ransomware is Now Infecting Users via Microsoft Office 365 Zero Day Vulnerability

The latest attack has bypassed many users’ anti-virus products according to security firm Avanan. It is unclear at this stage exactly how many organizations have been affected, although Avanan reports that 57% of its clients that use Office 365 have been hit.

Users who have not implemented additional email security controls have been infected via their cloud email accounts. The latest attack is bypassing the controls put in place by Microsoft and the spam emails are being delivered to end user accounts. Unfortunately, should Cerber ransomware be installed, the victims will have to recover the encrypted files from backups or pay the ransom.

The criminals behind the latest campaign may currently be exploiting the Microsoft Office 365 zero day vulnerability, but we can be sure that Cerber will continue to evolve.

To protect against Cerber ransomware attacks, business users must ensure that all patches and software updates are applied promptly.

Since ransomware is capable of infecting or deleting backup files, it is essential that backup devices are air gapped. When backups have been performed, the drives need to be disconnected.

Implementing an anti-spam solution – and not relying solely on Microsoft or Gmail anti-spam filters – can also help to keep businesses protected by reducing the risk of ransomware and other phishing emails being delivered to end users.

Necurs Botnet Reactivated: Locky Ransomware Emails Surge

After a period of quiet, the Necurs botnet is back in action. A number of security companies have reported a massive surge in botnet activity which started on June 21, 2016.

The Necurs botnet has previously been used to send out huge volumes of Dridex malware and Locky, a sophisticated ransomware variant that was first discovered in February 2016. It is too early to tell whether this is just a temporary spike in activity or whether the botnet will be sending emails at the levels seen before the recent lull.

Necurs botnet activity dropped off on May 31. The volume of malicious emails being sent using the botnet fell to as few as 3 million emails per day. However, the number of emails being sent surged on June 21, shooting up to around 80 million emails. 24 hours later the volume of malicious emails had doubled to 160 million. The surge in activity is linked to a massive spam email campaign that is delivering emails containing malicious attachments which install Locky ransomware.

It is unclear why there was a period of quiet. Security experts have been pondering this since the dramatic fall in activity on May 31.

The Necurs botnet is massive and is believed to contain approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been taken down, although activity across all seven of the botnets stopped. In April and May of this year, spam email volume was regularly exceeding 150 million emails a day. Now the Necurs botnet appears to be back up to speed.

Around the same time as the pause in activity, Russia’s FSB security service conducted raids resulting in the arrests of approximately 50 hackers. The gang was using the Lurk Trojan to defraud banks and other targets in Russia. It is unclear whether some of those arrests resulted in a disruption to the botnet, or whether the pause was for some other reason. Numerous theories have been suggested for the three-week pause, including the sale of the botnet and issues the operators may have had with the C&C infrastructure. If the botnet has changed hands, a single organization would likely be in control, as activity across all seven botnets resumed at the same time.

The resurrection of the Necurs botnet is bad news. According to Proofpoint, the resurrection of the botnet has been accompanied by a new Locky variant which has new capabilities. The latest form of Locky is better at evading detection and determining whether it is running in a sandbox. The new capabilities were detected by Proofpoint shortly before the Necurs botnet went dark.

Eir Phishing Scam Prompts Customer Warning

A new Eir phishing scam has been uncovered which has prompted the Irish communications company to issue a warning to customers. Hundreds of customers received emails offering them a refund yesterday. To claim the refund, the email recipients have been instructed to log in to their My Eir account. A fake link is supplied in the email which must be clicked to claim the refund.

Eir Phishing Scam Captures Credit Card Details of Customers

That link directs the email recipient to a fake webpage. The malicious website has been designed to look identical to the Eir website. Users are required to confirm their credit card details in order to obtain the refund. Those credentials are logged by the website and are sent to the criminals running the Eir phishing scam.

Eir has warned customers to be on the lookout for the fraudulent email messages and to delete them if they are received. Any individual who has fallen for the Eir phishing scam and has provided credit card details via the malicious website faces a high risk of credit/debit card fraud.

Phishing email campaigns such as this are commonplace. Attackers use a variety of social engineering techniques to get users to reveal sensitive information such as credit and debit card numbers, which are used by the attackers to make online purchases and rack up huge debts in the victims’ names.

The malicious emails can be extremely convincing. Criminals use legitimate imagery in the phishing emails to fool email recipients into believing the emails are genuine. The malicious spam messages usually contain a link that directs victims to malicious websites where personal information must be disclosed in order to receive a refund, free gift, or to view important documents. The websites can look identical to the legitimate sites.

Spam Email Poses a Considerable Risk to Businesses

Email scams often direct victims to malicious websites containing exploit kits which probe for weaknesses in browsers and plugins and leverage those vulnerabilities to download malware.

The malware poses a considerable risk for businesses. Malware is used to gain a foothold in a computer network, which can be used to launch cyberattacks to steal valuable data or to gain access to corporate email and bank accounts.

To protect against such attacks, employees should be instructed never to use links sent in emails and to login to websites directly via their browsers. Employees should be provided with training to help them identify phishing emails and email and web spam.

Businesses should also use an anti-spam service such as SpamTitan to capture spam and phishing emails. Preventing the messages from being delivered to end users is the best form of defense against such attacks, and reduces reliance on employees to identify phishing scams.

FBI Releases New Business Email Compromise Scam Data

The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicate U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams are now almost $3.1 billion.

What is a Business Email Compromise Scam?

A business email compromise scam is a sophisticated attack on a company by scammers that attempt to trick individuals into wiring funds from corporate accounts to the bank accounts of the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. The attackers must first gain access to the email account of the CEO or another high level executive. Then an email is sent from that account to an individual in the accounts department requesting a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.

A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.
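The lookalike-domain technique just described, and the spoofed-domain filtering mentioned in the CEO fraud section above, both come down to one question a mail gateway can ask: does the sending domain really belong to the organization? The check below is an added example and is not SpamTitan, TitanHQ or FBI code. It assumes the organization maintains a list of its own domains (`TRUSTED_DOMAINS`, constructed here with the fictional `example-corp.com`) and that an inbound message is available as an RFC 5322 string; the sample message, the confusable-character table and all function names are constructed for the example.

```python
"""Lookalike sender-domain check for inbound mail, aimed at the BEC/CEO fraud
technique of registering a near-identical domain. Added example, not vendor
code. Assumes the organisation keeps its own domain list (constructed below)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's legitimate sending domains.
TRUSTED_DOMAINS = {"example-corp.com"}

# Character substitutions commonly used to build near-identical domains.
# Both the candidate and the trusted domain are normalised with the same table.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain):
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    labels = domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):      # e.g. mail.example-corp.com
            return "trusted"
        if trusted.split(".")[0] in labels:      # example-corp.co, example-corp.com.evil.net
            return "lookalike"
        if edit_distance(normalize(domain), normalize(trusted)) <= 1:
            return "lookalike"                   # exarnple-corp.com, examplecorp.com
    return "external"


def check_message(raw):
    """Classify the From: domain and flag a Reply-To that points elsewhere."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else ""
    return {
        "sender": sender,
        "verdict": classify_domain(sender_domain),
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
    }


# Constructed sample: a transfer request from a domain with "rn" in place of "m".
SAMPLE_MESSAGE = (
    "From: CEO Office <ceo@exarnple-corp.com>\n"
    "Reply-To: ceo.office@webmail.example\n"
    "To: cfo@example-corp.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached payment today.\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```

A `lookalike` verdict is a reason to hold the message for review rather than a proof of fraud, and the confusable table here is deliberately small; a production gateway would also handle Unicode confusables in internationalized domain names and would skip the first-label test for organizations whose domain begins with a generic word. The Reply-To mismatch is worth surfacing separately: a message whose display name and From: look internal but whose replies go to a free webmail account matches the pattern the FBI describes.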

Business Email Compromise Scams are a Growing Problem

The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.

New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.

Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.

The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:

  1. Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
  2. Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
  3. Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
  4. A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
  5. Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters

To protect against BEC attacks, businesses are advised to use 2-factor authentication on all business bank transfers, in particular those that require payments to be sent overseas. Organizations should treat all bank transfer requests with suspicion if a request is sent via email and pressure is placed on an individual to act quickly and make the transfer.

The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.

Spam King Gets 30 Months Jail for 27 Million Message Spam Campaign

The self-proclaimed Spam King, Sanford Wallace, has been sentenced to 30 months in jail for a Facebook spam campaign conducted between November 2008 and February 2009.

Wallace hacked approximately 550,000 Facebook accounts and used those accounts to post spam messages to users’ walls which directed their Facebook followers to webpages which harvested login credentials and other personal information.

For each account that was compromised, Wallace gathered details of the users’ friends and posted spam messages to their walls. Wallace used an automated script to sign into the hacked accounts and post spam messages. In total, more than 27 million spam messages were sent via those accounts. Wallace was allegedly paid for sending traffic to websites via the spam messages. Wallace’s activities earned him the nickname “Spamford” Wallace.

It has been widely reported that Wallace was a career spammer, having first made a business out of spamming in the 1990s with a company called Cyber Promotions. The company was reportedly sending around 30 million spam emails a day.

Wallace had been found guilty of Internet offenses in civil cases in the past, resulting in a fine of $4 million in 2006 for use of malicious popup adverts and a fine of $230 million for phishing attacks via MySpace in 2008. This is the first time the spam king has received a criminal conviction for his online activities.

Wallace was indicted in 2011 for the improper accessing of Facebook accounts and for sending unsolicited adverts on three occasions, spread over a period of 4 days. He was banned from accessing Facebook, yet violated the court order resulting in a charge of criminal contempt of court. Wallace was released on a bond, and while he was due to be sentenced in December, the case had to be delayed after two of Wallace’s lawyers quit.

The Spam King’s campaigns have resulted in him being ordered to pay more than $1 billion in damages, although Wallace was unable to pay the civil fines.

Wallace was convicted of one count of fraud and related activity in connection with electronic mail and one count of criminal contempt. The Office of the United States Attorney for the Northern District of California recently announced the sentence, which was passed down by Judge Edward J. Davila.

In addition to the jail term, the spam king has been ordered to pay fines of over $310,000. Wallace could have received a maximum jail term of three years. Wallace will also be required to undergo 5 years of supervised release once the sentence has been served. That sentence begins on September 7, 2016.

JavaScript Spam Emails Used to Deliver Locky

Researchers at a number of Internet security firms have discovered a surge in JavaScript spam emails in recent months. The emails are being used to download Locky ransomware onto users’ devices and the problem is getting more severe.

The volume of JavaScript spam emails is increasing, as is the frequency of spam email campaigns. The attacks first started in early February, spiking in March/early April. There was something of a lull around the middle of April, yet by the end of the month the campaigns started again at an increased level. Volumes of JavaScript spam emails continued to rise throughout May.

JavaScript Spam Emails Being Favored by Spammers

The latest wave of JavaScript spam emails is being sent from IP addresses in India and Vietnam, and while the United States and Canada have not escaped, the emails are predominantly being used to target users in Europe. The emails contain a ZIP file containing malicious JavaScript files. If the user unzips the archive and opens one of the files, the JavaScript is executed and silently runs via Windows Script Host (WSH), downloading an intermediate malware known as JS/Danger.ScriptAttachment. This malware will then download Locky ransomware, although the attackers could easily update the campaign to deliver different malicious payloads. One security firm has reported that the wave of JavaScript spam emails is the biggest spam email campaign seen in recent years.

There are no known fixes for Locky ransomware infections. If Locky is installed on a computer, the user's only option is to restore encrypted files from a backup or face losing them permanently. This campaign masks the JavaScript with an XOR encryption algorithm to reduce the likelihood of detection.
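The ZIP-wrapped script pattern described above can be caught at the mail gateway without ever running the script. The following is an added example (not SpamTitan's or any vendor's code): it builds a constructed sample message in memory, walks its MIME parts, lists the members of any ZIP attachment, and quarantines the message if any member carries an extension Windows Script Host would execute. Because the check keys on file names rather than content, XOR masking of the script body does not affect it.

```python
"""Triage inbound mail attachments for ZIP archives that carry WSH-executable scripts.

Added example, not code from the original page or from any spam filtering product.
Nothing is extracted to disk or executed; only archive member names are inspected.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host (wscript.exe / cscript.exe) runs on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_MEMBERS = 50  # do not trust archives padded with hundreds of decoy files


def script_members(zip_bytes):
    """Return archive member names ending in a WSH-executable extension.

    Returns a single sentinel entry if the archive cannot be read or is oversized,
    so that a malformed or padded archive is still treated as suspicious.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    if len(names) > MAX_MEMBERS:
        return ["<oversized archive>"]
    flagged = []
    for name in names:
        lower = name.lower()
        # Double extensions such as invoice.pdf.js still end in a script extension.
        if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            flagged.append(name)
    return flagged


def triage_message(raw):
    """Parse a raw RFC 5322 message; return a list of (filename, verdict, detail)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        lower = filename.lower()
        payload = part.get_payload(decode=True) or b""
        is_archive = any(lower.endswith(ext) for ext in ARCHIVE_EXTENSIONS)
        if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            findings.append((filename, "quarantine", "bare script attachment"))
        elif is_archive or payload.startswith(b"PK\x03\x04"):
            # Check the magic bytes too, so renaming the archive does not bypass the check.
            hits = script_members(payload)
            if hits:
                detail = "script inside archive: " + ", ".join(hits)
                findings.append((filename, "quarantine", detail))
            else:
                findings.append((filename, "allow", "archive without script members"))
        else:
            findings.append((filename, "allow", "not an archive or script"))
    return findings


def build_sample_message():
    """Constructed sample: an 'invoice' ZIP carrying a placeholder .js file, plus a text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4471.pdf.js", "// placeholder text, not a real downloader\n")
        zf.writestr("readme.txt", "open the invoice\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"  # constructed sender address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, detail in triage_message(build_sample_message()):
        print(f"{verdict:10s} {name}: {detail}")
```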

Spike in Spam Emails Containing Malicious Office Macros

Comodo Threat Research Labs also detected a surge in spam emails on May 17, with the campaign lasting 12 hours. During this spam email blitz, more than 30 million messages were sent. While the aim of the attackers was to download Locky ransomware onto users’ devices, the gang behind this campaign used fake Amazon shipping notices rather than JavaScript spam emails.

The documents containing the shipping notices contained a malicious macro. In order to open the attached file, users were required to enable macros on their devices. Doing so would trigger a ransomware download. Email recipients who have their Office settings configured to automatically allow macros to run are particularly at risk, as simply opening the email attachment would result in Locky being downloaded onto their devices.

Proofpoint also recorded this spike in malicious spam emails, although the company put the total number of emails in the campaign at over 100 million, making this one of the largest spam email campaigns seen in recent years, and certainly one of the biggest campaigns of 2016.

The Amazon spam email campaign is being distributed using spam botnets on virtual machines and consumer devices. This campaign was notable because the attackers were able to manipulate the email headers. This made the messages appear legitimate to email recipients. Any email recipients who regularly use Amazon.com for purchases could easily be fooled into opening the file attachment.

The emails used the subject line “Your Amazon.com order has dispatched” along with a code number, closely mimicking the emails sent by Amazon. The body of the email did not contain any text. If users wanted to find out which order the email referred to, they would need to open the file attachment. The emails also appeared to have been sent from the Amazon.com domain, making it much harder for email recipients to determine that the messages were malicious spam.

Surge in Spam Email Highlights the Importance of Using Spam Filtering Solutions

Spam email may have been in decline in recent years, but the latest waves of attacks clearly demonstrate that criminal gangs have far from given up on the medium for delivering ransomware. Spam emails containing links to malicious websites have remained at a fairly constant level over the past few months, yet JavaScript spam emails and malicious macros have surged. These spam email spikes show just how important it is to use a robust spam filtering solution such as SpamTitan.

SpamTitan captures 99.97% of spam email and prevents malicious spam emails from being delivered to inboxes. Since malicious actors are getting much better at masking their messages and making them appear legitimate, it is essential to limit the volume of spam that is delivered to end users rather than rely on individuals to be able to identify emails as spam.

Worrying Phishing Activity Trends Highlighted by Anti-Phishing Report

A recent report issued by the Anti-Phishing Working Group highlights worrying phishing activity trends. According to the Phishing Activity Trends Report, the number of new phishing websites is growing at an alarming rate.

A recent report published by PhishMe showed that email phishing activity has now reached unprecedented levels. Phishing email volume increased by 789% quarter over quarter. The APWG report shows that cybercriminals are also increasingly conducting web-borne attacks. Phishing websites increased by 250% from the last quarter of 2015 through the first quarter of 2016.

APWG expected to see an increase in the number of phishing websites created in the run up to the holiday season. Every year, criminals take advantage of the increased number of online purchases being made around Christmas. Many new phishing websites are created in November and December and online fraud always increases in December.

However, typically there is a drop in spamming and online fraud in January. This year that fall did not occur. In fact, the number of new phishing websites continued to rise in January. There was a slight fall in February, before a major increase in March. According to the Phishing Activity Trends Report, in December 2015, 65,885 unique phishing websites were detected. In January 2016, the total had risen to 86,557. By March the total had reached a staggering 123,555 unique phishing websites.

Cybercriminals are most commonly targeting the retail sector and are spoofing websites in an attempt to defraud consumers. 42.71% of phishing websites target the retail sector, with the financial sector in second place with 18.67% of sites. Payment services accounted for 14.74% of sites, ISPs 12.01%, and multimedia sites 3.3%.

The Phishing Activity Trends Report indicates an increase in the targeting of cloud-based or SaaS companies, which it is claimed is driving the attacks on the retail sector.

More than 55% of phishing websites contain the name of the target brand somewhere in the URL. Attackers are concentrating the attacks on the most popular brands. By March 2016, APWG reported that 418 different brands were being targeted using phishing websites.

Phishing email campaigns are known to be sent extensively from outside the United States, although when it comes to phishing websites they are usually hosted in the United States. 75.62% of phishing websites are hosted in the US.

The United States also hosts the most phishing-based Trojans and downloaders – 62.36%. China is also being extensively targeted. China hosted 5% of phishing-based Trojans and downloaders in January. By March, the figure had risen to 13.71%.

More than 20 million new malware samples were detected at the start of 2016 – that’s an average of 227,000 new malware samples every day. The majority of new malware samples are Trojans, which account for 66.81% of new samples. Viruses were second (15.98%) and worms third (11.01%).

The massive rise in phishing websites highlights how important it is for caution to be exercised when purchasing online. Businesses should also take additional precautions. Web filters can be used to block phishing websites from being visited by employees. A web filtering solution – WebTitan for example – can also be used to prevent drive-by downloads of malware and ransomware.

Phishing Email Statistics Show Q1 Rise of 789%

The latest phishing email statistics released by the anti-phishing training company PhishMe show the extent to which the use of phishing has increased in recent months.

PhishMe compiles quarterly phishing email statistics and tracks the volume of phishing emails being sent. During the first three months of 2016, the volume of phishing emails increased by a staggering 789%. More than 6.3 million more phishing emails were sent in Q1, 2016 than in Q4, 2015.

According to the quarterly report, the biggest problem currently faced by personal and corporate computer users is ransomware. Ransomware emails now account for more than 93% of all phishing emails. Ransomware offers a quick payout for cybercriminals and the campaigns can be quickly developed and run. In fact, ransomware emails are being sent by criminals with little or no programming skill. They can simply purchase ransomware kits on darknet marketplaces and obtain a cut of the ransom payments that are made.

Targeted ransomware attacks are now being conducted on businesses of all sizes. Criminals are well aware that many organizations do not regularly perform backups of critical data. Even when backups are performed, many organizations do not unplug their backup devices. The latest ransomware variants are capable of deleting Windows shadow copies and encrypting backup files on connected storage devices. This gives organizations no alternative but to pay the ransom demand to recover files. The biggest threat is now Locky. Locky is delivered via spam email using JSDropper or malicious Word macros.

PhishMe’s phishing email statistics also show two other main trends. Cybercriminals are tending to concentrate on soft-targeted campaigns. Spear phishing emails target just one or two individuals, but the latest trend sees malicious email messages sent to a group of individuals in an organization – the billing department for instance. The emails are targeting specific roles in an organization rather than specific individuals.

The phishing email statistics also show a rise in the use of JSDropper applications. JSDropper applications are now present in around a third of all phishing emails. Malicious Word macros are still extensively used to infect computers with malware and ransomware, but JavaScript applications are now the most common type of malicious files sent in phishing emails according to the report.

The increase in malicious spam email shows how important it is for organizations to employ a robust spam filtering solution – SpamTitan for example – and to also ensure that employees are informed of the high risk of phishing attacks occurring. Employees should also be instructed how to identify phishing emails and told how they should respond if they believe they have been sent a malicious email message.

Surge in Ransomware Emails In March 2016

A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.

Spike in Ransomware Emails as Criminals Seek Easy Cash

Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.

Spam email volume has been in general decline, in no small part due to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.

Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.

What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.

The ransoms being demanded are also relatively low. This means that many individuals can afford to pay the ransom to obtain the decryption keys to unlock their files, and businesses are also likely to pay. The cost of recovering data and restoring systems, together with the lost revenue from the time that computer systems are down, is often less than the ransom being demanded.

Ransomware Is Becoming Much More Sophisticated

The latest forms of ransomware now being used – Locky, CryptXXX, TeslaCrypt, and Samas (Samsam) – are capable of spreading laterally. Not only can the ransomware infect files on a single computer, other networked computers can also be infected, as can network drives, servers, portable storage devices, and backup drives. Some forms are also capable of deleting Windows shadow copies and preventing the restoration of files from backups.

All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.

Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.

The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.

As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.

Beware of the New Facebook Phishing Scam

With 1.65 billion active Facebook accounts, the social media network is a big target for scammers, so it is no surprise that there is a new Facebook phishing scam currently doing the rounds. If the spammers behind the latest attacks can get even a tiny percentage of users to fall for the scam they could be in for a very big payday.

Latest Facebook Phishing Scam Warns of Violation of Terms of Service

The latest Facebook phishing scam threatens account holders by telling them that their accounts will be closed due to a violation of Facebook’s terms of service. The email claims that the account owner has been reported for irregularities of content and that action must be taken to correct the issue or the account will be permanently closed.

The message contains an ow.ly shortlink that users must click to verify that they are the actual owner of the account. The link contains the words “Verify” and “Facebook,” which may fool some message recipients into thinking the message is genuine.

The link included in the email is fake of course. It directs the victim to a phishing website where they are asked to supply their login credentials. If account holders are fooled into clicking the link they are likely to proceed and enter their account login and password, which will not grant access to Facebook to remove the offending violations. It will simply give those credentials to the attackers. Victims are also asked to supply their date of birth and a security question.

Since many people often use the same passwords for multiple social media accounts, email accounts, and online banking, the potential losses could be considerable. Worse still, many individuals use the same passwords for their private accounts as they do for their work accounts. The fallout from this single scam could therefore be considerable.

With the login and password, the attackers could abuse the account and use it to send phishing messages to all of the account holder’s friends. However, the latest scam does not stop there. After supplying these details, the second phase of the scam starts. The victim is directed to a new page where they are asked for their credit card details to confirm their identity. If supplied, the details would be used to make purchases in the victim’s name.

This latest Facebook phishing scam is fairly easy to spot as it contains many tell-tale signs that the notification is not real. The message starts with “Dear Customer” for a start. It would be reasonable to assume that Facebook would know the account holder’s name and would address the email to them personally. Not that Facebook sends out email notifications such as this, although many users would be unaware of that. The message also uses poor grammar, and an ow.ly link rather than a facebook.com hyperlink.

Suspected Page Forgery Facebook Scam Email Targets Business Users

Another version of this scam uses the same format as Facebook notifications sent to account holders via email. This email is harder to identify as a Facebook phishing scam. The link supplied appears to be a genuine Facebook link and the address supplied in the email also appears to be genuine. Correct English is used and the email has been very carefully crafted.

Clicking the link will take the user to a webpage that uses the Facebook logo and color scheme. The page explains there has been a violation of Facebook’s Terms of Service and that an unacceptable offer has been made using Facebook’s offer creation tool. Users are asked to secure their account if this is a mistake. To secure the account users must enter their username and password, and set a new security question. As with the other version, the account details will be used to hijack the account.

All Facebook users – businesses and individuals – should be particularly wary of Facebook emails and alert to scams. If any Facebook messages are received, the account should be checked by logging in via the browser or using the Facebook App, never using the link supplied in the email. If there is a problem with the account, users will be informed of this when they log in.

Major Increase in Malicious Spam Email Volume in 2016

According to a recent report on spam email from anti-virus software developer Kaspersky Lab, the decline in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major increase in malicious spam email volume.

Major Increase in Malicious Spam Email Volume Reported by Kaspersky Lab

Over the past few years there has been a decline in the number of spam emails, as cybercriminals have sought other ways to deliver malware and defraud computer users. In 2015, the volume of spam emails being sent fell to a 12-year low. Spam email volume fell below 50% for the first time since 2003.

In June 2015, the volume of spam emails dropped to 49.7% and in July 2015 the figures fell further still to 46.4%, according to anti-virus software developer Symantec. The decline was attributed to the taking down of major botnets responsible for sending spam emails in the billions.

Malicious spam email volume remained fairly constant during 2015. Between 3 million and 6 million malicious spam emails were detected by Kaspersky Lab each month throughout 2015; however, toward the end of the year, malicious spam email volume increased. That trend has continued in 2016.

Kaspersky Lab figures show that spam email messages containing malicious attachments – malware, ransomware, malicious macros, and JavaScript – started to increase in December 2015. That rise has continued, and in March 2016 malicious spam email volume had risen to four times the level seen in 2015. In March, 2016, Kaspersky Lab detected 22,890,956 malicious spam emails. Spam email volume as a whole increased over the quarter, rising to an average of 56.92% for the first three months of 2016.

[Figure: malicious spam email volume in Q1, 2016. Image source: Kaspersky Lab]

Wide Range of Malicious Files Being Sent in Spam Email

While it was common for virus-loaded executable files to be sent as email attachments, these are now commonly caught by email filters and marked as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails intercepted by Kaspersky Lab now contain a wide variety of malicious files.

One of the most common methods now used by spammers is to send office documents infected with malicious macros. Microsoft Word files with the extension DOC and DOCX are commonly used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.

These file formats are commonly opened as many end users are less suspicious of office documents than they are of ZIP, RAR, and EXE files. Most office workers would know not to open an EXE file that was emailed to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to arouse suspicion.

Instead of the emails containing the actual malware, virus, or ransomware payload, they contain Trojan downloaders that download JS scripts. Those scripts then perform the final stage of infection and download the actual malware or ransomware. This method of attack is used to bypass anti-virus protections.

Web Filters and Email Spam Filters Should be Used to Reduce the Risk of a Malware Infection

There has been an increase in drive-by downloads in recent years as attackers have lured victims to websites containing exploit kits that probe for vulnerabilities in browsers and browser plugins. Visitors are redirected to these malicious websites when visiting compromised webpages, via malvertising, and via malicious social media posts. While drive-by downloads are still a major threat, the use of web filters and anti-virus browser add-ons is blocking many of these malware downloads and malicious websites.

Email is still a highly effective way of getting past security defenses and getting end users to install malware on their devices. Carefully crafted emails that include unique text increase the likelihood of the scammers getting users to open malicious attachments. Oftentimes, the messages include personal information about the recipient such as their name or address. This has helped the spammers to get the victims to take the desired action and run malicious macros and install malware.

It may be too early to tell whether spam email volume has only temporarily spiked or if there is a reversal in the decline of spam, but organizations and individuals should remain vigilant. The increase in malicious spam email volume should not be ignored.

Staff members should receive regular training on how to identify malicious email messages and phishing scams. It is also a wise precaution to use a robust spam filter such as SpamTitan. SpamTitan blocks 99.97% of malicious spam email messages, dramatically reducing the probability of malware, ransomware, adware, and spyware being installed.

Beware of the Latest Speeding Ticket Email Scam

Scammers are constantly coming up with crafty ways to fool computer users into revealing login credentials and installing malware, with the latest speeding ticket email scam being used for the latter. Emails are being sent to individuals claiming they have been caught driving too fast and are sent a link to click to pay their speeding ticket.

If the targeted individual clicks on the link contained in the spam email they will be directed to a malicious website that will download malware onto their computer.

This particular scam has been used to target drivers in Philadelphia. While the majority of spam emails are sent out randomly in the millions in the hope of fooling some individuals into clicking on malicious links, this particular campaign is anything but random. Individuals are being targeted who are known to have exceeded the speed limit.

Not only have the attackers obtained the email addresses of their targets, they have also sent details of where the individual exceeded the speed limit. So how is this possible?

This particular speeding ticket email scam is understood to have been made possible by the attackers hacking a smartphone app that has access to the GPS on the phone. The attackers use location data and the phone’s GPS to determine which individuals have exceeded the speed limit. Those individuals are then sent a speeding ticket scam email telling them to click on a link where they can see details of their vehicle license plate in the location where the infraction took place. They are also informed of the speed limit in that location together with the speed that the individual was travelling. The speeding driver is told he or she has 5 days to pay the citation.

While this speeding ticket email scam could easily be used by the attackers to obtain credit card details or phish for other information, it appears to only be used to install malware. Clicking on the link in the email to view license plate details does not actually reveal the image. It silently installs malware.

The police department in Tredyffrin, PA, where drivers were targeted with this speeding ticket email scam, has not cited callers for their speeding violations when they have called to query the fine, even when they have confessed to speeding over the phone.

How to Protect Yourself Against Email Scams

This speeding ticket email scam is particularly convincing as it uses real data to fool users into clicking on the malicious link. Many spam email campaigns now use personal information – such as real names and addresses – to fool targets into opening infected email attachments or clicking on malicious links. This type of targeted spear phishing email is now all too common.

To protect against attacks such as this, there are a number of steps that should be taken.

  1. If contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual or company to confirm, but do not use the contact information in the email. Perform a search on Google to obtain the correct telephone number to call.
  2. Carefully check the sender’s email address. Does it look like it is genuine?
  3. Never open email attachments from someone you do not know.
  4. If you receive an email offering you a prize or refund, stay safe and delete the email.
  5. Ensure that anti-virus software is installed on your computer and is up to date.

Ransomware Now One of the Main UK Cybersecurity Threats

File-encrypting ransomware is now one of the main UK cybersecurity threats. Rather than stealing sensitive corporate data, criminals have taken to locking it with powerful encryption to prevent businesses from performing day to day functions. Without access to data, business often grinds to a halt.

Ransomware is nothing new, but over the past few years it has become much more popular with cybercriminals, who are increasingly targeting businesses. If criminals can succeed in breaching businesses’ security defenses and locking critical files, a ransom can be demanded in order to supply the keys to unlock the encryption. If no viable backup copy exists, businesses may be left with no alternative but to give in to attackers’ demands. Those demands include sizable payments in Bitcoin – a virtually anonymous currency.

Ransomware attacks in the United States have attracted the headlines, but across the pond, ransomware attacks on UK businesses have also been increasing. According to the latest research from ESET, ransomware is now one of the main UK cybersecurity threats accounting for more than a quarter of threats. In the week of April 19 to 26, 26.16% of threats involved ransomware.

How to Block Ransomware Infections

Unfortunately, there is no single method of blocking ransomware infections that is 100% effective, although by using a multi-layered approach, small to medium-sized businesses can greatly reduce the probability of ransomware being installed on their computers and networks.

Ransomware is installed via a number of different methods, although one of the most common methods of ransomware delivery is spam email. Spam email is used to send out malicious attachments that install malware, which in turn installs ransomware on computers. One of the most common methods of infection is Word documents containing malicious macros.

Attackers also use emails containing malicious links. End users are enticed to click those links using social engineering techniques. One click is often all that is required to install ransomware. While it is possible to train employees to be more security aware, all it takes is for one member of staff to install malware for a network to be encrypted. The latest strains of ransomware are capable of encrypting files on single computers, connected USB drives, and network drives. It is important to provide staff training, but a software solution should also be used to block spam emails and prevent them from being delivered.

SpamTitan can keep an organization well protected from malware and ransomware infections. SpamTitan uses two leading anti-virus engines – Bitdefender and ClamAV – to block the vast majority of spam email. SpamTitan detects and blocks 99.98% of spam email, which prevents end users’ spam and phishing email detection skills from being put to the test.

SpamTitan blocks malicious emails, infected email attachments, and links to phishing websites and sites where drive-by downloads of malware take place. This single software solution can help organizations mitigate the risk from many of the main UK cybersecurity threats.

If you want to block ransomware and malware and reduce the time your employees spend sifting through spam email, contact the sales team today for further information or sign up for a free SpamTitan trial.

Personalized Phishing Scam Uses Names and Addresses to Fool Victims into Installing Malware

Businesses have been put on alert following the discovery of a new personalized phishing scam that attempts to trick users into installing malware on their company’s computers. These new personalized phishing scam emails are primarily being used to spread CryptoWall ransomware, although that is far from the only payload delivered.

New Personalized Phishing Scam Delivers Wide Range of Malware

The new scam is also being used to deliver the Arsnif/RecoLoad POS reconnaissance Trojan to organizations in the retail and hospitality industries, as well as the Ursnif ISFB banking Trojan.

The current attack does not target all employees. Instead it is used to try to install malware on the computers of users with elevated network privileges such as senior executives, CFOs, senior vice presidents, CEOs, heads of finance, and company directors. These individuals not only have access to a far greater range of data, they are also likely to have access to corporate bank accounts.

If the payload is delivered it can result in POS systems being infected and access to bank accounts being gained, as well as widespread data encryption with ransomware. One single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services sector, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received large volumes of these emails.

What makes this particular phishing campaign stand out is the fact that the emails have not been delivered to random individuals. Many spammers send out phishing emails in the millions in the hope that some individuals will respond. However, this is a personalized phishing scam targeting specific individuals. Those individuals have been researched and the emails include data specific to the target.

Each email refers to the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email crafted for a particular industry, and the attached files and links have been named to make them appear genuine. The emails have also been well written and do not contain the spelling and grammar mistakes typical of spam email.

A personalized phishing scam such as this is not usually conducted on such a large scale. Spear phishing emails are usually sent to just a handful of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the United States, United Kingdom, and Australia.

The data used in the email body could have been harvested from a social media site such as LinkedIn, although the scale of the attack suggests data has been obtained from elsewhere, such as a previous cyberattack on another company such as a supplier or an Internet site. Companies that do not use a robust spam filter such as SpamTitan are particularly at risk.

Beware of GozNym Banking Malware – A Silent Threat That Can Empty Bank Accounts

Eastern European hackers may only have had access to GozNym banking malware for a few days, but they have already used the malicious software to make fraudulent bank transfers from more than two dozen bank accounts. The new malware is primarily being used to target banks and credit unions, although the attackers have also used the malware to attack e-commerce platforms. 22 attacks have been conducted on financial institutions in the United States with a further 2 attacks in Canada. So far the attackers behind the GozNym banking malware have managed to steal at least $4 million from U.S. and Canadian banks.

GozNym Banking Malware Combines Gozi ISFB with Nymaim Source Code

As the name suggests, GozNym banking malware was developed by combining two different malware strains – Nymaim and Gozi ISFB.

IBM's X-Force Research team believes the new malware is the work of the team behind Nymaim malware, as the source code of Nymaim is understood to be held only by the original developers of the malware. The source code for Gozi ISFB malware has previously been leaked on two occasions. X-Force analysts think the Nymaim malware developers obtained that source code and used the best parts to form the new hybrid Trojan.

Nymaim malware has previously been used almost exclusively as a method of ransomware delivery, although the group behind the malware started using it as a banking Trojan late last year. Nymaim malware is a two-stage malware dropper that is loaded onto computers using an exploit kit.

Links to a website containing the Blackhole Exploit Kit are sent via spam email. Once Nymaim has been loaded onto a computer, the second payload is deployed. In the case of GozNym banking malware the second stage is the running of Gozi ISFB code.

GozNym banking malware is stealthy and persistent. The malware remains dormant on a computer until the user logs into their bank account. When account details are entered, GozNym records the login credentials and silently sends them to the attackers’ command and control server. If GozNym banking malware is installed, the user will be unaware that their banking sessions have been compromised.

IBM recommends using adaptive malware detection solutions to reduce the risk of an attack. Anti-spam solutions such as SpamTitan can prevent emails containing the malicious links from being delivered, while WebTitan web filtering solutions can be used to block websites containing malicious code and exploit kits.

With new malware constantly being developed – around 1,000,000 new malware samples are now being released every day according to Symantec – organizations now need to implement sophisticated multi-layered defenses to protect their networks from malware infections.

Business Email Compromise Scams Have Cost U.S. Businesses $2.3 Billion

Over the past three years business email compromise scams have been conducted with increasing regularity. However, over the past year the number of business email compromise scams reported to the Federal Bureau of Investigation (FBI) has increased dramatically.

Since January 2015, the FBI reports there has been a 270% increase in BEC attacks. FBI figures suggest the total losses from business email compromise scams since October 2013 has risen to $2.3 billion. Reports of successful BEC scams have been sent to the FBI from over 79 different countries around the world, which have affected more than 17,642 businesses.

Business email compromise scams involve the attacker gaining access to a corporate email account, such as that of the CEO, and requesting a bank transfer be made to their account. An email is sent from the CEO’s account to an accounts department employee, and all too often the transfer is made without question.

Unfortunately for U.S. businesses, BEC attacks are likely to increase as more cybercriminals get in on the act. Security experts have warned that the situation is likely to get a lot worse before it gets better. With the average fraudulent bank transfer between $25,000 and $75,000 and considerable potential to obtain much higher sums, criminals are more than willing to conduct the attacks.

A recent report from Dell SecureWorks indicates some hackers are selling their services on underground marketplaces and are offering access to corporate email accounts for just $250. Since cybercriminals could buy access to corporate email accounts, even relatively unskilled criminals could pull off a BEC scam and potentially have a million dollar+ payday. A number of large corporations have been fooled by these scams and have recorded losses of well over $1 million.

Business Email Compromise Scams Can Be Highly Convincing

BEC scams are convincing because even with security training, staff members tend to assume attacks will come from outside their organization. Employees are suspicious about emails that request the disclosure of login credentials, and a request to make a bank transfer that has not come from within an organization is likely to be immediately flagged as a scam.

However, when the CEO sends an email to a member of the accounts department requesting a bank transfer, many employees would not think to question the request. The person arranging the transfer would be unlikely to call the CEO to confirm payment. The transfer may go unnoticed for a number of days, by which time the funds would have been withdrawn from the attacker's account and would be impossible to recover.

To conduct this type of attack the attacker would need to gain access to the email account of the CEO or an executive in the company who usually sends bank transfer requests to the accounts department. Once access has been gained, the attacker can read emails and learn the terminology typically used by that member of staff.

An email can then be written in the same language used by that individual. This ensures that the email does not rouse suspicions. Attackers research the transfer requests that are typically made and set the dollar amounts accordingly.

Since the account transfers are made to bank accounts outside the United States, the companies most frequently targeted are those that often make international payments. To the targeted accounts department employee, the request would seem perfectly normal.

How to Reduce the Risk of Employees Falling for BEC Scams

There are a number of ways that organizations can reduce the risk of employees falling for business email compromise scams. SpamTitan could not block a request sent from a compromised email account, but oftentimes attackers spoof email addresses. They purchase a domain that looks very similar to the targeted company, often transposing two letters. Oftentimes a domain is purchased replacing a letter “i” or an “L” with a “1”. If the email address of the sender is not carefully checked, this could well go unnoticed. SpamTitan can be configured to automatically block these spoofed email addresses to prevent these emails from being delivered.

To prevent employees from falling for business email compromise scams sent from compromised email accounts, policies and procedures should be introduced that require all account transfers to be verified by two individuals. Large transfers should also, where possible, be confirmed by some means other than email, such as a quick call to the sender of the email.

Organizations that choose to do nothing could regret failing to take precautions. Take the Austrian Airline parts company FACC for example. It reportedly lost approximately $55 million to such a scam.

Vulnerabilities in Adobe Flash Player Exploited to Install Ransomware

Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 21.0.0.197 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.

Any device that is running Adobe Flash Player 21.0.0.197 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier running the vulnerable Flash versions.

Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such as vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.

These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.

Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware

The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to incorporate the latest Flash vulnerability into Magnitude.

According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.

ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that was released in the past month. It can be used to encrypt files on all Windows versions, although not on systems set to Russian.

Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.

In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly, instead they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.

The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 21.0.0.197. Trend Micro says the exploit will not work on versions 21.0.0.197 and 21.0.0.182, only on Flash 20.0.0.306 and earlier versions due to mitigations put in place by Adobe.

ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.

Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.

Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.

WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.

MedStar Health Ransomware Attack Causes Network Shutdown

The past two months have seen a number of healthcare organizations attacked by cybercriminals; however, the MedStar Health ransomware attack discovered on Monday this week must rank as one of the most severe.

The MedStar Health ransomware attack is the latest in a string of attacks on U.S. healthcare organizations, as hackers up the ante and go for much bigger targets where the potential rewards are greater. It would appear that the 10-hospital health system will not need to pay a ransom to regain access to its data, but for three days MedStar Health has been forced to work without access to some of its computer systems after they were shut down to prevent the spread of the infection.

MedStar Health Ransomware Attack Affects 10 Hospitals and More than 250 Outpatient Facilities

MedStar Health is a large U.S. health system operating more than 250 outpatient facilities and ten hospitals in the Washington, D.C. area. On Monday morning, a virus was discovered to have been installed. The infection triggered emergency IT procedures and rapid action was taken to limit the spread of the virus. Three clinical information systems were shut down, including email and the electronic health record system used to record and view patient data.

Without access to email and patient data, services at the hospitals were slowed although business continued as close to normal as possible. No facilities closed their doors to patients. However, in the 48 hours since the virus was discovered, IT security teams have been working around the clock to bring systems back online. Yesterday, MedStar Health reported that systems were being brought back online with enhanced functionality added bit by bit.

MedStar Health has kept the media and patients notified of progress via social media. The health system reported that “The malicious malware attack has created many inconveniences and operational challenges for our patients and associates.”

While no information was initially released on the exact nature of the computer virus that was discovered to have infiltrated its systems, a number of sources indicate the malicious software was ransomware. It has since emerged that the MedStar Health ransomware attack involved ransomware from the Samsam family. The ransomware is also known as MSIL and Samas. The attack occurred at the Union Memorial Hospital in Baltimore.

Some computer users were presented with a message demanding a ransom to unlock files. The Baltimore Sun reported that the MedStar Health ransomware attack saw attackers demand a ransom of 45 Bitcoin (approximately $18,500) to unlock all 18 computers that were infected, with an offer to unlock one machine for 3 Bitcoin (approximately $1233).

FBI Issued Warning About Samsam Ransomware on March 25

The FBI reached out to businesses for assistance dealing with the latest ransomware threat from Samsam. While many ransomware infections use email as the vector, Samsam is installed via a tool called JexBoss. JexBoss is used to discover a vulnerability that exists in JBoss systems. This attack is not conducted using phishing or website exploit kits; instead it works by compromising servers and spreading the infection laterally.

The vulnerability exploited is in the default configuration of the JBoss Management Console (JMX) which is used to control JBoss application servers. In its default state, JMX allows unsecured access from external parties and this is used to gain shell access to install the ransomware.

Once a web application server has been infected, the ransomware does not communicate with a command and control server, but will spread laterally to infect Windows machines, hence the need to shut down systems. The MedStar Health ransomware attack could have been much more severe had rapid action not been taken.

This attack highlights just how important it is to ensure that all systems are patched and default software configurations are changed. Other attacks recently reported by healthcare organizations in the United States have involved Locky ransomware, which is spread via exploit kits on compromised websites and via email spam. Healthcare organizations can protect against those attacks by using web filtering and anti-spam solutions. However, it is also essential to train staff never to open email attachments from unknown sources.

Brazilian Criminals Use Malicious PNG File to Deliver Trojan

It is getting harder for cybercriminals to deliver malware via email, so attack methods have had to become more sophisticated; the latest attempt uses a malicious PNG file to deliver a banking Trojan.

Simply sending malware as an attachment in a spam email is certain to result in some unsuspecting users’ computers being infected, but cybercriminals are now having to use more advanced techniques to evade detection and get past spam filters and antivirus software. The latest attack method is an example of how attackers are using much more sophisticated methods to evade detection.

Malicious PNG File Used to Infect Windows, OS X, and Linux Machines

A new campaign has been discovered by SecureList which is being used, at present, to attack computers in Brazil. However, while the majority of victims are located in Brazil, the malware is also being used to attack users in Spain, Portugal, the United States and beyond.

To evade detection, the attackers have encrypted a malicious payload in a malicious PNG file – a common image format many people do not usually associate with malware.

The image file is not attached to an email and sent in a spam message, instead the initial attack takes place using a PDF file containing a malicious link. The PDF file is sent out in spam emails which use social engineering techniques to fool users into opening the attachment. The PDF file does not contain any malicious code, instead it uses a link to infect users. Clicking the link in the PDF file initiates the infection process.

The link is used to get users to download a malicious Java JAR file, which in turn downloads an infected ZIP file. The zip file contains a number of other files, including a malicious PNG file, or file with a PNG header. Researchers analyzed the binary file and determined that the PNG file size was much larger than it should be for the size of the image.
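The size check the researchers applied, a PNG file far larger than its dimensions justify, can be turned into an automated defender-side test. The following is an added example, not code from the original article or from SecureList: it parses the PNG chunk list, recomputes each chunk CRC, derives an upper bound on the compressed image data from the IHDR width, height, bit depth and colour type, and reports data appended after the IEND chunk. The sample PNGs are constructed in memory (an all-black 4x4 image with junk appended) and contain no real payload.

```python
"""Flag PNG files that carry far more data than their image dimensions justify.

Added example (not from the article or SecureList). Samples are constructed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type: grey, RGB, palette, grey+alpha, RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, trailer: bytes = b"", idat_pad: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG (all black); trailer/idat_pad add constructed junk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw) + idat_pad)
            + _chunk(b"IEND", b"") + trailer)


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report the anomalies an oversized PNG tends to show."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    width = height = max_raw = idat_bytes = 0
    reasons = []
    end = None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            reasons.append("truncated chunk")
            break
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            reasons.append(f"bad CRC in {ctype.decode('latin-1')} chunk")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            # Upper bound on the uncompressed image stream: one filter byte per row
            # plus the pixel bytes. Compressed IDAT data should never greatly exceed it.
            max_raw = height * (1 + (width * CHANNELS.get(colour, 4) * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat_bytes += length
        elif ctype == b"IEND":
            end = pos + 12 + length
            break
        pos += 12 + length
    if end is None:
        reasons.append("no IEND chunk")
        end = len(data)
    trailing = len(data) - end
    if trailing:
        reasons.append(f"{trailing} bytes appended after IEND")
    if max_raw and idat_bytes > max_raw + 1024:  # 1 KiB slack for zlib overhead (assumed)
        reasons.append(f"IDAT holds {idat_bytes} bytes, far more than the {max_raw} the image needs")
    return {"width": width, "height": height, "idat_bytes": idat_bytes,
            "expected_max_bytes": max_raw, "trailing_bytes": trailing,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples: a clean image, one with junk after IEND, one with a bloated IDAT.
CLEAN_PNG = build_png(4, 4)
TRAILER_PNG = build_png(4, 4, trailer=b"\x00" * 5000)
PADDED_PNG = build_png(4, 4, idat_pad=b"\xff" * 8192)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PNG), ("trailer", TRAILER_PNG), ("padded IDAT", PADDED_PNG)]:
        print(name, inspect_png(sample)["reasons"])
```

The 1 KiB slack and the "bytes after IEND" rule are this example's own thresholds; an attachment scanner would tune them against its own traffic, but a 4x4 image carrying kilobytes of extra data is exactly the disproportion the researchers noticed.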

Further analysis showed how the malicious PNG file was loaded into memory – using a technique called RunPE which is used by hackers to hide malicious code behind a legitimate process. In this case that process is iexplore.exe.

The malicious PNG file cannot infect a user on its own, as a launcher is required to decrypt the contents of the file. The attackers send the PDF file to start the infection process. Since the zip file contains the PDF extension, users downloading the file are likely to double click to open, thus infecting their systems. Since the malicious code in the PDF file is encrypted, it is not picked up by antivirus software. However, SecureList points out that the malicious files used in this attack are picked up by Kaspersky Lab products.

Nemucod Malware Used to Deliver Ransomware in New Email Spam Campaign

A new wave of spam email has prompted antivirus companies to issue a warning about emails infected with Nemucod malware. The emails are rapidly spreading around the globe, with Japan currently the worst hit; however, the prevalence of infected spam email is also particularly high in Europe, Australia, Canada, and the United States.

Nemucod Malware Used to Infect Devices with Teslacrypt and Locky Ransomware

Nemucod malware is a Trojan downloader that is used to install a payload of ransomware. Currently Nemucod malware is being spread via spam email and is being used to download Locky and Teslacrypt ransomware onto the devices of anyone who opens the infected email attachments.

Nemucod malware (JSTrojan/Downloader.Nemucod) is a JavaScript downloader. The malware is being distributed as a ZIP file and will run when opened and will download a payload of file-locking ransomware. The ransomware will lock numerous files and a ransom will be demanded by the attackers. Only if that ransom is paid will a security key be supplied to unlock data.

In contrast to many malware-infected emails which contain numerous grammatical and spelling mistakes, the emails being used to spread this nasty malware are well written and convincing. The emails claim the attachment is an invoice or an official document such as a notice requiring the target to appear in court.

As we have previously reported, Teslacrypt and Locky ransomware are particularly nasty ransomware. On download they search the user’s computer for a wide variety of file types and lock all of those files with powerful encryption. They will also search for files on attached portable storage devices, virtual devices, and network drives. Locky is also capable of removing volume shadow copies (VSS) making it impossible for infected users to restore their devices to a point before the ransomware infection.

Documents, images, spreadsheets, system files, and data backups are all encrypted. Locky has been programmed to encrypt hundreds of file types. Fortunately, there are a number of steps that can be taken to prevent malware and ransomware infections.

How to Prevent a Ransomware Infection

Steps can be taken to reduce the risk of ransomware being installed, but even the best defenses can be breached. It is therefore also essential to ensure that all critical data files are backed up regularly. If a daily backup is performed, at worst, an organization should only lose a maximum of 24 hours of data.

It is essential that once backups are made, the drive used to store the backup files is disconnected. Some ransomware variants are capable of scanning network drives and can encrypt backup files on connected backup devices.

Simply receiving a malicious spam email that has been infected with malware will not result in a device being infected. A device will only be infected if an end user opens the infected attachment.

The best way to defend against ransomware is never to open email attachments that have been sent from unknown individuals. While this is straightforward for individual users, for businesses it is harder to ensure that no member of staff will be fooled into opening an infected email attachment.

It is therefore essential to provide all members of staff with security training to ensure they are aware of best practices to adopt to reduce the risk of installing ransomware. However, all it takes is for one member of staff to open a malicious email attachment for the network to be infected. For peace of mind, a robust spam filtering solution for businesses should be implemented. SpamTitan blocks 99.9% of all spam email, drastically reducing the risk of ransomware and other malicious emails being delivered to end users.

The Fast Rise of Locky Ransomware: Locky is Now a Major Email Threat

Locky ransomware may be a relatively new threat for IT security professionals to worry about, but it has not taken long for the malware to make its mark. It has already claimed a number of high profile victims and is fast becoming one of the most prevalent forms of ransomware.

Early last month Hollywood Presbyterian Hospital in California experienced a ransomware attack that took some of its systems out of action for a week until a ransom demand of $17,000 was paid and the hospital’s EHR was decrypted. During that week, staff at the hospital were forced to record data on paper, were unable to check medical records, and X-Ray, CT scans and other medical imaging files were inaccessible. The hospital was not targeted, instead it was the victim of a random attack. That attack was linked to Locky ransomware.

Locky Ransomware Capable of Encrypting Files Stored on Network Drives

Locky ransomware infections occur via spam email messages and it appears that Hollywood Presbyterian hospital’s systems were infected via an email campaign. Locky ransomware is not delivered via spam email directly, instead infection occurs via a malicious Word macro.

When the macro is run, the malicious code saves a file to the disk and downloads the ransomware from a remote server. Upon download the malware searches for a range of file types located on the device on which it is saved, as well as searching portable drives, virtual devices, and network drives to which the computer is connected. Volume Snapshot Service (VSS) files are also removed, removing the option of restoring via Windows backup files.

Staff training on malicious file detection often covers common file types used to mask malicious software such as screensaver files (SCR), executables (EXE), and batch files (BAT). In the case of Locky ransomware, users are more likely to be fooled as infections occur as a result of Word document (DOC) macros. Any user who receives and opens an infected Word document will automatically download Locky to their computer if they have macros set to run automatically. Since users are instructed to enable macros upon opening the infected document, many may do so in order to read the contents of the file.

That is not the only way that Locky is spread. It is also being installed via a ZIP file, which when run, downloads a JavaScript installer that in turn downloads and runs the ransomware.
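Both delivery routes described on this page, the ZIP-wrapped JavaScript downloader used by Nemucod and by this Locky variant, and the macro-enabled Word document, can be caught at the mail gateway before a user ever sees them. The following attachment triage routine is an added example, not code from the original article, Trustwave or any product named here: it flags script and executable extensions, double extensions such as `invoice.pdf.js`, scripts hidden inside ZIP archives, and Office Open XML documents that contain a `word/vbaProject.bin` macro project. The sample attachments are constructed in memory with placeholder content. Legacy binary `.doc` files are not parsed here; a production filter would inspect those too.

```python
"""Triage e-mail attachments for script droppers and macro documents.

Added example (not from the article or any vendor). Samples are constructed.
"""
import io
import zipfile

# Extensions Windows will execute or interpret when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                     ".cmd", ".bat", ".scr", ".exe"}
# Document extensions a double-extension trick typically imitates.
DOC_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf", ".pdf"}


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""


def triage_attachment(filename: str, data: bytes) -> list:
    """Return reasons an attachment deserves quarantine (empty list = no finding)."""
    reasons = []
    parts = filename.lower().split(".")
    # invoice.pdf.js: the middle extension is what the user sees if Windows hides the last one.
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS and "." + parts[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"double extension: {filename}")
    if _ext(filename) in SCRIPT_EXTENSIONS:
        reasons.append(f"script or executable attachment: {filename}")
    # ZIP containers cover both plain archives and Office Open XML (.docx/.docm).
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "word/vbaProject.bin" in names:
                reasons.append(f"Word document with VBA macro project: {filename}")
            for member in names:
                if _ext(member) in SCRIPT_EXTENSIONS:
                    reasons.append(f"archive member {member} is a script/executable")
    return reasons


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with harmless placeholder bodies; no real dropper code.
NEMUCOD_STYLE_ZIP = _zip_bytes({"invoice_2016.js": b"// placeholder script body"})
MACRO_DOCM = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder"})
PLAIN_DOCX = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>"})
PDF_TEXT = b"%PDF-1.4\n%placeholder\n"

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", NEMUCOD_STYLE_ZIP), ("court_notice.docm", MACRO_DOCM),
                        ("report.docx", PLAIN_DOCX), ("invoice.pdf", PDF_TEXT),
                        ("invoice.pdf.js", b"placeholder")]:
        print(fname, triage_attachment(fname, blob))
```

Quarantining on the presence of `vbaProject.bin` is deliberately blunt: it catches the "enable macros to view this document" lure regardless of what the macro does, and legitimate macro documents from known senders can be allow-listed separately.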

According to Trustwave SpiderLabs, 18% of the spam emails it had collected over the course of the past week were ransomware, and Locky is believed to comprise a large percentage of those emails. The ransomware is being delivered by the same botnet that was used to send out Dridex malware last year. While the mastermind behind the Dridex banking malware, Moldovan Andrey Ghinkul, has now been apprehended and extradited to the U.S, the botnet infrastructure is being used for this much simpler attack.

The attacks may be simpler but they are proving to be effective. According to Fortinet, over three million hits have been recorded from the Command and Control server used to communicate with Locky.

The infections are unlikely to end until the botnet is taken down. In the meantime, it is essential to exercise caution. While the ransomware does not attack Russian systems, all other users are at risk. Businesses in particular should take action to reduce risk, such as advising staff of the threat of infection via Word files and Zip files. Using a spam filtering solution such as SpamTitan to block malicious attachments is also strongly advisable to prevent malicious emails from being delivered to staff inboxes.

New Tax Season Scams: HR and Payroll Staff Being Targeted

A number of new tax season scams have been uncovered in recent weeks, with one in particular causing concern due to the sheer number of victims it has already claimed. Over the past three weeks, four healthcare providers in the United States have been added to the list of victims. The four healthcare providers have recently announced that members of staff have fallen for W-2 phishing scams and have emailed lists of employees to scammers. Names, Social Security numbers and details of employee earnings have been disclosed.

Healthcare Providers Targeted by New Tax Season Scams

Healthcare HR and payroll staff are being targeted by scammers attempting to gain access to the names, contact details, and Social Security numbers of hospital employees with a view to using the data to commit tax fraud. The latest tax season scams are convincing. The scammers find out the names of staff working in the HR and payroll departments who are likely to have access to employee W-2 forms. A spear phishing email is then sent to the employees requesting a list of W2 copies of employee wage and tax statements for the previous year. They are instructed to compile the lists and enter them in a spreadsheet or PDF and email them as soon as possible.

What makes the scams convincing, and employees likely to respond, is the requests appear to come from within the organization and appear to have been sent by either the CEO or a senior executive. The emails appear to have been sent from the correct email address of the CEO or executive, leading the employees to believe the requests are genuine.

The “From” email address is usually masked so that it appears genuine; although it is not. A reply to the email will be sent outside of the company to an email account being monitored by the scammers.  In some cases, domains have been purchased that are very similar to those of the target organizations. Usually two letters have been transposed making the domains appear genuine. An email account is then set up with the same format as used by the company. A quick glance at the email address may not rouse any suspicion.
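The two header tricks described on this page, the look-alike domain with transposed letters or an "i"/"l" replaced by "1" (in the business email compromise post above and again here), and a "From" address that looks right while replies are diverted elsewhere, can both be checked mechanically on inbound mail. The following is an added example, not code from the original article or from SpamTitan: it folds common look-alike characters back to the letters they imitate (the page names the "1" substitution; the "rn"/"m" and "vv"/"w" pairs are added here as common variants), measures the edit distance of the sender domain from the organization's own domain with a transposition-aware Damerau-Levenshtein routine, and flags a Reply-To domain that differs from the From domain. The organization domain `example-corp.com`, the two-edit threshold and the sample messages are all constructed for the example.

```python
"""Flag look-alike sender domains and Reply-To mismatches in e-mail headers.

Added example (not from the article or SpamTitan). Domain, threshold and
messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # assumption: the protected organization's real domain

# Substitutions used to imitate letters. Two-character forms are listed first so
# "rn" folds to "m" before single characters are replaced.
LOOKALIKES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def normalize(domain: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a transposition costs 1 edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 1))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Domain part of an address header, lower-cased ('' if there is no address)."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw_message: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return human-readable findings for one message's From and Reply-To headers."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if from_dom and from_dom != org_domain:
        # A foreign domain within two edits of ours, after folding look-alike
        # characters, is an impersonation attempt rather than a coincidence.
        if edit_distance(normalize(from_dom), normalize(org_domain)) <= 2:
            findings.append(f"look-alike sender domain: {from_dom} imitates {org_domain}")
    if from_dom and reply_dom and reply_dom != from_dom:
        # The displayed sender may be genuine while replies are diverted to the scammer.
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_TRANSPOSED = ("From: CEO <ceo@exmaple-corp.com>\r\nTo: accounts@example-corp.com\r\n"
                     "Subject: Urgent wire transfer\r\n\r\nPlease process today.\r\n")
SAMPLE_DIGIT_SWAP = ("From: CEO <ceo@examp1e-corp.com>\r\nTo: payroll@example-corp.com\r\n"
                     "Subject: W-2 copies\r\n\r\nSend all W-2s as PDF.\r\n")
SAMPLE_REPLY_TO = ("From: CEO <ceo@example-corp.com>\r\nReply-To: ceo@mail-inbox-service.test\r\n"
                   "To: payroll@example-corp.com\r\nSubject: W-2 copies\r\n\r\nSend all W-2s as PDF.\r\n")
SAMPLE_CLEAN = ("From: Supplier <billing@supplier-test.example>\r\nTo: accounts@example-corp.com\r\n"
                "Subject: Invoice 1234\r\n\r\nAttached.\r\n")

if __name__ == "__main__":
    for label, sample in [("transposed", SAMPLE_TRANSPOSED), ("digit swap", SAMPLE_DIGIT_SWAP),
                          ("reply-to", SAMPLE_REPLY_TO), ("clean", SAMPLE_CLEAN)]:
        print(label, analyze_headers(sample))
```

Header checks of this kind complement, rather than replace, the two-person verification procedure recommended above: a message sent from a genuinely compromised account passes every header test, which is why the call-back requirement matters.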

It may take days or weeks before these tax season scams are detected. By that time, fake tax returns are likely to have been filed in the names of the victims.

HR and payroll staff must be particularly vigilant at this time of year as tax season scams are rife. However, the rise in number of successful phishing attacks suggests that payroll and HR staff have not received refresher training on the dangers of phishing. With attacks still taking place, now is a good time to issue an email bulletin to all staff with access to employee data to warn them of the risk, and to advise them to exercise extreme caution and not send any employee data without checking and double checking the validity of the email request.

IRS Issues New Warning About W-2 Phishing Scams

At the start of February, the IRS issued a warning about the sharp rise in tax season scams this year. Just over a month into tax season, a record number of phishing scams and tax season-related malware had been discovered. In January, 1,026 reports of tax-related incidents had been reported, which is an increase of 254 over the previous year.

The incidents continued to increase throughout February, with last year’s total of 1,361 already having been exceeded in the first two weeks of the month. The high volume of tax season scams reported in February prompted the IRS to issue another warning on February 29, with the W-2 phishing scams causing particular concern. So far this tax season, reported tax-related malware and phishing attacks have increased 400% year on year.

Zika Virus Email Scam Used to Deliver Malware

Last week a healthcare provider had its electronic health record system locked by ransomware; now a Zika virus email scam has been uncovered, showing the depths that some hackers and cybercriminals will stoop to in order to make a quick buck.

The latest email scam takes advantage of the public interest in the Zika virus epidemic in Brazil. Since April last year, the number of reported cases of Zika fever has grown. Zika fever is caused by the transmission of the Zika virus by Aedes mosquitos. Zika fever produces similar symptoms to Dengue fever, although the symptoms are often milder.

Scientists have also been alerted to a rise in the number of cases of microcephaly reported in Brazil. Microcephaly is a birth defect resulting in babies being born with a smaller than average head as well as other poor pregnancy outcomes. The rise in microcephaly has been linked to the increase in cases of Zika virus.

While no concrete evidence has been uncovered to suggest that pregnant women contracting Zika are likely to give birth to babies with microcephaly, there is concern that Zika can cause the birth defect. The World Health Organization (WHO) reports the virus has now spread to 23 countries. People are naturally worried. Women in Brazil and Colombia have been told to avoid becoming pregnant and hold off having children, while the government in El Salvador has told women not to get pregnant until 2018.

A potentially global health issue such as Zika is naturally a worry for any woman looking to start a family, and understandably the latest news about the virus is likely to be read. Scammers have been quick to take advantage of the media interest, and a scam has been developed to exploit that interest and infect computers with malware.

Zika Virus Email Scam Delivers JS.Downloader Malware

The Zika virus email scam is currently doing the rounds in Brazil and is being sent in Portuguese. The emails appear to have been sent from Saúde Curiosa (Curious Health), which is a legitimate health and wellness website in Brazil. The email contains an attachment infected with JS.Downloader, a malware that is used to download additional malware to infected users’ devices.

The subject line of the email is “ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates as “Zika Virus! That’s Right, Killing It With Water!” The email tells the recipient to click on the link contained in the email to find out how to kill the mosquitos that carry the virus, although the email also contains a file attachment which the email recipient is urged to open. Doing so will install the malware onto the user’s device. The link directs the user to Dropbox with the same outcome.

Anyone receiving an unsolicited email with advice about the Zika virus, regardless of the language it is written in, should treat the email with suspicion. This is unlikely to be the only Zika virus email scam sent by cybercriminals this year. With the Olympics taking place in Brazil in the summer, criminals are likely to use topics such as the Zika virus to spread malware.

If you want information about Zika, check the WHO website. If you receive a Zika virus email, delete it and do not click on any links in the email or open any attachments.

Healthcare Ransomware Attack Sees Hospital Pay $17K Ransom to Unlock EHR

Over the past 12 months, cybercriminals have used ransomware with increasing frequency to extort money out of businesses, leading some security experts to predict that healthcare ransomware infections would become a major problem in 2016.

Would cybercriminals stoop so low and attack the providers of critical medical care? The answer is yes. This week a U.S. hospital has taken the decision to pay a ransom to obtain the security keys necessary to unlock data that had been encrypted by ransomware. The attack does not appear to have been targeted, but the ransom still needed to be paid to unlock the hospital’s electronic medical record system.

Last year, Cryptowall infections were regularly reported that required individuals to pay a ransom of around $500 to get the security key to recover files. However, when businesses accidentally install ransomware the ransom demand is usually far higher. Cybercriminals can name their price and it is usually well in excess of $500.

Healthcare Ransomware Infection Results in Hospital Paying $16,664 to Unlock EHR

While businesses have been targeted by cybercriminal gangs and have had their critical data locked by ransomware, it is rare for healthcare providers to be attacked. The latest healthcare ransomware infection does not appear to have been targeted; instead, a member of staff inadvertently installed malware which locked the hospital’s enterprise-wide electronic health record system (EHR), the system that houses patient health records and critical medical files.

The EHR of Southern California’s Hollywood Presbyterian Medical Center was locked on February 5, 2016, with physicians and other members of the hospital staff unable to access the EHR to view and log patient health information. An investigation into the IT issue was immediately launched and it soon became apparent that the database had been locked by ransomware.

No one wants to have to pay cybercriminals for security keys, and the hospital took steps to try to recover without having to give in to ransom demands. The Police and FBI were contacted and started an investigation. Computer experts were also brought in to help restore the computer system but all to no avail.

The news of the healthcare ransomware attack broke late last week, with early reports suggesting the hospital had received a ransom demand of 9,000 Bitcoin, or around $3.4 million. The EHR was taken out of action for more than a week while the hospital attempted to recover and unlock its files.

Eventually, the decision had to be taken to pay the ransom. While it may have been possible for patient health data to be restored from backups, the time it would take, the resources required to do that, and the disruption it would likely cause was not deemed to be worth it. Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, took the decision to pay the ransom to obtain the security key to unlock the data.

In a statement posted on the company’s website he confirmed that the reports of a ransom demand of 9,000 Bitcoin were untrue. The attackers were asking for 40 Bitcoin, or $16,664, to release the security key to unlock the hospital’s data.

Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Fortunately, healthcare ransomware attacks are relatively rare, as many healthcare providers in the United States already have controls in place to reduce the likelihood of an attack being successful. Staff are trained to be vigilant and not to install software on healthcare devices or open suspicious email attachments. Many use a spam filter to quarantine suspect emails; the latter is an essential protection against healthcare ransomware attacks.

The Importance of a Robust Spam Filter to Prevent Healthcare Ransomware Attacks

A healthcare ransomware attack does not just have a financial impact; it has potential to cause actual harm to patients. The delivery of healthcare services is slowed as a result of the inability to access and share healthcare data, and not being able to view patient health records could delay the delivery of critical patient care or result in incorrect medications being prescribed. That could be a life or death matter. Preventing healthcare ransomware attacks is therefore essential. A technological solution should be employed for maximum protection.

TitanHQ’s SpamTitan software has been developed to keep businesses protected from malware and ransomware attacks. SpamTitan uses two anti-malware engines to maximize the probability of spam emails and malicious attachments being caught and prevented from being delivered to end user inboxes. SpamTitan catches 99.9% of spam email and quarantines emails with suspicious attachments to prevent them from being delivered.

If you want to reduce the risk of suffering a ransomware attack and having to pay cybercriminals to unlock critical data, using a robust, powerful anti-spam solution such as SpamTitan is the best way to protect computers and networks from attack. Along with staff training to improve understanding of healthcare ransomware and other malware, it is possible to prevent attacks from being successful.

For further information on SpamTitan anti-spam solutions, contact the TitanHQ team today:

US Sales +1 813 304 2544

UK/EU Sales +44 203 808 5467

IRL +353 91 54 55 00

Or email sales@spamtitan.com

Virgin Media Spoofed Emails: Data Breach Denied; Customers Blamed

Virgin Media customers have been complaining about an increase in spam emails since September last year, with many targeted with spoofed emails; however, the Virgin Media spoofed emails are not the result of a data breach according to a statement recently issued by the ISP.

Virgin Media Spoofed Emails Not the Result of a Data Breach

Customers first started to receive spam and spoofed emails in September last year, shortly after Virgin Media moved from Google to its own platform. The problem appears to be affecting individuals with blueyonder and ntlworld email accounts.

The Virgin Media spoofed emails indicate the company has suffered a data breach and hackers are in possession of email accounts and email address books. Virgin Media has denied it has suffered a data breach, although the ISP has acknowledged that some of its users are being targeted by spammers and that it is aware of a “spoofed email message problem.”

Virgin Media are claiming that the increase in email spam is a consequence of the change of platform. The ISP maintains its own spam filters are not as effective as those used by Google, hence the increase in email spam since the switch of platform.

While this is plausible and would explain the increase in email spam, it does not adequately explain the Virgin Media spoofed emails. Customers have reported that a number of their address book contacts have received spoofed messages which would appear to have been sent from their email accounts.

Some of the affected customers claim that the spoofing occurs in waves every 3 to 4 weeks. Emails are sent to five address book contacts at a time. Those emails contain a link to a malicious website which is used to download malware to the users’ computers. The victim is aware of the spoofing as they often receive bounce-backs from undeliverable messages.

Company statement about Virgin Media spoofed emails

Customers Blamed for Virgin Media Spoofed Emails

The lack of a reasonable answer and a solution to stop the Virgin Media spoofed emails from being sent has led a number of customers to take to social media sites to vent their spleens and share details of their experiences. A Facebook group has been set up for this purpose. Around 70 customers have come forward and shared their experiences on the Facebook group so far.

Customers complaining about the email spoofing to Virgin Media are being informed that the message storm problem is due to customers, not a data breach. Customers disagree, with many claiming the problem cannot be local. Many bounce backs are generated as the email addresses are out of date, whereas the address books on local computers are not. The problem is therefore with the email address books stored on Virgin Media servers.

Disgruntled customers unhappy with the response they have received from Virgin Media have now complained to the Information Commissioner’s Office, which is looking into the issue.

Penalties for Spamming: 27 Months Jail Time for Indianapolis Spammer

What are the penalties for spamming? A man from Indianapolis has just discovered the penalties for sending spam can be severe, having been recently sentenced to serve over 2 years in jail.

Indianapolis man discovers the penalties for spamming can be severe

Phillip Fleitz, 31, of Indianapolis was recently sentenced to 27 months in a federal penitentiary after violating the CAN-SPAM Act of 2003, a law introduced to make the spamming of cell phones and email accounts illegal. The law was introduced by George W. Bush to protect U.S. citizens from unwanted marketing messages and pornography. Under the CAN-SPAM Act of 2003, the penalties for spamming include lengthy jail terms and hefty fines.

US District Judge Maurice Cohill Jr. passed sentence in a Philadelphia court earlier this month. The judge said the spam campaign orchestrated by Fleitz was “sophisticated and serious,” and resulted in millions of spam messages being sent to U.S. citizens. Fleitz and the two other individuals involved in the massive spamming campaign were raking in between $2,000 and $3,000 per week. They were paid for the clicks they managed to generate by sending users to marketing websites.

The marketing websites gathered contact details from visitors, a practice which is legal. What is not legal, and contravenes the CAN-SPAM Act of 2003, is using spam marketing to generate traffic to those websites.

Fleitz was the only individual from the trio to receive a jail term as he was the architect of the scheme. “It was his idea. He was the first to do it,” said prosecuting US attorney Jimmy Kitchen. Last year, Fleitz pled guilty to using a protected computer to relay or retransmit multiple commercial electronic mail messages with the intent to deceive or mislead recipients, with the sentence only just being passed.

Spammer arrested after Darkode website takedown

Fleitz was arrested as part of an FBI investigation into Darkode, a website used by hackers and cybercriminals to market illegal computer skills. The taking down of the website resulted in 12 individuals being charged with computer crimes.

Of the two other individuals involved in the spam campaign, Naveed Ahmed, 27, wrote the program that allowed the scheme to operate. He was sentenced last year and received 2 years’ probation. Dewayne Watts wrote the spam messages, which were designed to fool users into responding. He received 2 months’ probation, including a period of 6 months of being confined to his house.

The spamming campaign was run via servers based in China between September 2011 and February 2013. Fleitz recruited Ahmed to write a computer program that enabled the spammers to send millions of spam text messages and emails to mobile phones and computers. Ahmed’s program mined cellphone numbers and matched them up with carriers. The messages written by Watts advised the recipients they had won gift cards that could be claimed by clicking the links contained in the messages.

The penalties for spamming under the CAN-SPAM Act of 2003 can be severe. While Fleitz only received 27 months in jail, he could potentially have been sentenced to a maximum of 60 months of jail time and fined up to $250,000. When determining the penalties for spamming, judges take prior history into consideration as well as the severity of the offences.

TitanHQ.fr has this article in French.

FAQ

Who is in charge of enforcing the CAN-SPAM Act?

The CAN-SPAM Act is enforced primarily by the Federal Trade Commission, which can seek civil penalties of up to $16,000 per violation. In certain circumstances the Act is enforced by various other federal agencies such as the Federal Communications Commission, state attorneys general, and Internet Service Providers. There is no private right of action.

Who can I complain to about spam and phishing emails?

It depends on the nature of the email and whether or not you have responded to it. For example, complaints about emails advertising financial investments should be sent to the Securities and Exchange Commission, while those relating to miracle medical cures should be sent to the Food and Drug Administration. You will find the full list of who to complain to on the Department of Justice website.

Has the CAN-SPAM Act been updated since it was first enacted?

In 2017, the Federal Trade Commission sought public comment on the CAN-SPAM Act ahead of a review. After receiving 92 comments “overwhelmingly” in favor of keeping the rules as they are, in 2019 the Commission concluded the Act still benefits businesses and consumers without imposing substantial economic burdens on genuine email marketing and the rules were kept the same.

How can I prevent my business receiving spam and phishing emails?

Speak with us about our email filtering service, which can detect up to 99.97% of spam emails and significantly reduce the likelihood of a phishing email being delivered. Our team will be happy to organize a no-obligation demonstration of our service in action and give you the opportunity to take advantage of a free trial in order to evaluate our service in your own environment.

Cost of Dealing with Cyberthreats Now Threatens Corporate Growth

Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.

Cost of dealing with cyberthreats a major impediment to 2016 growth

The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.

Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% of respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.

While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% said they only saw more threats.

The cost of dealing with cyberthreats is considerable, although nowhere near as high as the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.

Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.

The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.

Major cyberthreats of 2016

  • Cloud computing
  • Mobile devices
  • Malware
  • State sponsored hacking
  • Phishing attacks
  • Ransomware
  • Medical devices

Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.

Implement SpamTitan to block emails from being delivered to employee’s inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.

It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.

To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.

Best Antivirus Software Solution for 2015 Awards Announced

What was the best antivirus software solution for 2015 for the enterprise?

Protecting against the ever increasing number of cyberthreats is a full time job. The attack surface is now broader than ever before and hackers are developing increasingly sophisticated methods of obtaining data. The measures that must now be implemented to keep cyberattackers at bay have also increased in diversity and complexity.

One of the core protections required by all organizations and individuals is an anti-virus software solution, and there is certainly no shortage of choice. But what was the best antivirus software solution for 2015?

The best AV software engines rated by AV-Comparatives

What AV engine detects and removes the most malware? What product offers the best real world protection? Which boasts the best file detection rates? These are all important considerations if you want to keep your organization protected. These and other factors were assessed over the course of the year by AV-comparatives.

AV-Comparatives is an independent testing lab based in Innsbruck, Austria. Each year the company publishes a report detailing the results of the AV tests the company conducted over the course of the year. The report is an excellent indicator of performance.

The company tested 21 of the top AV products on the market, subjecting each to a wide range of rigorous tests to determine the potential of each to protect users against malicious attacks.

The test results clearly show that not all antivirus products are the same. While all AV engines under test offered an acceptable level of performance, “acceptable” may not be good enough for enterprise installations.

The best antivirus software solution of 2015

AV-Comparatives rated performance and issued a number of awards to companies that excelled in specific areas of antivirus and antimalware protection. Gold, Silver and Bronze awards were awarded along with an overall best antivirus software solution for 2015 award.

Antivirus award categories:

  • Real-world detection
  • File detection
  • False positives
  • Overall performance
  • Proactive protection
  • Malware removal

Contenders for the ‘Best Antivirus Software Solution for 2015 Awards’

The antivirus products tested and considered for the awards were:

  • Avast Free Antivirus
  • AVG Internet Security
  • Avira Antivirus Pro
  • Baidu Antivirus
  • Bitdefender Internet Security
  • BullGuard Internet Security
  • Emsisoft Anti-Malware
  • eScan Internet Security Suite
  • ESET Smart Security
  • F-Secure Internet Security
  • Fortinet FortiClient (with FortiGate)
  • Kaspersky Internet Security
  • Lavasoft Ad-Aware Free Antivirus+
  • McAfee Internet Security
  • Microsoft Windows Defender for Windows 10
  • Panda Free Antivirus
  • Quick Heal Total Security
  • Sophos Endpoint Security and Control
  • Tencent PC Manager
  • ThreatTrack VIPRE Internet Security
  • Trend Micro Internet Security

The Best Antivirus Software Solution for 2015 Award

After assessing all categories of anti-virus protection there were two AV products that excelled in all categories and received an Advanced+ rating: Bitdefender and Kaspersky Lab, with Kaspersky Lab being named the best antivirus software solution for 2015. Kaspersky Lab is one of the two AV engines at the core of SpamTitan anti-spam solutions.

The Russian antivirus company also received a Gold Award for “Real-World” protection, file detection, and malware removal, as well as a Silver Award for proactive (Heuristic/Behavioral) protection, and a Bronze Award for overall low system impact performance.

This article is available in English.

Is Phishing Covered by Cyber Insurance?

The astronomical cost of remediation after a cyberattack prompts many companies to take out a cyber insurance policy, but what exactly do cyber insurance policies cover? Is phishing covered by cyber insurance for instance? How about accidental data exposure by employees? Fraudulent bank transfers? Before taking out a cyber insurance policy it is vital to check exactly what the policy covers. If you already have a policy, it might be a good idea to check that too before you need to make a claim.

Debate over whether phishing is covered by cyber insurance

In the United States, one company is currently embroiled in a dispute with their cyber insurer over whether phishing is covered by a cyber insurance policy taken out by the company to protect against computer fraud and cyberattacks.

Ameriforge Group Inc. took out cyber insurance with a subsidiary of Chubb Group. The policy, provided to AFGlobal Corp by Federal Insurance Co., was believed to cover computer fraud and funds transfer fraud. A claim was recently submitted to recover $480,000 after a member of staff from its accounting department fell for a spear phishing attack and made a $480,000 bank transfer to the account of the attacker. The insurance policy provided up to $3 million in cover, yet the claim was denied by the insurer on the grounds that the policy did not cover CEO fraud or business email compromise (BEC) as a result of phishing.

In order for the policy to pay out, a cybersecurity attack must involve the forgery of a financial instrument. That did not occur in this case. The insurer maintains that the scam email did not qualify as a financial instrument, and therefore the losses suffered cannot be claimed under the terms of the policy.

The business email compromise scam that the policy does not cover

The phishing scam in question is one that is being conducted with increasing frequency. The risk is so high that last year the FBI issued a warning about BEC attacks. These attacks are being conducted all too often on U.S. businesses.

In this case, the person to fall for the BEC phishing scam was AFGlobal Corp’s accounting director Glen Wurm. He received an email from his CEO requesting a bank transfer be made for $480,000. The email was written in a style which was typical of the communications sent from the CEO. This suggested the attacker was well aware of the relationship between the two individuals and had been monitoring email communications.

The phishing email is reported to have contained the following message:

business-email-compromise-phishing

The email was followed up with a phone call from a person claiming to be Steven Shapiro, after which, wiring instructions were sent to allow the transfer of funds to an Agricultural Bank of China account. The money was transferred as requested and it was only when a follow up email was received a week later requesting a further transfer of $18 million that suspicions were raised. Of course, by that point the transferred funds had been withdrawn and the account had been closed.

Chubb Group claims phishing not covered by cyber insurance policy

Chubb Group maintains that this cyberattack is not covered by the insurance policy issued, as the incident falls outside the forgery coverage provided. The claim refers to forgery by a third party and that the email was a financial instrument. The issue in this case is whether the phishing email qualifies as a financial instrument. Chubb’s legal team claims it doesn’t.

In order to be a financial instrument, Chubb says:

business-email-compromise-phishing-2

For the claim to be paid, the financial instrument must have involved a written promise, order or direction to pay that is ‘similar’ to a “check” or “draft”. As it stands, Ameriforge Group will be required to cover the cost.

This is not the first time that Chubb Group has refused to pay a fraud claim, and Chubb Group is certainly not the only insurance company to refuse to pay out after a phishing attack. Companies are therefore advised to check whether phishing is covered by a cyber insurance policy, and also to find out the specific criteria that must be met in order for a successful claim to be made. It may be a wise precaution to obtain additional cover if the terms of the policy do not allow phishing fraud claims to be made.

Dangerous New WhatsApp Scam Email Identified

If you receive an email alerting you to a new WhatsApp voicemail message that you have received, it could well be the latest WhatsApp scam email that is currently doing the rounds. This new scam is particularly nasty.

Malicious WhatsApp scam email discovered

The WhatsApp scam email is being used as part of an attack on businesses and consumers, and will result in Nivdort malware being loaded onto the device used to open the email.

Security researchers at Comodo discovered the WhatsApp scam email and have warned that the malware contained in the email attachment has been developed to affect users of Android phones and iPhones, as well as Mac and PC users.

The WhatsApp scam email looks like it has been sent by WhatsApp, although there are a number of tell-tale signs that the WhatsApp scam email is not legitimate. For a start, WhatsApp will not send messages to a user’s email account, but will only inform users of a missed call or voicemail message through the app itself. However, many of the 900 million users of the chat software program will not be aware of that.

The email contains the imagery typically associated with the Facebook-owned messaging platform, but a check of the sender’s address will reveal that this email has not been sent from WhatsApp. The email also contains a zipfile attachment. Opening the zip file will result in malware being installed onto the device used to open the attachment.

The attackers are sending out multiple variants of the email with different subject lines. Each subject line also contains a string of three, four, or five randomly generated characters after the message, such as “xgod” or “Ydkpda”.

The subject lines in some of the scam emails have been detailed below:

whatsapp-email-scam

If you receive any email from WhatsApp you should treat it as suspicious. You should never open any email attachment from any person you do not know, and must be particularly cautious with .zip files. If in doubt, delete the email and remove it from your deleted email folder.

Malware Delivered by the WhatsApp scam email campaign

Nivdort is a family of Trojans that collect data from the computers on which they are installed. In order to avoid being detected the malware is loaded into the Windows folder. The latest variant is loaded to multiple system folders and also the registry. Even if detected by anti-virus software it is possible that not all traces of the malware will be removed. The malware may still be able to receive commands and exfiltrate data from the infected device.

Bank Transfer Request Scam Artist Facing Up to 30 Years In Prison

It seems like almost every day that a new bank transfer email scam is launched, yet the perpetrators of these email scam campaigns appear to rarely be caught and punished for their offenses. However, one such scammer has now been arrested and made to stand trial for his alleged crimes against companies in Texas.

Amechi Colvis Amuegbunam, 28, a Nigerian national from Lagos, was arrested in Baltimore and has now been charged with defrauding 17 companies in North Texas and obtaining $600,000 via bank transfers.

Nigeria is famed for 419 email scams, otherwise known as advance fee scams. These spam email campaigns receive their name from the section of the Nigerian criminal code that the email scams violate. These bank transfer scams typically require the soon-to-be victim to make a transfer of a sum of money to cover fees or charges in order to receive a substantial inheritance. This type of email bank transfer request scam is not only conducted by criminal gangs operating out of Nigeria, although that is where a substantial number of the criminals are based.

Convincing bank transfer request scam used to defraud Texas companies of over $600,000

However, Amuegbunam obtained funds from Texan companies using a much more believable scenario; one that is being increasingly used by organized criminal gangs operating out of Africa, the Middle East, and eastern Europe.

The emails Amuegbunam sent appeared to have come from the email accounts of company executives, and had been forwarded on to members of staff who were authorized to make bank transfers on behalf of the company. By using the real names of top executives, accounts department employees were fooled into believing the transfer requests were legitimate. The companies being targeted had been researched, the correct email address format determined, the names of senior executives and management determined, and the names of the targeted accounts department employees discovered.

To make the bank transfer request scam more believable, Amuegbunam used a domain name that differed from the real company domain by two characters. By transposing just two characters, the email address appeared to be genuine at first glance, certainly enough to fool the victims.

The FBI started investigating the bank transfer request scam in 2013 after employees from two companies in North Texas were fooled into making large bank transfers. Amuegbunam used the domain lumniant.com instead of luminant.com to make an email appear to have come from within the company. The account executive who fell for the bank transfer request scam made a transfer of $98,550. The second company fell for the same scam and transferred $146,550.

Amuegbunam has now been charged with defrauding 17 Texas companies using the same method. If convicted of the crimes, he faces a fine of up to $1 million and a jail term of up to 30 years. He is just one individual however. Many more are operating similar scams.

It is therefore essential that members of the accounts department, and others who are authorized to make transfers on behalf of the company, are told how to identify a bank transfer request scam. They must also be instructed to carefully check domain names on any transfer requests and to specifically look for transposed letters.

IRS Tax Refund Spam Resurfaces in Time for Tax Season

In the United States, tax season starts on January 1 and Americans are required to complete their annual tax returns before the April 15 deadline. As is customary at this time of year, new IRS tax refund spam email campaigns have been launched by cybercriminals.

During the first quarter of the year employees must get their tax documents from their employers and collect and collate all paperwork relating to their earnings over the year. Many dread having to pay out thousands of dollars in tax, but for some there is some good news.

The IRS has been sending emails to millions of Americans telling them that their previous tax returns have been assessed and they are due for a tax refund. The notifications have arrived by email and details of the refund are contained in an email attachment. All the recipient needs to do is to open the attached file to find out how much money they are due to have refunded.

Unfortunately, the email notifications are bogus and have not been sent from the IRS. This is just the latest IRS tax refund spam campaign to be launched by cybercriminals. The email is anything but good news. The IRS tax refund spam email contains a zip file, but instead of details of a refund, the file contains a rather nasty selection of malware and ransomware. Worse still, the batch of malware is sophisticated and capable of evading detection. The malware remains resident in the memory of the device used to open the email attachment. The mail recipient is unlikely to discover their device has been infected until it is too late.

If anti-spam solutions have been installed the IRS tax refund spam emails should be caught and quarantined. Even if not, some users will have to try hard to infect their devices. If security software has been installed on the device, opening the attachment should result in warnings being issued. The user will need to ignore those warnings before proceeding. Many do just that. The attraction of a tax refund after overspending at Christmas is too difficult to resist.

For many users the latest strains of malware included in the zip file will not trigger AV engines and even some anti-malware software programs will not identify the files as being malicious. The threat to businesses is therefore serious. If the attachment is opened and run, the malware will be installed and granted the same network and device privileges as the user.

IRS tax refund spam contains CoreBot and the Kovter Trojan

Opening the email attachment will deliver the latest strain of the Kovter Trojan. Kovter is not installed on the computer’s hard drive as commonly occurs with malware. This makes it much more difficult to detect. Instead, malicious code is run with the malware residing in memory. Memory-resident malware does not tend to persist: once the infected computer is rebooted, the malware doesn’t reload. However, in the case of Kovter it does. Kovter is reloaded via the registry each and every time the computer is booted. Kovter is fileless malware that runs commands via PowerShell in a similar fashion to Poweliks. If a computer does not have PowerShell installed, the user is not protected. Kovter will just download it and install it on the device.

Kovter is not new of course. It was first identified two years ago, but it has since evolved to evade detection. In addition to being used to deliver ransomware, which locks the computer until a ransom is paid, it is also being used to perform click-fraud and generate revenue for the hackers via CPC campaigns.

Kovter is known to be used on an affiliate basis. Any individual who signs up is paid based on the number of devices they are able to infect. Cybercriminals have been spreading infections via a range of exploit kits such as Angler, Neutrino, and Fiesta. The IRS tax refund spam attack is a new way of getting the malware installed on devices.

The zip file also installs CoreBot, a particularly nasty malware that poses even bigger problems for businesses. If employees are fooled by the IRS tax refund spam and open the zip file, CoreBot can prove particularly problematic to detect, and can potentially cause a lot more damage. CoreBot is a modular malware that can have additional functions added by hackers as and when they desire. It has previously been used as a data stealer, although recently it has been used for man-in-the-middle attacks on financial applications and web services. The malware is capable of stealing banking credentials and login information. It can also be used to exploit new zero-day vulnerabilities.

IT security professionals should be wary and should warn their company’s employees of the tax refund spam, and instruct them not to open any zip file attachments, or any email attachments that have been sent from unknown senders. The IRS will not notify individuals of a tax refund in this manner. Any IRS email with a file attachment is likely to be spam and contain malware.

Domain Spoofing Whaling Attacks on the Rise

If you work in the accounting department of your company, you need to be more vigilant as cybercriminals are specifically targeting account department executives. Whaling attacks are on the increase and cybercriminals are using domain spoofing techniques to fool end users into making bank transfers from corporate accounts. Once money has been transferred into the account of the attacker, there is a strong probability that the funds will not be recoverable.

Whaling, as you may suspect, is a form of phishing. Rather than cybercriminals sending out large volumes of spam emails containing malware or links to malicious websites, individuals are targeted and few emails are sent. Cybercriminals are putting a lot of time and effort into researching their targets before launching their attack.

The aim is to gather intel on an individual that has the authorization to make bank transfers from company accounts. Individuals are usually identified and researched using social media websites such as Twitter, LinkedIn, and Facebook.

When individuals are identified and the name and email address of their boss, CFO, or CEO is discovered, they are sent an email requesting a bank transfer be made. The email is well written, there is a pressing need for the transfer to be made, and full details are provided in the email. They are also given a reasonable explanation as to why the transfer must be made. The email also comes from senior management.

In the majority of cases, the transfer request will not follow standard company procedures as these are not known by the attackers. However, since an email will appear to have been sent from a senior figure in the company, some account department employees will not question the request. They will do as instructed out of fear of the individual in question, or in an attempt to show willingness to do what is required of them by their superiors.

Unfortunately for IT security professionals, whaling emails are difficult to detect without an advanced spam filtering solution in place. No attachments are included in the email, there are no malicious links, just a set of instructions. The attack just uses social engineering techniques to fool end users into making the transfer.

What is Domain Spoofing?

The whaling attacks are often successful, as users are fooled by a technique called domain spoofing. Domain spoofing involves the creation of an email account using a domain that is very similar to that used by the company. Provided the attacker can get the correct format for the email, and has the name of a high-level account executive, at first glance the email address will appear to be correct.

However, closer inspection will reveal that one character in the domain name is different. Typically, an i will be replaced with an L or a 1, an o with a zero, or a Cyrillic character may be used which is automatically converted into a standard letter. If the recipient looks at the email address, they may not notice the small change.

To reduce the risk of accounts department employees falling for whaling attacks, anti-spam solutions should be implemented and configured to block emails from similar domains. Staff must also be told not to act on any transfer request that arrives via email without first double checking with the sender of the email that the request is genuine, and to always carefully check the email address of the sender of such a request.
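The check described here, and the transposed-letter trick used in the Amuegbunam bank transfer scam above (lumniant.com in place of luminant.com), can be automated on a mail gateway. The Python below is an added example, not code from this post or from SpamTitan: it folds the confusable characters the post mentions (i/l/1, o/0, Cyrillic lookalikes) and then measures edit distance, counting an adjacent transposition as a single edit. TRUSTED_DOMAINS, the homoglyph table and the sample From: headers are assumptions constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Assumed corporate domain list for this illustration (the post names luminant.com).
TRUSTED_DOMAINS = {"luminant.com"}

# Confusables the post describes (i -> l / 1, o -> 0) plus a few Cyrillic letters
# that render like Latin ones. Both sides of every comparison are folded through
# this table, so l/i/1 and o/0 compare as equal.
HOMOGLYPHS = {"l": "i", "1": "i", "0": "o", "\u0430": "a", "\u0435": "e",
              "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0456": "i"}

def fold(domain: str) -> str:
    """Lower-case, NFKC-normalise and map confusable characters to one canonical form."""
    return "".join(HOMOGLYPHS.get(ch, ch)
                   for ch in unicodedata.normalize("NFKC", domain).strip().lower())

def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: insert, delete, substitute and
    adjacent transposition cost 1 each, so lumniant vs luminant is distance 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, closest trusted domain, edit distance) for a From: header.
    trusted = exactly our domain; lookalike = within max_distance edits of our
    domain after folding (covers lumniant.com, lum1nant.com, Cyrillic lookalikes);
    unrelated = ordinary external mail."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not domain:
        return "unrelated", None, None
    if domain in trusted:
        return "trusted", domain, 0
    closest, dist = min(((t, osa_distance(fold(domain), fold(t))) for t in trusted),
                        key=lambda pair: pair[1])
    return ("lookalike" if dist <= max_distance else "unrelated"), closest, dist

# Constructed sample From: headers (not taken from real messages).
SAMPLE_HEADERS = [
    "CEO <ceo@luminant.com>",          # genuine
    "CEO <ceo@lumniant.com>",          # transposed letters, as in the post
    "CFO <cfo@lum1nant.com>",          # i replaced with 1
    "CFO <cfo@lumin\u0430nt.com>",     # Cyrillic a in place of Latin a
    "Vendor <billing@spamtitan.com>",  # unrelated third party
]

def scan(headers=SAMPLE_HEADERS):
    """Verdict for each header, in order; lookalikes are held for manual review."""
    return [classify_sender(h)[0] for h in headers]
```

A gateway rule would quarantine anything classified as lookalike rather than reject it, since a legitimately misspelled partner domain can land in the same bucket.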

New Lloyds Bank Phishing Scam Detected

A new Lloyds Bank phishing scam has been uncovered. The UK bank’s customers are being targeted just before Christmas with a highly realistic email, apparently sent from Lloyds Banking Group. Christmas is a time when people let their guard down. It’s busy at work, there is much to do, and minds are invariably on turkey, holidays, and rushing to get last minute preparations completed.

New Lloyds Bank phishing scam is highly realistic

The email contains the exact same font, logo, and styling that are used on the real online banking portal, making the campaign one of the most realistic online banking phishing scams we have seen.

The latest Lloyds Bank phishing scam is pure simplicity. It is brief and to the point, and has been designed to scare users into clicking on the link and signing into their account to check their bank balance.

All that the email says is “You have One New Message. Your account has been accessed in multiple locations. Click below to update your Lloyds Bank Account,” followed by a hyperlink using the anchor text “Sign In.” There are no spelling mistakes or grammatical errors to warn users that the email is anything but genuine.

In fact, even clicking the sign in link is unlikely to arouse suspicion. The link will direct the soon-to-be victim to a website containing an exact copy of the Lloyds Bank portal that customers will be very familiar with. All of the text is genuine, and the website features apparently clickable links in all the right places. It is an almost exact replica of the real site.

Only if a user decides to click on any of the links will they realize something is not quite right. The scammers have only taken an image of the real site. They have not made any of the links actually clickable.

But then again, after the recipient of the email has been sent a warning telling them their account is under threat, they are unlikely to suddenly decide to check the latest mortgage rates or take out a loan.

The only part of the website that works is the section where users are required to enter their user ID, password, and memorable word. Once the credentials have been entered, the victim will be redirected to Lloyds. That may arouse suspicion, since the login attempt will appear not to have worked, but the scammers hope that few will bother to change their password when they see that their account has not been compromised.

The scammers are likely to act quickly. Once they have a User ID, password, and memorable word, they have the basic information necessary to access the account. That information may be sufficient to gain access to the account and make a fraudulent transfer. If not, it will be used as the basis for a further spear phishing email to attempt to get the answer to a security question. If the victim fell for the first campaign, chances are they will fall for another.

There is only one other giveaway that this is a Lloyds Bank phishing scam. The URL is not lloydsbank.com.

The scam highlights the importance of checking the URL before entering any login credentials and checking to make sure the site address starts with https://. This site is clearly not genuine and has no green padlock, indicating something is amiss to anyone even casually checking the web address. However, not all online banking customers will do that when the website appears to look like the real deal.

McAfee SaaS Email Protection Products Dropped by Intel Security

Following the recent news that Intel Security will be discontinuing McAfee SaaS Email Protection products, SpamTitan is preparing for 2016 when business customers start looking for a new email security vendor to ensure continued protection.

McAfee SaaS Email Protection to Come to an End

Intel Security, the new company name for McAfee, has taken the decision to exit the email security business. The company will be dropping McAfee SaaS Email Protection products and will be concentrating on other areas of business.

From January 11, 2016, McAfee SaaS Email Protection and Archiving and McAfee SaaS Endpoint will stop being sold by Intel Security. The news is not expected to trigger a mass exodus in early 2016, as Intel Security has announced that it will continue to provide support for the products for a further 3 years. Support for both McAfee SaaS Email Protection and Archiving and SaaS Endpoint will stop after January 11, 2019. However, many customers are expected to make the switch to a new email security provider in the new year.

SpamTitan Technologies Anti-Spam Solutions

SpamTitan Technologies offers a range of cost effective business email security appliances which keep networks protected from malware, malicious software, and email spam. Users benefit from dual AV engines from Bitdefender and Clam Anti-Virus, offering excellent protection from email spam, phishing emails, and inbox-swamping bulk mail.

SpamTitan is a highly effective anti-spam solution that was first launched as an image solution. Following an agreement with VMware, SpamTitan was developed into a virtual appliance. The range of anti-spam products has since been developed to include SpamTitan OnDemand in 2011 and SpamTitan Cloud in 2013. In August 2015, SpamTitan blocked 2,341 billion emails and has helped keep business networks free from malware and viruses.

SpamTitan was the first Anti-Spam Appliance to be awarded with two Virus Bulletin VBSPAM+ awards and has also received 22 consecutive VBSpam Virus Bulletin certifications. Additionally, SpamTitan was awarded the Best Anti-Spam Solution prize at the Computing Security Awards in 2012.

Companies in over 100 countries around the world have chosen SpamTitan as their anti-email spam partner. The email security appliance stops 99.98% of email spam from being delivered.

WebTitan Web Filtering Solutions from SpamTitan Technologies

WebTitan Gateway offers small to medium businesses a cost effective method of blocking malware and malicious websites, with highly granular controls allowing individual, group, and organization-wide privileges to be set. Delivered as a software appliance that can be seamlessly integrated into existing networks, it is an essential tool to protect all business users and allow the Internet to be viewed securely.

WebTitan Cloud is a cloud-based web filtering solution requiring no software installations. Create your own web usage policies, block malware-infected websites and objectionable websites, and restrict Internet access to work-related content with ease. Benefit from a comprehensive set of reporting tools which allow the browsing activity of every end user in the organization to be easily monitored.

WebTitan Wi-Fi has been developed for Wi-Fi providers and MSPs to allow easy control of Internet access. WebTitan Wi-Fi allows users to easily block objectionable content and malicious websites, with controls able to be applied by location. The cloud solution requires no software installations. All that is required to start protecting your business is a simple DNS redirect to WebTitan cloud servers.

WebTitan web filtering solutions blocked 7,414 malware-infected webpages in August 2015, and have helped keep businesses better protected from malicious website content, phishing campaigns, and drive-by malware downloads.