Blog
by titanadmin | Jan 31, 2023 | Phishing & Email Spam |
Phishers are constantly coming up with new ways to evade security solutions, steal credentials, and distribute malware. In January, two new tactics were observed in separate phishing campaigns, one hides malicious URLs from security solutions in a credential-stealing campaign, and the other uses OneNote attachments for distributing malware.
Blank Image Phishing Attacks
The blank image phishing attack involves hiding a Scalable Vector Graphics (SVG) image file within an HTML document sent via email. In this campaign, the email claims to include a DocuSign document, which office workers are likely to be familiar with. The email claims the document includes remittance advice. The user is required to click to view the document and will be directed to the legitimate DocuSign webpage if they do.
However, the attack starts when the user clicks to view the HTML document. The document contains a Base64 blank image file, which has embedded JavaScript that will redirect the victim to a malicious URL. The image itself contains no graphics, so does not render anything on the screen. It is just used as a placeholder for the malicious script. The URL that the user is directed to will prompt them to enter sensitive information. A similar technique using SVG files has previously been used to distribute QBot malware. Many email security solutions ignore HTML files, which increases the chance of the malicious email landing in inboxes. Security teams should consider blocking or quarantining HTML emails to protect against these types of attacks.
OneNote Attachments Used to Distribute Malware
Another campaign has been detected that uses OneNote attachments in phishing emails for distributing remote access malware, which can provide initial access to a victim’s system allowing further malicious payloads to be delivered, such as information stealers and ransomware. For many years, Office documents were the preferred attachment for distributing malware. These files can include macros that download a malicious payload, but Microsoft now blocks macros by default in Office files delivered via the internet, which has forced hackers to look for new ways to distribute their malware.
One new tactic is the use of OneNote attachments. OneNote is installed by default with Microsoft Office and Microsoft 365, which means OneNote files can be opened on most devices even if the user does not use the OneNote application. The lures used in these emails vary, although some of the intercepted emails claimed to be shipping notifications, with the details of the shipment included in the OneNote file.
OneNote files cannot contain macros, but it is possible to insert VBS attachments into a NoteBook. When opening the file, the user is told they must double-click to view the file. Doing so will launch the VBS script, which will download and install malware from a remote site. If the user does click, they will be warned that opening attachments can harm their computer. If that warning is ignored and the user chooses to open the attachment, the script will download a decoy OneNote file – a genuine file – so the user is unlikely to realize that anything untoward has happened, but the script will execute a batch file in the background and will install the second downloaded file, which is malware.
How to Defend Against Phishing Attacks
Cybercriminals are constantly developing new methods for distributing malware and stealing credentials, and phishing is the most common way to do this. Defending against these attacks requires a defense-in-depth approach, involving multiple overlapping layers of protection. If anyone measure fails to detect a threat, others are in place to detect and block the threat.
In addition to a secure email gateway or spam filter, businesses should consider a web filter for blocking the web-based component of the attack, multifactor authentication for all accounts, antivirus software/endpoint security solutions, and security awareness training for employees to help them identify and avoid phishing threats. For assistance improving your defenses against phishing, contact TitanHQ.
by titanadmin | Jan 30, 2023 | Phishing & Email Spam |
Toward the end of 2022, a new AI-based chatbot was made available to the public which has proven popular for creating written content. Concern is now growing about the potential for the tool to be used by cybercriminals for creating new phishing lures and for rapidly coding new malware.
ChatGPT was developed by OpenAI and was released on 30 November 2022 to the public as part of the testing process. Just a few days after its release, the chatbot had reached a million users, who were using the tool to write emails, articles, essays, wedding speeches, poems, songs, and all manner of written content. The chatbot is based on the GPT-3 natural language model and can create human-like written content. The language model was trained using a massive dataset of written content from the Internet and can generate content in response to questions or prompts that users enter into the web-based interface.
While articles written using the chatbot would be unlikely to win any awards, the content is grammatically correct, contains no spelling mistakes, and in many cases is far better than you could expect from an average high school student. One of the problems is that while the content may superficially appear to be correct, it is biased by the data it was trained on and may include errors. That said, the generated content is reasonable and sufficiently accurate to pass the Bar exam for U.S. lawyers and the US Medical Licensing exam, although only just. It is no surprise that many school districts have already implemented bans on students using ChatGPT.
To get ChatGPT to generate content, you just need to tell it what you want to create. It is no surprise that it has proven to be so popular, considering it is capable of writing content better than many humans could. While there are many benefits from using AI for chatbots that can create human-like text, there is growing concern that these natural language AI tools could be used for malicious purposes, such as creating social engineering scams and phishing and business email compromise attacks.
The potential for misuse has prompted many security researchers to put ChatGPT to the test, to see whether it is capable of generating malicious emails. The developer has put certain controls in place to prevent misuse, but those controls can be bypassed. For instance, asking ChatGPT to write a phishing email will generate a message saying the request violates the terms and conditions, but by experimenting with the queries it is possible to get the chatbot to generate the required content.
Further, it is possible to write a phishing email and spin up many different combinations that are all unique, grammatically correct, and free from spelling errors. The text is human-like, and far better than many of the phishing emails that are used in real phishing campaigns. The rapid generation of content has allowed security researchers to spin up an entire email chain for a convincing spear phishing attack. It has also been demonstrated that the technology can be rapidly trained to mimic a specific style of writing, highlighting the potential for use in convincing BEC attacks. These tests were conducted by WithSecure prior to public release and before additional controls were implemented to prevent misuse, but they continued their research after restrictions were added to the tool, clearly demonstrating the potential for misuse.
The potential for misuse does not stop there. The technology underlying the chatbot can also be used to generate code and researchers have demonstrated ChatGPT and its underlying codex technology are capable of generating functional malware. Researchers at CyberArk were able to bypass the restrictions and generate a new strand of polymorphic malware, then were able to rapidly generate many different unique variations of the code. Researchers at Check Point similarly generated malicious code, in fact, they generated the full infection process from spear phishing email to malicious Excel document for downloading a payload, and the malicious payload itself – a reverse shell.
At present, it is only possible to generate working malicious code with good textual prompts, which requires a certain level of knowledge, but even in its current form, the technology could help to rapidly accelerate malware coding and improve the quality of phishing emails. There are already signs that the tool is already being misused, with posts on hacking forums including samples of malware allegedly written using the technology, such as a new information stealer and an encryptor for ransomware.
With malicious emails likely to be generated using these tools, and the potential for new malware to be rapidly coded and released, it has never been more important to ensure that email security defenses are up to scratch. Email security solutions should be put in place that are capable of detecting computer-generated malware. SpamTitan includes signature-based detection mechanisms for identifying known malware along with email sandboxing. The sandbox is an isolated and secure testing environment where suspicious email attachments are subjected to behavioral analysis. The next-gen sandbox means SpamTitan can detect zero-day malware variants that would otherwise not be detected since their signatures have yet to be added to the blocklists. SpamTitan also uses machine learning mechanisms for detecting zero-day phishing threats, based on deviations from the standard messages received by companies.
TitanHQ also recommends implementing multifactor authentication, web filtering for blocking access to malicious websites, and security awareness training for employees. The quality of phishing emails may get better, but there will still be red flags that employees can be trained to recognize.
by titanadmin | Jan 24, 2023 | Phishing & Email Spam, Spam News |
This month has seen an increase in phishing campaigns targeting professionals purporting to be messages from Human Resources advising them about salary increases, promotions, updates to policies and procedures, and other annual updates. The start of the year typically sees the HR department issue updates to employees, including notifications about changes to employee benefits, proposed pay rises, and annual updates to policies and procedures. It is therefore no surprise that cybercriminals are taking advantage of the increase in HR communications and have adopted lures related to these start-of-year messages. Several campaigns have been detected this month that have targeted employees and used HR-related lures.
The emails have realistic subject lines, appear to have been sent internally, and have lures that are likely to prompt a quick response. Messages about changes to employee benefits, pay rises, and promotions are likely to be opened by employees quickly without thinking, as are other notifications from the HR department such as updates to internal policies. Phishing simulation data shows that these types of emails have some of the highest click rates.
These emails include a combination of attachments and hyperlinks. One campaign claimed to include important information about a new benefits package and required employees to open an attached .shtml file. The email claimed employees needed to review and digitally sign the document to acknowledge receipt. In this case, opening the attached file would load a local copy of a phishing page, which generated a fake Microsoft 365 login prompt in the user’s browser. The user’s email address is populated as the username, and they are required to enter their password. The user is told that their password must be entered as they are accessing sensitive internal information.
These phishing emails may be sent from external email addresses and spoof the HR department, but internal email accounts compromised in previous phishing attacks are often used, adding to the realism of the campaign and making it harder for email security solutions to detect the emails as malicious. It is common for these campaigns to include malicious hyperlinks rather than attachments, where the user is directed to a phishing page that mimics the domain of the organization or a well-known, unrelated company. In one campaign, a healthcare organization was impersonated in an email purporting to provide details of updated medical benefits for employees. One campaign involved notifications about changes to the employee security awareness training program for the new year.
Phishing is one of the most common tactics used by cybercriminals to gain initial access to business networks. The campaigns are easy to conduct, requiring little effort by the attackers, and they are often effective. Simply opening a malicious attachment and enabling the content to view the document is all that is needed to install malware, and if a user can be convinced to disclose their Microsoft credentials, the attacker can gain access to all associated Microsoft applications, including Email, OneDrive, Teams, and SharePoint, giving them the foothold they need for conducting a more extensive attack and access to a considerable amount of sensitive company data.
Cybercriminals mimic the types of emails that employees are likely to receive at different times of the year. Over the next few weeks, it is likely that there will be an increase in phishing campaigns targeting tax professionals, and phishing campaigns targeting individuals that use tax-related lures, such as notifications about tax returns, tax rebates, and unpaid tax as tax season gets into full swing.
Businesses need to take steps to block these attacks. While antivirus software and a spam filter were once effective and could block the vast majority of email-based attacks, phishing is becoming increasingly sophisticated and the speed at which new, previously unseen malware variants can be created and released means these defenses are no longer as effective as they used to be.
To block more phishing attempts, businesses need to adopt a defense in-depth approach. In addition to antivirus/endpoint detection software and an advanced spam filter, they should consider adding a web filter to block access to the web-based component of phishing attacks and block malware downloads from the Internet. Multi-factor authentication should be implemented for accounts, although phishing kits are now being used that can bypass MFA. While any form of MFA is better than nothing, phishing-resistance MFA is ideal and should be implemented, which is based on FIDO standards and provides a much greater level of protection.
While it is the responsibility of organizations to block malicious emails and prevent them from reaching employees, it is inevitable that some will be delivered. It is therefore important to also provide security awareness training to employees to train them how to identify and avoid phishing attempts. Security awareness training combined with phishing simulations, such as those provided by TitanHQ through the SafeTitan platform, are proven to reduce susceptibility to phishing attacks.
by titanadmin | Dec 29, 2022 | Spam Advice |
Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). PHI is individually identifiable information that relates to the past, present, or future health of an individual or payment for healthcare. The security safeguards are detailed in the HIPAA Security Rule and compliance is enforced by the Department of Health and Human Services’ Office for Civil Rights and state Attorneys General. When there is a data breach involving PHI, OCR investigates. Investigations are also commonly conducted by state attorneys general to determine if a data breach was the result of a failure to comply with HIPAA.
OCR and state attorneys general understand that it is not always possible to prevent data breaches. Many data breaches are reported each year that are investigated, and the cases are closed because the covered entities have implemented appropriate security measures, only for them to be bypassed. However, when insufficient measures are put in place to safeguard PHI, financial penalties are typically imposed.
The HIPAA Security Rule does not provide a list of security measures that must be implemented to block phishing attacks, as HIPAA was developed to be flexible. HIPAA-covered entities should conduct a risk analysis and reduce risks to a low and acceptable level using a range of measures and by adopting recognized security practices. HIPAA specifies access controls as a security safeguard, which involves the use of strong passwords and ideally multifactor authentication. HIPAA-covered entities must also stay abreast of recently disclosed vulnerabilities and make sure that patches are applied and software is updated to the latest version. The HIPAA Security Rule also calls for security awareness training to be provided to the workforce, and while the frequency of training is not specified, OCR has explained in its cybersecurity newsletters that the program should cover new and current threats and that the training program should be continuous, rather than providing a once-a-year training session.
Recently, Avalon Healthcare, a provider of skilled nursing and assisted living facilities, discovered that the failure to implement appropriate defenses to block phishing attacks is grounds for a financial penalty for non-compliance with the HIPAA Security Rule. After being notified by Avalon Healthcare that email accounts containing the PHI of 14,500 individuals had been accessed by unauthorized individuals, the Oregon and Utah Attorneys General launched an investigation to determine whether non-compliance with the requirements of HIPAA was a factor. The investigation was triggered by a very late breach report, which was 10 months after the phishing attack was detected when data breaches must be reported within 60 days. In addition to determining that the delay violated HIPAA and state laws, the investigation revealed a lack of security safeguards for combatting phishing.
Avalon Healthcare chose to settle the case and paid a $200,000 financial penalty and agreed to adopt a comprehensive information security program that includes email filtering and training for all members of the workforce on phishing and social engineering identification and avoidance, including conducting phishing simulations on the workforce. Had a comprehensive training program been in place, it is possible that the phishing attack would have been detected and avoided.
TitanHQ understands the importance of providing training to the workforce which is why a security awareness training solution has been added to the product portfolio. SafeTitan is a comprehensive training solution for businesses of all sizes that covers all aspects of security, including training employees to recognize phishing, social engineering, and other cyber threats. The platform also includes a phishing simulator for creating and automating phishing simulations on the workforce. SafeTitan security awareness training and phishing simulations have been shown to reduce the susceptibility of the workforce to phishing attacks by up to 80%, and will help to ensure that HIPAA-regulated entities comply with the security awareness training requirements of the HIPAA Security Rule.
If you do not currently provide ongoing security awareness training to your workforce, contact TitanHQ to find out more about the difference this will make to your security posture and how easy it is to provide training through the SafeTitan platform. Like all TitanHQ cybersecurity solutions, SafeTitan is available on a free trial to allow businesses to see for themselves how easy the platform is to use.
by titanadmin | Dec 28, 2022 | Email Scams, Phishing & Email Spam |
Cybercriminals are constantly coming up with new tactics for stealing credentials and other sensitive information. Phishing is one of the main ways that this is achieved, but most businesses have spam filters that block these malicious messages. If a phishing email is developed that can bypass email security measures and land in the inboxes of a business, there is a good chance that the emails will be clicked and at least some accounts can be compromised.
Spam filters such as SpamTitan incorporate a range of advanced measures for detecting phishing emails, including reputation checks of IP addresses, analyses of the message headers and bodies, and machine learning algorithms determine the probability that an email is malicious. Dual anti-virus engines are used for detecting known malware, and the next-gen email sandbox is used to detect zero-day malware threats by analyzing how files behave when opened, and hyperlinks in emails are scanned and followed to determine if they are malicious.
To bypass email security solutions, threat actors may link a legitimate website in an email, such as providing a URL for SharePoint, Google Drive, Dropbox, or another legitimate platform. These URLs are more difficult to identify as malicious as these websites pass reputation checks. Malicious URLs on these platforms are often reported and are then blocked by email security solutions, but the URLs often change and are never used for long.
A campaign has recently been detected that uses this tactic and attempts to direct users to the genuine Facebook.com site, with the phishing emails containing a link to a Facebook post. The phishing email comes from a legitimate-looking domain – officesupportonline.com – and warns the user that some of the features of their Facebook account have been deactivated due to copyright-infringing material. Like many phishing emails, the user is told they must take urgent action to prevent the deletion of their account. In this case, they are threatened with the deletion of their account if there is no response within 48 hours.
A link is supplied to a post on Facebook.com that the user is required to click to appeal the decision. The post masquerades as a Facebook.com support page from Facebook Page Support, which provides a link to an external webpage that the user is required to click to “Appeal a Page Copyright Violation”. The URL includes the name of Facebook’s parent company, Meta, although the domain is actually meta.forbusinessuser.xyz – A domain that is not owned by Meta or Facebook. URL shortening services are used in these campaigns to hide the true URL.
If the user clicks the link they will be directed to a page that closely resembles the genuine Facebook copyright appeal page. In order to appeal the decision, the user must complete a form that asks for their full name, email address, phone number, and Facebook username. If that information is submitted through the form, geolocation information is also collected along with the user’s IP address, and the information is sent to the scammer’s Telegram account.
The next stage of the scam sees the user redirected to another page where they are asked to provide a 6-digit one-time password, which they are told is required when a user attempts to sign into their account from a new device or browser. This is a fake 2-factor authentication box, and if the user enters any 6-digit code it will produce an error, but the code entered will be captured by the attacker. The user will be directed to the genuine Facebook site if they click the “need another way to authenticate?” option on the page.
Campaigns such as this highlight the importance of layered defenses. Spam filters are effective at blocking the majority of spam and phishing emails, but some messages will bypass spam filters and will be delivered to inboxes. One of the best ways to augment your phishing defenses is to provide security awareness training to your workforce, and this is key to combatting new phishing tactics such as this Facebook phishing scam.
Employees should be taught how to identify phishing attempts and what to do if a potentially malicious email is received. In addition to providing training, phishing simulations should be conducted on the workforce to give employees practice at identifying phishing threats while they are completing their usual work duties. If a simulation fails, the employee can be told what went wrong and how they could identify similar threats in the future.
TitanHQ offers businesses a comprehensive security awareness training and phishing simulation platform called SafeTitan. The platform includes an extensive range of training content on all aspects of security, and a phishing simulation platform with hundreds of phishing templates taken from real-world phishing attacks. SafeTitan automates the provision of training and is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to security mistakes by employees, ensuring training is provided at the time when it is likely to be most effective at changing employee behavior.
