With the number of cyber threats increasing, it has never been more important for business leaders to ensure their networks and systems are well defended. Throughout the pandemic, companies have been reporting data breaches at an alarming rate, with many of those cyberattacks having a devastating impact on victims.
Look no further than the ransomware attacks on the Irish Department of Health and the Health Service Executive in May 2021. Those attacks saw highly sensitive data stolen, files encrypted, and doctors and nurses were prevented from accessing patient records. The attacks resulted in almost all systems being taken offline, all core services were affected, and many outpatient services had to be canceled. The effects of the cyberattacks were still being felt several months later.
In light of the increased threat of attack and the seriousness of the consequences should an attack succeed, Think Business, Ireland has raised awareness to the importance of improving cybersecurity defenses. To help Irish businesses find the cybersecurity solutions they need, Think Business, Ireland has recently compiled a list of the top 26 Irish-owned businesses that are leading the charge in the fight against cybercrime.
Ireland punches well above its weight when it comes to cybersecurity. Ireland is a top investment location for global cybersecurity players, but there are many homegrown Irish companies that provide truly world-class cybersecurity solutions on the global stage, including software-as-a-service offerings and cloud-based security solutions.
One of those companies is Salthill, Galway-based TitanHQ, which has been included in the list of the country’s top cybersecurity firms. TitanHQ has been in business for 25 years and has won multiple awards for its email security, web filtering, and email archiving solutions and the company has been enjoying impressive growth at a time when many businesses were under incredible strain due to the COVID-19 pandemic.
The company has ambitious growth plans and has been heavily investing in product development and people, with that investment expected to significantly improve on the 12,000 businesses and 2,500 managed service providers that rely on its solutions to keep cyber threats at bay.
Helped by significant investment from Livingbridge investor group, the company’s growth has been turbocharged. Over the past 18 months, TitanHQ has more than doubled its workforce, which now consists of a rock-solid team of 90+ people. The company has certainly earned its place in Think Business, Ireland’s list of the top 26 Irish cybersecurity companies to watch out for.
“We are delighted to be listed next to some of the biggest names in the Irish Cybersecurity space. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said TitanHQ CEO, Ronan Kavanah.
Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.
Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.
Phishing involves sending emails that try to trick the recipients into taking a specific action, which could be to send sensitive data via email, open an infected email attachment, or click a link to a malicious website.
Phishing campaigns require little effort or skill to conduct. Lists of email addresses can easily be purchased on hacking forums or can be scraped from websites using widely available programs. Malware does not need to be developed, as this can be purchased through many malware-as-a-service operations. Phishing campaigns that direct individuals to a malicious website where credentials are harvested require those websites to be set up to trick users and capture credentials, but even that process is made simple with phishing kits.
Phishing kits can easily be purchased on hacking forums. These kits contain files that can be uploaded to compromised or owned websites that will collect and transmit credentials when they are entered. Phishing kits are usually sold on hacking forums for a one-time payment and typically contain everything required to start conducting phishing campaigns, including scripts, HTML pages, images, and often phishing email templates. Phishing kits allow individuals without much knowledge of how to conduct a phishing campaign to easily start running their own campaigns.
New Phishing Kit Being Used in Extensive Series of Phishing Campaigns
There are many phishing kits currently available on hacking forums, but a new one has recently been discovered that appears to have been developed using at least six other phishing kits. The new phishing kit, which Microsoft calls TodayZoo, combines the best features of other available phishing kits and is believed to have been developed by an individual who has decided to get into the phishing kit market by plagiarizing others.
The TodayZoo kit has been active since at least December 2020 and is known to have been used in an extensive series of phishing campaigns to steal Microsoft 365 credentials. The TodayZoo phishing campaigns detected so far impersonate Microsoft, with the emails using lures such as password resets, and fake notifications about faxes and shared scanned documents.
The messages direct the recipients to a webpage hosting the phishing kit that similarly impersonates Microsoft, with victims told they must log in with their Microsoft 365 credentials to either reset their password or view the fake faxes or documents. If credentials are entered, the phishing kit captures the information and transmits it to the person running the campaign.
A large part of the TodayZoo phishing kit has been taken from the DanceVida kit, with Microsoft’s analysis revealing it also includes code from the Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo phishing kits.
So not only are phishing kits purchased for conducting campaigns, but those also kits themselves can be copied and customized and used by individuals to launch their own phishing-as-a-service operations.
Phishing Prevention Requires a Defense in Depth Approach
Phishing kits lower the bar for conducting phishing campaigns, and along with malware-as-a-service and ransomware-as-a-service offerings, allow low-level threat actors to start conducting their own campaigns with ease. These services are fueling the increase in cyberattacks on businesses. Fortunately, there are low-cost cybersecurity solutions that businesses can use to block these phishing and malware campaigns.
Unfortunately, there is no silver bullet. It is no longer sufficient given the level of the threat to rely on one method of blocking attacks. A defense-in-depth approach is required, which means implementing multiple layers of protection. If one of those layers fails to block a threat, others are there to provide protection.
Phishing protection should start with a spam filter. Spam filters conduct a range of checks on all incoming emails and will block more than 99% of spam and phishing emails. TitanHQ’s email security solution, SpamTitan, has been independently tested and shown to block in excess of 99.9% of spam and phishing emails. SpamTitan also includes dual anti-virus engines to detect malicious attachments, and a sandbox to subject attachments that pass AV controls to an in-depth analysis. SpamTitan uses blacklists of malicious IP addresses, performs a range of checks on the message body and headers, and incorporates machine learning technology to detect messages that deviate from standard messages ensuring the spam filter improves over time.
A web filter is another important security measure that should be included in a defense-in-depth strategy to block phishing and malware attacks. A web filter works in tandem with a spam filter but blocks the web component of the attacks. When a user clicks a link in an email that directs them to a phishing website, that attempt is blocked. A web filter also allows users to block certain file downloads from the Internet, such as those commonly associated with malware.
Antivirus software should be installed on all endpoints as additional protection against malicious file downloads, and security awareness training should be regularly provided to the workforce. In the event of credentials being obtained in a phishing attack, multifactor authentication can prevent those credentials from being used to gain access to accounts. With these measures in place, businesses will be well protected.
For further information on spam filtering, web filtering, and to find out more about SpamTitan and WebTitan, give the TitanHQ team a call today. Both solutions are available on a 100% free trial to allow you to evaluate the products in your own environment to see how effective they are and how easy they are to use before committing to a purchase.
A new malware variant dubbed Squirrelwaffle has been identified which is being distributed via spam emails. Squirrelwaffle was first identified in September 2021, with the number of spam emails distributing the malware increasing throughout the month and peaking at the end of September.
The takedown of the Emotet botnet in January 2021 left a gap in the malware-as-a-service market, and several new malware variants have since emerged to fill that gap. Emotet was a banking Trojan that was used to distribute other malware variants to Emotet-infected machines, with Squirrelwaffle having similar capabilities. Squirrelwaffle allows the threat group to gain a foothold in compromised devices and networks, which allows other malware variants to be delivered.
Investigations of the malspam campaign have revealed it is currently being used to distribute Qakbot and Cobalt Strike, although the malware could be used to download any malware variant. The spam emails that deliver Squirrelwaffle include a hyperlink to a malicious website which is used to deliver a .zip file that contains either a .doc or .xls file. The Office files have a malicious script that will deliver the Squirrelwaffle payload.
The Word documents use the DocuSign signing platform to lure users to activate macros, claiming the document was created using a previous version of Microsoft Office Word which requires the user to “enable editing” then click “enable content” to view the contents of the file. Doing so will execute code that will deliver and execute a Visual Basic script, which retrieves the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL which is then executed when downloaded and will silently download Qakbot or Cobalt Strike, which both provide persistent access to compromised devices.
As was the case with the Emotet Trojan, Squirrelwaffle can hijack message threads and send malspam emails from infected devices. Since replies to genuine messages are sent from a legitimate email account, a response to the message is more likely. This tactic proved to be highly effective at distributing the Emotet Trojan. The campaign is mostly conducted in English, although security researchers have identified emails in other languages including French, German, Dutch, and Polish.
The similarities with Emotet could indicate some individuals involved in that operation are attempting a return after the law enforcement takedown, although it could simply be an attempt by unrelated threat actors to fill the gap left by Emotet. Currently, the malware is not being distributed in anywhere near the volume of Emotet but it is still early days. Squirrelwaffle may turn out to be the malware distribution vehicle of choice in the weeks and months to come.
To counter the threat, it is vital for email security measures to be implemented to block the malspam at source and ensure the malicious messages are not delivered to inboxes. Since message threads are hijacked, a spam filtering solution that also scans outbound emails– SpamTitan for example – should be used. Outbound scanning will help to identify compromised devices and prevent attacks on other individuals in the organization and address book contacts. SpamTitan also incorporates sandboxing, which works in conjunction with antivirus engines. Suspicious attachments that bypass the AV engines are sent to the email sandbox for in-depth analysis.
As part of a defense-in-depth strategy, other measures should also be deployed. A web filter is a useful tool for blocking C2 communications, endpoint security solutions will help to protect against Squirrelwaffle downloads, and regular security awareness training for the workforce is recommended to teach cybersecurity best practices and train employees how to identify malicious emails. Employees should be told to never click links or open attachments in unsolicited emails or messages and to be wary of messages from unknown accounts. It is also important to explain that some malware variants can hijack message threads, so malicious emails may come from colleagues and other address book contacts.
The threat group known as TA505 (aka Hive0065) is known for conducting large-scale phishing campaigns but has not been active since 2020. Now phishing campaigns have been detected that indicate the threat group is conducting attacks once again, with the first mass-phishing campaigns by the group detected in September 2021.
The initial campaigns were small and consisted of a few thousand phishing emails, but as the month progressed larger and larger campaigns were conducted, with phishing campaigns conducted by the group now consisting of tens of thousands of messages. The geographic range has also been increased beyond North American where the gang was initially concentrating its attacks.
Social engineering techniques are used to convince victims to open email attachments or visit links and view shared files, with a variety of lures used by the gang in its phishing attacks. Emails intercepted from the latest campaigns claim to provide insurance claims paperwork, situation reports, media release requests, health claims, and legal requests. Many of the campaigns so far have targeted employees in financial services.
One of the hallmarks of the group is using Excel file attachments in emails that contain malicious macros which deliver a Remote Access Trojan (RAT), the downloading and execution of which gives the group control over victims’ devices. The group is also known to use HTML files that link to malicious websites where the malicious Excel files are downloaded.
While the attacks often start with a file attachment, later in the attack process a Google feedproxy URL is used with a SharePoint and OneDrive lure that appears to be a file share request, which delivers the weaponized Excel file.
The initial infection stage involves the downloading of a Microsoft installer package, which delivers either a KiXtart or REBOL malware loader, which pulls a different MSI package from the C2 server, which then installs and executes the malware. TA505 is known to use the FlawedGrace RAT, which first appeared in 2017, and the latest campaign delivers a new variant of this malware using a malware loader dubbed MirrorBlast. According to an analysis of MirrorBlast by Morphisec labs, the malware will only run in 32-bit versions of Microsoft Office as there are compatibility issues with ActiveX objects.
Macros are disabled by default in Microsoft Excel as a security measure, so social engineering techniques are used in the attacks to convince victims to enable macros. Macros are more commonly used in Excel files than Word files, and end users may not be as suspicious of Excel macros as Word macros.
Email security solutions are capable of detecting files containing malicious Excel macros, especially email security solutions with sandboxing. In an attempt to bypass those measures and ensure the emails are delivered, TA505 uses lightweight, legacy Excel 4.0 XLM macros rather than the newer VBA macros, which has seen many of the messages bypass email security gateways.SpamTitan incorporates a next-gen Bitdefender-powered email sandbox where suspicious attachments are sent for in-depth analysis, which allows Office files with malicious macros to be detected and blocked.
TA505 is a highly creative threat group that regularly changes its attack techniques to achieve its goals, with the gang known to have conducted campaigns to deliver the Dridex banking Trojan, Locky and Jaff ransomware, and the Trick banking Trojan.
The group is known for conducting high-volume phishing campaigns that have targeted a range of different industry sectors and geographical areas.
TA505’s tactics, techniques, and procedures are expected to continue to evolve so it is vital for organizations to ensure email security defenses are implemented to block the emails. Security awareness training should also be provided to the workforce and employees should be made aware of the latest tricks and tactics used by the gang, including raising awareness of the use of Excel files with macros in phishing emails.
Expert Insights has announced its Fall 2021 Best-of Cybersecurity Awards and each of TitanHQ’s products was ranked No1 in their respective categories. This is the second successive year where TitanHQ has had a clean sweep and topped the list for Best Email Security Gateway, Best Web Security Solution, and Best Email Archiving Solution for Business. In addition, SpamTitan ranked top in the Best Email Security Solution for Office 365 category.
Expert Insights is a recognized online cybersecurity publication and industry analyst, that has technical and editorial teams in both the United States and United Kingdom. The publication covers cybersecurity and cloud-based technologies, and its website is used by more than 80,000 business owners, IT admins, and others each month to research B2B solutions. Expert Insights produces editorial buyers’ guides, blog posts, conducts interviews, and publishes industry analyses and technical product reviews from industry experts.
The annual awards are intended to recognize the leading cybersecurity companies and their products, with the winners selected based on industry recognition, customer feedback, and research conducted by its editorial team and independent technical analysts.
SpamTitan Email Security and WebTitan Web Security were both recognized for their powerful threat protection, and along with ArcTitan Email Archiving, were praised for ease-of-use, cost-effectiveness, and industry-leading technical and customer support.
“TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said Ronan Kavanagh, TitanHQ CEO.
The advanced threat protection, ease-of-use, and cost-effectiveness of the solutions are part of the reason why TitanHQ is the leading provider of cloud-based security solutions for managed service providers serving the SMB market. These factors have helped to make the solutions the gold standard for SMBs looking to improve security and ensure compliance.
The healthcare industry has long been targeted by cybercriminals looking to gain access to sensitive patient data, which is easy to sell on the black market to fraudsters such as identity thieves. In recent years hackers have turned to ransomware. They gain access to healthcare networks and encrypt data to prevent patient information being accessed and issue a ransom demand to the keys to decrypt files. Since the start of 2020, these two goals have been combined. Hackers have been gaining access to healthcare networks, then exfiltrate data prior to deploying ransomware. If the ransom is not paid, the data is leaked online or sold on. Patient data may even be sold even if the ransom is paid.
Both of these attack types can be achieved using phishing. Phishing allows threat actors to steal credentials and raid email accounts and use the credentials for more extensive attacks on the organization. Phishing emails can also trick healthcare employees into downloading malware that gives attackers persistent access to the network.
Protecting against phishing attacks is one of the most important ways to prevent data breaches and stop ransomware attacks, but there is no single measure that can be implemented that will provide total protection. Here we explain 5 steps that healthcare organizations should take to protect against healthcare phishing attacks. These include measures required by the HIPAA Security Rule so can help to ensure you achieve and maintain compliance.
5 Measures to Protect Against Healthcare Phishing Attacks
Each of the measures we have listed below is important and will work with the others to significantly improve your security posture; however, the first measure is the most important of all as it will stop the majority of phishing emails from being delivered to employee inboxes.
Spam Filtering
To achieve Security Rule compliance, HIPAA regulated entities must implement technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. A ant-spam service is one of the most important technical safeguards to protect against email-based attacks such as phishing. Spam filters will generally block in excess of 99% of spam and phishing emails and 100% of known malware.
Any inbound email must pass through the spam filter where it will be subjected to a variety of checks. These include antivirus scanning to block malware, checks against blacklists of known malicious IP and email addresses, and frameworks such as SPF, DKIM, and DMARC to identify and block email impersonation attacks. Advanced spam filters such as SpamTitan include additional malware protection through the use of a sandbox. Email attachments are executed in this safe environment and are checked for potentially malicious actions. This measure helps to identify previously unknown malware and ransomware variants.
SpamTitan also uses techniques such as Bayesian analysis to determine the probability of an email being spam or malicious. Greylisting is also used, which involves the initial rejection of a message with a request to resend. Spam servers do not tend to respond to these requests, so the lack of response or delay is a good indicator of spam.
SpamTitan also incorporates machine learning techniques, ensuring spam filtering improves over times. Thresholds can also be set for individual users, user groups, departments, and organization-wide, to give the greatest protection to accounts that are most likely to be targeted.
2-Factor or Multi-Factor Authentication
2-factor or multi-factor authentication is another technical safeguard to protect against phishing attacks. 2FA/MFA blocks the next stage of a phishing attack, where credentials for an account have already been obtained by an attacker, either through phishing, brute force attacks or other methods.
In addition to a password, a second factor must be provided before an individual is authenticated. This is often a token on a verified device. When an attempt is made to use a password to access the account from an unfamiliar device, location, or IP address, another factor must be provided before access is granted. This is typically a code sent to a mobile phone. 2-factor authentication will block more than 99.9% of automated attempts to gain access to an account according to Microsoft.
Security Awareness Training
Security awareness training is concerned with educating the workforce about threats such as phishing and teaching them how to recognize and avoid those threats. In security awareness training, employees are taught how to identify phishing emails and social engineering scams and are taught cybersecurity best practices to eradicate risky behaviors. Employees are targeted by phishers and not all phishing emails will be blocked by a spam filter. By training the workforce, and providing regular refresher training sessions, employees will get better at identifying and avoiding threats.
The HHS’ Office for Civil Rights explained in guidance for the healthcare industry that teaching employees how to recognize phishing is part of the requirements for HIPAA compliance. Financial penalties have been imposed for organizations that have not provided security awareness training to the workforce.
Conduct Phishing Email Simulations
Training for the workforce will raise awareness of threats, but it is important to test whether training has been assimilated and if it is being applied in real world situations. By setting up a phishing simulation program, security teams will be able to gauge how effective training has been. A failed phishing simulation can be turned into a training opportunity, and employees who regularly fail phishing email simulations can be provided with further training.
Phishing email simulation programs use real-world phishing examples on employees to see how good they are at identifying phishing emails. They can be used to gain an understanding of the types of phishing emails that are being opened and which links are being clicked. This information can be used to improve security awareness training programs.
Sign Up to Receive Threat Intelligence
Another important step to take to protect against phishing attacks is to stay up to date on the latest threats. The tactics, techniques, and procedures (TTP) of hackers and phishers is constantly evolving, and being aware of the latest TTPs will help healthcare organizations mitigate the threats.
Stay up to date by reading the threat alerts published by agencies such as CISA, the FBI, NSA, and HC3, and consider signing up an information sharing and analysis center to receive timely cyber threat intelligence updates. Knowing about new phishing campaigns targeting the sector will allow steps to be taken to block those threats, whether that is a cybersecurity newsletter for staff, implementing new spam filter rules, or other proactive steps to reduce risk.
Phishing is one of the most common ways that cybercriminals gain access to networks to steal credentials and sensitive data, deploy malware, and conduct ransomware attacks. Phishing is most commonly conducted via email and uses deception and ‘social engineering’ to trick people into disclosing sensitive information or running code that downloads malicious software.
Phishing emails often impersonate trusted individuals or companies. The email addresses used to send these messages can appear legitimate, and the messages often include the logos and layouts of the genuine communications they spoof. The emails often include a hyperlink to a website where credentials are harvested. The online component of the phishing scam similarly spoofs a trusted entity and, in many campaigns, it is difficult to distinguish the phishing website from the genuine site being spoofed.
Phishing attacks are increasing and for one very simple reason. They work. Not only do these messages fool huge numbers of people, but they are also easy to conduct and there is little risk of phishers being caught. Even the Italian mafia and other organized crime operations have adopted phishing in addition to the standard protection rackets as a way to rake in money. This week, Europol announced it broke up an organized crime gang with links to the Italian mafia which had raked in €10 million in revenue from phishing and other online fraud scams in the past year.
Phishing Lures are Constantly Changing
The lures used in phishing scams are constantly evolving. While standard phishing campaigns involving fake invoices and resumes, missed deliveries, and fake account charge notifications are regularly used, topical lures related to news stories and COVID-19 are also thrown into the mix. The lures may change, but there are commonalities with these phishing scams that individuals should be able to recognize.
Phishing scams attempt to get the recipient to take a specific action, such as visiting a link in the email or opening an email attachment. There is usually a sense of urgency to get recipients to take prompt action, such as a threat of account closure or potential legal action. While suspicions may be raised by these messages, many people still take the requested action, either through fear of missing out or fear of negative repercussions if no action is taken.
It is best to adopt a mindset where every email received is potentially a phishing scam, and any request suggested in an email could well be a scam. Any email received that threatens account closure if no action is taken can easily be checked for legitimacy by logging in to the account via a web browser (never use the links in the email). If there is an unauthorized charge or a problem with the account, this will be clear when you log in.
If you receive a message from a company stating there is an unpaid invoice or an order has been made that is not recognized, search for the company online and use trusted contact information to verify the legitimacy of the email.
If you receive an email from your IT team telling you to install a program or take another action that seems suspicious, give the support desk a call to verify the legitimacy of the request.
Links in emails are the most common way to direct people to phishing web pages. You should always hover your mouse arrow over the link to check the true destination, and if the URL is not on an official domain, do not click.
Common Phishing Lures You Should Be Aware Of
An email about a charge that has been applied to your account that has been flagged as suspicious and requires you to log in to block the charge
An email threatening imminent account closure or loss of service if you do not take immediate action to correct the issue
An email from law enforcement threatening arrest or legal action for a crime you are alleged to have committed
An email from the IRS or another tax authority offering a refund as you have overpaid tax or legal action over nonpayment of tax
An email with an invoice for a product or service you have not purchased
An email telling you malware has been detected on your computer that requires a software download to remove it
An email with a link that requires you to provide credentials to view content or confirm your identity by verifying your credit/debit card number.
If you receive any message, the important thing is to stop and think before taking any action and to carefully assess the legitimacy of the request.
Spam Software will Block the Majority of Phishing Emails
One of the best ways that businesses can improve email security is to implement an advanced spam filtering solution. SpamTitan provides protection against phishing and other malicious emails using a wide range of tools that include machine learning to identify suspicious messages, email sandboxing, dual anti-virus engines, greylisting, and malicious link detection mechanisms. SpamTitan will ensure that malicious messages are not delivered to end users where they can be clicked. When combined with security awareness training to teach cybersecurity best practices, businesses can mount a formidable defense against phishers.
To find out more about how you can protect against phishing and other malicious emails, give the TitanHQ team a call. SpamTitan is available on a free trial, product demonstrations can be arranged on request, and you may be surprised to discover how little it costs to improve protection against all types of email attacks.
TitanHQ has released a new version of its award-winning email security solution that includes a new security feature – Geo-blocking email filtering, as well as several other security updates and fixes to improve usability.
Geo-blocking is a feature that has been requested by customers and has now been included in the product at no additional cost to users. Geo-blocking, as the name suggests, allows SpamTitan users to block or allow emails originating from certain geographical locations, based on either IP address or country. This feature allows businesses to add an extra layer of protection to block geographic threat vectors and stop malware, ransomware, and phishing emails from reaching inboxes.
The new feature allows businesses and organizations to block emails coming from any country. This extra control is important, as most malware-containing emails come from a handful of overseas countries – Countries that most small- to medium-sized businesses do not normally work with. Blocking emails from those countries eliminates threats, without negatively impacting the business.
Activating the geo-blocking feature could not be any easier. SpamTitan users can click to restrict emails from any country in the SpamTitan Country IP Database and all emails coming from those countries will be blocked. There will naturally be instances where things are not so cut and dry, but that is not a problem. Geo-blocking can be activated for a specific country, and IP addresses, domains, or email addresses of trusted senders within those countries can simply be whitelisted to ensure their messages are delivered.
“Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can,” said TitanHQ CEO Ronan Kavanagh. “After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
Several other security enhancements have been made to further improve the already excellent threat detection and blocking mechanisms within SpamTitan. SpamTitan 7.11 includes an upgraded email sandboxing feature to provide even greater protection against malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs embedded in emails. These enhancements also provide more detailed information about new threats to help SpamTitan users mitigate risk.
As always with a new release, recently reported bugs have been fixed, and SpamTitan has been further improved with enhanced email rendering in Mail Viewer. Users also now have the ability to remove quarantine report token expiry and improve domain verification, to name but a few of the enhancements.
SpamTitan is delivered either as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing hardware. Existing SpamTitan Cloud customers need to do nothing to upgrade to the new version of the solution, released on September 14, 2021. SpamTitan Cloud is automatically updated to the latest version.
Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.
Ransomware attacks are being conducted at alarming rates, but even though the cost of these attacks is considerable, they are not the leading cause of losses to cybercrime. According to figures from the Federal Bureau of Investigation (FBI), business email compromise attacks are the costliest type of cyber fraud. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 complaints about business email compromise scams. $1.8 billion was lost to these sophisticated email scams in 2020 and many of these scams are never reported.
Business email compromise (BEC) scams, also known as email account compromise (EAC) scams, involve business email accounts being compromised by attackers and then used to send messages to individuals in the company responsible for making wire transfers. The goal of the attacks is to compromise the email account of the chief executive officer (CEO) or the chief financial officer (CFO), and to use that account to send messages to others in the company asking them to make a wire transfer to an attacker-controlled account.
Attacks are also conducted on vendors and their accounts are used to send requests to change payment methods or the destination account for an upcoming payments. In addition to requesting wire transfers, the scammers are also known to request sensitive data such as W2 forms, the information on which can be used to submit fraudulent tax returns to claim tax refunds. BEC scammers are also known to request gift cards or request changes to payroll direct deposit information.
BEC scams can result in major losses. Recently, a town in New Hampshire (Peterborough) was targeted by BEC scammers who successfully redirected multiple bank transfers before the scam was uncovered. The attackers sent forged documents to staff members in the Finance Department of the town to make changes to account information for various payments. The scam was sophisticated, and the scammers participated in multiple email exchanges between staff members. The attackers had conducted extensive research to find out about the most valuable transactions to redirect.
The scam was uncovered when the ConVal School District notified the town when they failed to receive a $1.2 million transfer of funds. Peterborough officials confirmed that the transfer had been made, with the investigation revealing the bank account details had been changed. Further investigation revealed two large bank transfers to the contractor used for the Main Street Bridge Project had also been redirected to attacker-controlled accounts. In total, $2.3 million was lost to the scammers and there is little hope of any of the funds being recovered.
BEC attacks are sophisticated, the attackers are skilled at what they do, and it is all too easy for employees in the finance department to be fooled into thinking they are conversing with the CEO, CFO, or a vendor via email, since the genuine email account is being used. The attackers also study the style of emails sent by the owner of the account and copy that style so as not to arouse suspicion.
There are steps that organizations can take to block the initial attack vector and to identify scams in time to stop any fraudulent transfers of funds. The primary defense against BEC attacks is a spam filtering solution, which will block the initial phishing emails used to obtain the credentials for internal email accounts. SpamTitan incorporates a range of features to detect and block these phishing emails, including machine learning technology that can identify email messages that deviate from the normal messages usually received by individuals. Outbound scanning is also incorporated, which can detect phishing attempts as the attackers try to use employee email accounts to compromise the accounts of their final target – the CFO or CEO. Rules can also be set to flag attempts to send sensitive data – such as W-2 forms – via email.
In addition to spam filtering, it is important for organizations to raise awareness of the threat of BEC attacks with the workforce, especially employees in the finance department. Policies and procedures should also be put in place that require any change to payment details to be verified by telephone using previously confirmed contact information. Implementing these simple measures can be the difference between blocking an attack and transferring millions of dollars directly to the attackers’ accounts.
If you want to improve your defenses against BEC and phishing attacks, give the TitanHQ team a call. Demonstrations of SpamTitan can be booked on request, and the full product – including full technical and customer support – is available on a free trial to allow you to see the solution in action and test it within your own environment before making a decision about a purchase.
Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.
Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against. The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems. A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.
Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.
The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.
As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.
Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.
It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.
While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.
Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.
Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.
The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.
An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.
An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.
Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.
When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far-reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.
Phishing campaigns require very little skill to conduct and require next to no capital investment. The ease at which phishing attacks can be conducted and the potential profits that can be gained from attacks make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective when attacking large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.
See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo. Book Free Demo
How to Deal with the Phishing Threat
Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.
Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.
Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the normal emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework and DMARC to identify email impersonation attacks. Email sandboxing is also included which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message and requesting it be resent. The delay in a response, if one is received at all, indicates the mail server is most likely being used for spamming. Spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.
Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.
SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.
SpamTitan Plus provides leading-edge anti-phishing protection with “zero-day” threat protection and intelligence. Book Free Demo
Don’t Neglect End User Training
No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned how to respond when a threat is received (alert their security team).
Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.
Web Filtering is an Important Anti-Phishing Control
The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.
A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.
WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.
SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now. Book Free Demo
Speak to TitanHQ Today About Improving your Phishing Defenses
TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.
If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.
New phishing campaigns are constantly being launched that impersonate trusted companies, organizations, and individuals, and use social engineering techniques to trick end users into divulging sensitive information such as their email credentials. Two such phishing campaigns have recently been discovered that use sneaky tactics to fool the unwary.
Sneaky Tactics Used to Obtain Office 365 Credentials
Organizations using Office 365 are being targeted in a sneaky phishing campaign that has been ongoing for several months. The phishing campaign incorporates a range of measures to fool end users and email security solutions. The goal of the campaign is to steal Office 365 credentials.
The phishing emails are sent from believable email addresses with spoofed display names to make the sender appear legitimate. The campaign targets specific organizations and uses believable usernames and domains for sender display names related to the target and the messages also include genuine logos for the targeted company and Microsoft branding.
The messages use believable Microsoft SharePoint lures to trick end users into clicking an embedded hyperlink and visiting the phishing URL. Recipients of the messages are informed that a colleague has sent a file-share request that they may have missed, along with a link directing the recipient to a webpage hosting a fake Microsoft Office 365 login box.
To encourage users to click, the emails suggest the shared file contains information about bonuses, staff reports, or price books. The phishing emails include two URLs with malformed HTTP headers. The primary phishing URL is for a Google storage resource which points to an AppSpot domain. If the user signs in, they are served a Google User Content domain with an Office 365 phishing page. The second URL is embedded in the notification settings and links to a compromise SharePoint site, which again requires the user to sign in to get to the final page.
To fool email security solutions, the messages use extensive obfuscation and encryption for file types often associated with malicious messages, including JavaScript, in addition to multi-layer obfuscation in HTML. The threat actors have used old and unusual encryption methods, including the use of morse code to hide segments of the HTML used in the attack. Some of the code segments used in the campaign reside in several open directories and are called by encoded scripts. Microsoft researchers discovered and tracked the campaign and likened it to a jigsaw puzzle, where all the pieces look harmless individually and only reveal their malicious nature when correctly pieced together.
This campaign is particularly sneaky, with the threat actor having gone to great lengths to fool both end users and security solutions.
FINRA Impersonated in Phishing Campaign
A new phishing campaign has recently been detected that impersonates the U.S. Financial Industry Regulatory Authority (FINRA). In this campaign, cyber threat actors have used domains that mimic FINRA, which are close enough to the genuine finra.org domain to fool unsuspecting individuals into disclosing sensitive information.
The phishing emails have been sent from three fraudulent domains: finrar-reporting.org, finpro-finrar.org, and gateway2-finra.org. The use of hyphens in phishing domains is very common, and it is often enough to trick people into thinking the site is a subdomain of the official website that the campaign mimics.
The emails ask the recipients to click a link in the email to “view request.” If the link is clicked, the users are prompted to then provide information to complete the request. As is typical in phishing campaigns, there is a threat should no action be taken, which in this case is “late submission may attract financial penalties.”
The financial services regulator has taken steps to take down these fraudulent domains, but it is likely that the threat actor will continue using other lookalike domains. Similar domains were used in the campaign spoofing FINRA earlier this year, including finra-online.com and gateway-finra.org.
These campaign highlights the need for security awareness training, an advanced email security solution, and other anti-phishing measures such as a web filter.
If you are concerned about your cybersecurity defenses and want to block threats such as these, give the TitanHQ team a call for advice on security solutions that can be easily implemented to block phishing and other email threats to improve your security posture and prevent costly data breaches.
Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.
The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.
Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.
Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.
During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.
Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.
So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.
Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.
A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help block more malware threats, while email sandboxing can identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.
Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.
With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.
One of the most common ways for malware to be distributed is in phishing emails. These emails usually require some user interaction, such as clicking on a link and opening an attached Microsoft Office file. Word and Excel files are often used in malware distribution, with macros used to deliver the malicious payload.
Macros are potentially dangerous as they can contain malicious code, so they are usually disabled by default and will only be allowed to run if they are manually enabled by the end user. When an Office file is opened which contains a macro, a warning message will appear instructing the user that there is a macro and that it is potentially malicious. If the macro is not manually enabled by the end user, malware cannot be downloaded.
A phishing campaign has recently been detected that is typical of most phishing campaigns distributing malware. The initial attack vector is a phishing email, and Office files are used which contain macros that download the malware payload – in this case ZLoader. However, a novel method is used to deliver the malicious Office files that disables to usual macro warnings and protection mechanism.
In this campaign, malicious DLLs – Zloader malware – are delivered as the payload, but the initial phishing email does not contain the malicious code. The phishing email has a Microsoft Word attachment which will trigger the download of a password-protected Excel spreadsheet from the attacker’s remote server when the file is opened and macros are enabled.
The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.
Once the encrypted Excel file is downloaded, Word VBA-based instructions in the document read the cell contents from the specially crafted XLS file. Word VBS then writes the cell contents into XLS VBA to create a new macro for the XLS file. When the macros are ready, Excel macro defenses are disabled by the Word document by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are executed using rundll32.exe.
While the malicious files will be silently downloaded and executed, this attack still requires the victim to enable macros in the initial Word document. Victims are tricked into doing this by telling them “This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” when they open the Word file. That one click will start the entire infection chain.
ZLoader is a variant of the infamous Zeus banking Trojan, which first appeared in 2006. The malware is also known by the name ZBot and Silent Night and is used by multiple threat groups. The malware was used in large scale campaigns in 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.
Once installed, the malware uses webinjects to steal passwords, login credentials and browser cookies. When an infected computer is used to access online banking and financial accounts, banking information and other sensitive data are stolen and exfiltrated to the attacker’s C2 server.
If you want to improve your defenses against malware and phishing, give the TitanHQ team a call and enquire about SpamTitan Email Security and WebTitan Web Security. These solutions can both be downloaded, configured, and protecting you from the full range of web and email threats in under an hour, and both are available on a no obligation 14-day free trial so you can see for yourself how easy they are to use and how effective they are at blocking threats before making a purchase decision.
Apple Mac users are comparatively safe when it comes to malware as most malware variants target Windows users; however, the number of malware variants targeting Mac users has been increasing. When there is a very low risk of a malware infection, it is easy to become complacent, but threats do come along so it is important to remain on one’s guard.
That is especially true now as a new malware threat has been discovered and Mac users are in the attackers’ crosshairs. Further, this is not some half-baked malware. This is a very serious threat. This new malware variant is very malicious, very dangerous, and it has been getting past Apple Mac security defenses.
The threat is more likely to be familiar to Windows users, as it is them who have previously been targeted; however, the malware has now jumped platforms and is being used to target Mac users. The malware is a new variant of FormBook malware. FormBook malware is a well-known commercially available malware that has been around since 2016. The malware, which was rebranded as XLoader last year, is sold as-a-service on hacking forums and is usually delivered via malicious attachments in emails – often PowerPoint documents. The malware has been developed to log keystrokes and, as the name suggests, grab data from online forms when input by users. It can also steal data from instant messenger apps, email clients, and FTP clients. In the latter half of 2020, attacks involving the malware increased substantially, and during the first 6 months of 2021 it has been prolific.
The Apple version of the malware similarly has a wide range of malicious capabilities. It will harvest credentials from web browsers, steal form data, take screenshots, monitor and log keystrokes, and can also download and execute files from the attackers’ C2 servers. The malware also incorporates several features to resist attempts at reverse engineering.
The Mac version of XLoader is under active development and it is likely that throughout the remainder of 2021 it will grow into an even bigger threat. Already, this version is able to move much deeper into systems and move much faster.
Mac users may be complacent as they are not often targeted, but this is not due to Macs being harder to attack. Malware developers simply choose to target Windows devices as there are many more users that can be targeted. Fewer Mac users mean the potential profits from attacks will be lower, but attacks are growing and the complacency of Mac users works to the advantage of attackers. It makes it easier to get their malware installed as users are not anticipating threats. A much broader range of threat actors will be able to use the latest XLoader version and target Mac users, as they can simply pay a licensing fee and use it under the malware-as-a-serve model. That fee can be as low as $69.
As with the Windows campaigns, XLoader is primarily delivered via phishing emails, mostly using malicious Microsoft Office documents. Check Point says it has tracked infections in 69 countries, although the majority of infected devices are in the United States.
Since the malware can bypass Mac security defenses, it is important to check whether it has already been installed by looking for suspicious filenames in the LaunchAgents directory in the library, which is normally hidden from view. While various different file names have been used, an example of XLoader is com.wznlVRt83Jsd.HPyT0b4Hwxh.plist.
Blocking attacks is actually straightforward. Antivirus software should be installed and kept up to date, and businesses should implement a spam filtering solution such as SpamTitan to block the malicious emails that deliver the malware. End users should also exercise caution opening emails and should never open attachments or click links in emails from unknown sources or click unsolicited links in messaging apps.
The threat actors behind LemonDuck malware have escalated their operation and have added new capabilities to the malware making it far more dangerous. LemonDuck malware is best known for its botnet and cryptocurrency mining objectives; however, the malware is being actively developed. While its bot and cryptocurrency mining activities continue, the malware is also capable of removing security controls on infected devices, rapidly moving laterally within networks, dropping a range of tools onto infected devices, and stealing and exfiltrating credentials. The malware is also capable of spreading via email.
The threat group behind the malware is known to take advantage of the latest news and events to create topical and convincing phishing emails to spread the malware, often through malicious Microsoft Office attachments; however, the threat actor also takes advantage of new exploits to infect devices, as well as several older vulnerabilities. Last year, the threat group was distributing the malware using phishing emails with OVID-19 themed lures, and while phishing emails are still being used to distribute the malware, the threat actor has also been exploiting the recently disclosed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security alert from Microsoft.
LemonDuck malware is a somewhat atypical bot malware, as it is relatively rare for these types of malware variants to be used to attack both Windows and Linux systems. The malware operators like to have sole control of infected devices and remove competing malware if they are encountered. To make sure no other malware variants are installed, after gaining access to a device, the vulnerability LemonDuck exploited to gain access to a system is patched.
If the malware is installed on a device with Microsoft Outlook installed, a script is run that uses saved credentials to gain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and the a malware downloader as an attachment.
The malware was first detected in May 2019, with the earlier forms of LemonDuck malware used in attacks within China, but the malware is now being distributed much more widely. It has now been detected in United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.
Microsoft has identified two distinct operating structures that both use LemonDuck malware which could indicate the malware is being used by different groups with different objectives. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, steal credentials and data, and deliver other malware variants, including Ramnit.
Blocking attacks involving this malware requires a combination of approaches. An advanced spam filter such as SpamTitan should be used to block the phishing emails used to deliver the malware. SpamTitan also scans outbound messages to prevent malware variants with emailing capabilities from being sent to contacts. Since vulnerabilities are exploited to gain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are released. Antivirus software should be implemented and set to automatically update, and a web filter is recommended to block malware downloads over the Internet.
For further information on improving your defenses against LemonDucck malware and other malware threats, give the TitanHQ team a call. Both the SpamTitan email security and WebTitan web security solutions are available on a free trial, and can be implemented, configured, and protecting your devices in less than an hour.
On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.
On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program. That said, many people have been trying to get an upgrade from unofficial sources.
Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.
Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.
As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as its easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.
Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.
On July 2, 2021, IT management software provider Kaseya suffered a ransomware attack that impacted its managed service provider (MSP) customers. Ransomware was pushed out to users of the Kaseya Virtual System Administrator (VSA) platform through the software update mechanism and, through them, to MSP clients. Kaspersky Lab said it found evidence of around 5,000 attempts to infect systems with ransomware across 22 countries in the first 3 days since the attack was identified. Kaseya recently said it believes around 1,500 of its direct customers and downstream businesses were affected.
The attackers exploited vulnerabilities in the KSA platform that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya had issued updates to fix four of the seven reported vulnerabilities in April and May and was working on patches to fix the remaining three flaws. One of those flaws, CVE-2021-30116, was a credential leaking flaw which was exploited by the REvil ransomware gang before the patch was released.
Kaseya detected the attack quickly and was able to implement mitigations that limited the extent of the attacks. the steps taken by Kaseya have been effective at blocking any further attacks, customers are now at risk from Kaseya phishing campaigns.
Cybercriminals have started conducting phishing campaigns targeting Kaseya customers pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool, but it is also extensively used by hackers and ransomware gangs to gain remote access to business networks.
The campaign was first detected by the Threat intelligence team at Malwarebytes. The emails contain an attachment named SecurityUpdates.exe and a hyperlink that claims to provide a Microsoft update to fix the Kaseya vulnerability exploited by the ransomware gang.
Users are told to open the attached file or click the link in the email to update the Kaseya VSA to protect against ransomware attacks but doing so delivers Cobalt Strike beacons and will give attackers persistent access to victims’ networks.
Since Kaseya is working on a patch to fix the flaw exploited in the attack, customers will be expecting a security update and may be fooled into installing the fake update.
Kaseya has issued a warning to all customers telling them not to open any attachments or click links in emails that claim to provide updates for the Kaseya VSA. Kaseya said any future email updates it sends to customers will not include any hyperlinks or attachments.
A similar campaign was conducted following the Colonial Pipeline ransomware attack. The emails claimed to provide system updates to detect and block ransomware attacks.
Any email received that claims to offer a security update should be treated as suspicious. Do not click links in those emails or open attachments, instead visit the software vendor’s official website to check for security updates that have been released.
Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.
There are many spam filtering services on the market that can protect against advanced email threats, but why have so many managed service providers (MSP) chosen TitanHQ has their email security solution provider? What does SpamTitan provide that is proving to be such a bit hit with MSPs?
Why Managed Service Providers Choose SpamTitan Email Security for Their Clients
SpamTitan in a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide with that number growing steadily each month.
We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.
Excellent malware protection
SpamTitan includes dual anti-virus engines from two leading AV providers and email sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.
Defense in depth protection for Office 365 environments
SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.
Advanced email blocking
SpamTitan supports upload block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level as well as a domain level.
Protection against zero-day attacks
SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.
Data leak prevention
Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.
Simple integration
SpamTitan is easy to integrate into your existing Service Stack through TitanHQ API’s and MSPs benefit from streamlined management with RMM integrations.
Competitive pricing with monthly billing
MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.
White label option to reinforce your brand
SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSPs brand.
Intuitive multi-tenant dashboard
MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.
Industry-leading customer support
TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.
Cybercriminals often impersonate trusted entities in phishing campaigns. While Microsoft tops the list of the most impersonated brand, phishing scams impersonating tax authorities are also common. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – it is often impersonated, and phishing attacks are on the rise. In the past 12 months, the number of phishing attacks impersonating HMRC increased by 87%.
The number of HMRC phishing attacks jumped from 572,029 in 2019/2020 to 1,069,522 in 2020/2021, according to official figures obtained by Lanop Outsourcing under a Freedom of information request.
Phishing can take many forms, but email scams are the most common. The number of HMRC phishing attacks conducted via email increased by 109% to 630,193 scams in 2020/2021. The most common lures used in these phishing campaigns were fake notifications about tax rebates and refunds, which were up 90% year-over-year. There were also major increases in text-based phishing (smishing) scams, which rose 52% year-over-year, and voice phishing (vishing) scams which increased by 66%.
There was an even bigger increase in phishing scams impersonating the Driver and Vehicle Licensing Agency (DVLA). In 2019/2020, HMRC received 5,549 reports of phishing scams impersonating the DVLA, but in 2020/2021 there was a whopping 661% increase with 42,233 reports.
Phishing scams impersonating HMRC and the DVLA target individuals, but they are dangerous for businesses too. The aim of these scams is to obtain sensitive data such as passwords, which could then be used in attacks on businesses. Phishing scams are also conducted to distribute malware. If malware is downloaded onto the business network, the attackers can use the access provided by the malware to move laterally and compromise an entire network.
Protecting against phishing scams requires a defense in depth approach. End user training is important as it is employees who are targeted. Employees need to be taught how to identify phishing scams and told what to do if a suspicious email is received. This is even more important at a time when employees are working from home as IT departments often lack visibility into the devices of remote workers.
Even with training, employees make mistakes. One study conducted on home workers revealed many have taken security shortcuts when working from home which has put their organization at risk. It is therefore important to implement technical defenses to ensure phishing emails do not reach inboxes.
An advanced spam filtering solution is a must. A spam filter is the most important technical measure to implement to block phishing attacks. While spam filters are good at blocking phishing emails from known malicious IP addresses, advanced spam filters such as SpamTitan have superior detection rates and can identify never-before-seen phishing scams. SpamTitan uses predictive technologies and AI to identify zero-day attacks involving IP addresses that have yet to be identified as malicious. Email sandboxing provides protection from malware that has yet to have its signature added to antivirus engines, while DMARC is used to block email impersonation attacks such as those impersonating HMRC.
In phishing attacks, a lure is sent via email but the harvesting of credentials takes place on an attacker-controlled website. Links in emails to known malicious sites will be blocked, but protection can be significantly improved by using a web filter. A web filter will also block attempts to visit malicious sites via smishing messages and through web browsing as well and will block downloads of files associated with malware.
If you want to protect your business from phishing attacks, malware and ransomware and avoid costly data breaches, give the TitanHQ a team a call and find out more about improving your security posture by blocking more email- and web-based threats.
The recent TitanHQ/Osterman Research survey of IT security professionals showed the most common security incidents experienced by businesses were business email compromise (BEC) attacks. A BEC attack is where a cybercriminal spoofs a trusted contact or company, usually to trick an employee into making a fraudulent wire transfer, send sensitive data via email, or obtain money by other means.
In a BEC attack, the attacker usually spoofs an email account or website or uses a genuine, trusted email account that has previously been compromised in a phishing attack. If a compromised email account is not used, an individual is usually spoofed by changing the display name to make it appear that the email has been sent by a genuine contact, often the CEO, CFO, or a vendor.
It is also common for lookalike domains to be used in BEC attacks. The attacker discovers the spoofed company’s format for email accounts, and copies that format using a domain that very closely resembles the genuine domain used by that company. At first glance, the spoofed domain appears perfectly legitimate.
BEC attacks are usually highly targeted. An email is carefully crafted to target an individual within an organization or a person in a particular role. Since many attacks attempt to get employees to make fraudulent wire transfers, it is most common for individuals in the finance department to be targeted, although BEC attackers also commonly target the HR department, marketing department, IT department, and executives.
Since the requests in the emails are plausible and the message format, signatures, and branding are often copied from genuine emails, the BEC emails can be very convincing. It is also not uncommon for the attacks to involve conversations that span multiple messages before the attacker makes a request.
While phishing attacks are more common, losses to BEC attacks are far greater. According to FBI figures, BEC attacks are the leading cause of losses to cybercrime.
Defending against BEC attacks requires a combination of measures. Naturally, since these attacks target employees, it is important to raise awareness of the threat and teach employees how to identify a BEC attack. Policies and procedures should also be implemented that require any email request to change bank account details, payment methods, or make changes to direct deposit information for payroll to be verified using trusted contact information. A quick telephone call could easily thwart an attack.
While these measures are important, the best defense is to prevent BEC emails from reaching end users’ inboxes as that eliminates the potential for human error. For that you need to have solid email security. A good email security solution will block attempts to steal email credentials – the precursor to many BEC attacks. An advanced spam filtering solution that incorporates machine learning techniques can detect and block zero-day attacks – the tailored, often unique messages that are used by the attackers to target individuals. Solutions that incorporate DMARC and sender policy framework (SPF) will help to detect emails from individuals not authorized to send messages from a particular domain – A vital protection against BEC attacks.
SpamTitan incorporates all of those measures – and more – to keep businesses protected. When combined with end user training and administrative measures, businesses can greatly improve their defenses against BEC attacks. For more information on how SpamTitan can protect your business from the full range of email attacks, give the TitanHQ team a call today.
You can also find out about other measures you can implement to block phishing and ransomware attacks at the upcoming TitanHQ webinar on June 30, 2021 – How to Reduce the Risk of Phishing and Ransomware. During the webinar – hosted by TitanHQ and Osterman Research – you will discover the results of the latest TitanHQ survey of security professionals and gain valuable insights into how you can improve your cybersecurity posture.
In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.
The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files. The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.
Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.
The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.
It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.
Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before the April 29, 2021 nor any evidence of phishing. How the password was obtained and the username determined may never be known.
What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.
The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.
Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent n 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.
Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.
Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.
TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.
The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.
The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.
There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.
The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.
The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ. You can Register Your Place Here
Threat actors seized the opportunities provided by the pandemic and conducted many phishing campaigns using COVID-19 themed lures. These campaigns took advantage of global interest in the novel coronavirus and preyed on fears of contracting COVID-19 to get people to open the emails, click on malicious hyperlinks, or open attachments that downloaded malware and ransomware payloads. Now that a large percentage of the population has been vaccinated, employers are opening up their offices again and employees are returning to the workplace.
The return to offices has presented another opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices. The emails appear to be a message from the CIO welcoming employees back to the workplace and claims to provide information about post-pandemic protocols and the procedures that have been put in place to accommodate returning workers to reduce the risk of infection.
The emails have been crafted to make them appear as if they have been sent internally, and include the logo of the targeted company and are signed by the CIO. The emails include a hyperlink that directs employees to a fake Microsoft SharePoint page that hosts two documents, both of which have the company’s branding. The documents are a COVID-19 factsheet and an implementation letter that includes steps that the company has taken based on updates provided by the Centers for Disease Control and Prevention (CDC), World Health Organization (WHO), and local health officials.
Most phishing campaigns would simply direct people to a landing page that hosts a phishing form where they are asked to enter their Office 365 credentials. This campaign is more sophisticated and includes an additional step. Nothing happens when an employee lands on the page. They are first required to click to open a document before the phish is activated. When the document is clicked, a fake Microsoft login prompt appears and credentials must then be entered in order to view the documents.
If credentials are entered, a message is then generated advising the employee that their account or password is not correct, and they are made to reenter their credentials several times before they are finally redirected to a genuine Microsoft page and are given access to the documents on OneDrive, most likely unaware that their credentials have been phished.
This COVID-19 phishing scam, like many others conducted throughout the pandemic, has a plausible lure. In this case, the emails have been well written and have been targeted for specific companies, making them very believable and likely to fool a great many employees. It is unclear what aims the attackers have once credentials have been harvested. They could be used to plunder sensitive information in Office 365 email accounts, would give the attackers a foothold in the corporate network for a more extensive compromise, or they could be sold to other threat groups such as ransomware gangs.
The best way to counter the threat is to prevent the malicious emails from arriving in inboxes, which requires an advanced spam filtering solution such as SpamTitan. With SpamTitan in place, phishing threats such as this will be identified and blocked at the gateway to ensure that employees’ phishing email identification skills are not put to the test.
If you want to improve your security posture and block more phishing threats, give the TitanHQ team a call today to discover how SpamTitan Email Security and the WebTitan DNS Filter can improve cybersecurity in your organization.
Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.
Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.
Benefits for MSPs from Offering Office 365 to Clients
SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.
MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.
MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.
By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.
How MSPs Can Make Office 365 More Profitable
The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.
The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.
One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.
Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support. Offering spam filtering can help to generate additional recurring revenue, with SpamTitan provided as a high margin, subscription based SaaS solution.
There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location. Email archiving is available with office 365, but the solution has some severe drawbacks, and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, with lightning fast search and retrieval should be an easy sell to Office 365 users.
Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.
Office 365 MSP Add-ons from TitanHQ
For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.
All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy, and can be implemented into your existing Service Stack through API’s and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing as we understand your clients are billed monthly.
There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.
Low management overhead – A set and forget solution
Use our private cloud or your own data center
Extensive suite of APIs for integration into your central management system
Multi-tenant solution with multiple management roles
Scalable to thousands of users
In and outbound email scanning with IP domain protection
Extensive drill down reporting
Flexible pricing models to suit your needs, including monthly billing
Generous margins for MSPs
Fully customizable branding
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
TitanSHIELD Benefits
Sales Enablement
Marketing
Partner Support
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
API integration
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Joint PR
Access to Partner Knowledge Base
Product Discounts
Joint White Papers
Technical Support
Competitive upgrades
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
TitanHQ Newsletter
5 a.m. to 5 p.m. (PST) Technical Support
Renewal Protection
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.
Phishing is the leading cause of data breaches and 2020 saw phishing-related data breaches increase again. The recently released Verizon 2021 Data Breach Investigations Report shows there was an 11% increase in phishing attacks in 2020, with work-from-home employees extensively targeted with COVID-19 themed phishing lures.
Phishing attacks are conducted to steal credentials or deliver malware, with the former often leading to the latter. Once credentials have been obtained, they can either be used by threat actors to gain access to business networks to steal data and launch further attacks on an organization. Credentials stolen in phishing attacks are often sold to other threat groups such as ransomware gangs. From a single phishing email, a business could be brought to its knees and even prevented from operating.
The fallout from a phishing attack can be considerable, and it is therefore no surprise that many businesses fail after a successful cyberattack. According to ID Agent, 60% of companies go out of business within 6 months of a cyberattack – The cost of recovery and the damage to the company’s reputation can simply be too great.
Considering the potentially devastating consequences of a phishing attack it is surprising that many businesses fail to implement appropriate protections to block attacks and do not make sure their employees are able to recognize and avoid phishing threats.
A recent study conducted by the phishing simulation vendor KeepNet Labs highlighted just how often employees fall for these scams. In a test involving 410,000 simulated phishing emails, more than half of the emails were opened, 32% of individuals clicked a (fake) malicious link or opened an attachment, and 13% of individuals provided their login credentials in response to the emails.
How to Defend Against Phishing Attacks
It is vital for the workforce to be prepared, as phishing emails can easily end up in inboxes regardless of the security protections in place to block the messages. Fortunately, through regular security awareness training, employees can be trained how to spot a phishing email. Following security awareness training, phishing email simulations are useful for identifying weak links – employees that need further training. Over time, it is possible to significantly improve resilience to these damaging and incredibly costly cyberattacks.
The importance of solid technical email security defenses cannot be overestimated as even with training, phishing emails can be very difficult for employees to identify. Phishing emails often have plausible lures, the email messages can be extremely well written, and often appear to have come from trusted sources. It is common for the emails to impersonate trusted companies and include their color schemes and logos and the websites that users are directed to are often carbon copies of the genuine websites they spoof.
There are three technical solutions that can be implemented in addition to the provision of training that can greatly improve the security posture of an organization against phishing attacks. These three solutions provide three layers of defenses, so should one fail to detect and block a threat, the others will be in place to provide protection.
3 Essential Technical Phishing Controls for Businesses
The most important technical control against phishing is a spam filter. A spam filter will block the majority of phishing and spam emails and will stop them reaching inboxes, but the percentage of emails blocked can vary considerably from solution to solution. Most spam filters will block 99% or more of spam and phishing emails, but what is needed is a solution that will block more than 99.9% of spam and malicious emails. SpamTitan for instance, has an independently verified catch rate of 99.97%, ensuring your inboxes are kept free of threats.
An often-neglected area of phishing protection is a web filter. Web filters are extensively used by businesses and the education sector for blocking access to inappropriate web content such as pornography. Web filters are also an important anti-phishing measure for blocking the web-based component of phishing attacks. When an employee clicks a link in an email that directs them to a phishing page, the web filter will block access. WebTitan Cloud is constantly updated with new malicious URLs as they are created via multiple threat intelligence feeds. WebTitan blocks malware downloads from the Internet and can be configured to block access to risky websites that serve no work purpose.
The last measure that should be implemented is multi-factor authentication for email accounts. In addition to a password, MFA requires another form of authentication to be provided before access is granted. Without that additional factor, the account cannot be accessed. This is an important security measure that kicks in when credentials have been stolen to block unauthorized account access.
If you want to improve your defenses against phishing, these three technical controls along with end user training will keep your business safe. To find out more, and how little these protections cost, give the TitanHQ team a call today!
TitanHQ has announced the release of a new version of WebTitan Cloud that includes new security features, easier administration, and the introduction of WebTitan OTG (on-the-go) for Chromebooks for the education sector.
One of the main changes introduced with WebTitan Cloud version 4.16 is the addition of DNS Proxy 2.06, which supports filtering of users in Azure Active Directory. This is in addition to on-premise AD and directory integration for Active Directory. The support for Azure Active Directory will make it easier for customers to enjoy the benefits of WebTitan Cloud, while making management easier and less time-consuming. Support for further directory services will be added with future releases to meet the needs of customers.
Current WebTitan customers do not need to do anything to upgrade to the latest version of WebTitan, as updates to WebTitan Cloud are handled by TitanHQ and users will be upgraded to the latest version automatically to ensure they benefit from improved security, the latest fixes, and new functionality.
The latest WebTitan Cloud release has allowed TitanHQ to introduce a new solution specifically to meet the needs of clients in the education sector – WebTitan OTG (on-the-go) for Chromebooks.
The use of Chromebooks has grown significantly over the past year, which corresponds with an increase in student online activity. WebTitan OTG for Chromebooks allows IT professionals in the education sector to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and ensure students can use their Chromebooks safely and securely.
WebTitan OTG for Chromebooks is a DNS-based web filtering solution that requires no proxies, VPNs or any additional hardware and since the solution is DNS-based, there is no impact on Internet speed. Once implemented, filtering controls can be set for all Chromebook users, no matter where they connect to the Internet. The controls will be in place in the classroom and at home and all locations in between.
Administrators can easily apply filtering controls for all students, different groups of students, and staff members, including enforcing Safe Search. The solution will block access to age-inappropriate content, phishing web pages, malicious websites used for distributing malware, and any category of website administrators wish to block. Chromebooks can also easily be locked down to prevent anyone bypassing the filtering controls set by the administrator.
WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion. Reports can be generated on demand or scheduled which provide information on Chromebook user locations, the content that has been accessed, and any attempts to bypass filtering, with real-time views of Internet access also possible.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
Following on from a supply chain attack that saw the software update feature of the Passwordstate password manager hijacked the threat group developed a convincing phishing campaign targeting enterprise users of the password manager solution.
The supply chain attack was used to infect users of the password manager with malware dubbed Moserpass. Between April 20 and April 22, users of the password manager who downloaded an update through the In-Pass Upgrade mechanism may have had a malicious file downloaded – a malformed Passwordstate_upgrade.zip file.
Downloading the file started a chain of events that resulted in Moserpass being installed, which collected and exfiltrated information about the computer, users, domains, running services and processes, along with password data from the Passwordstate app. The malware also had a loader module, so could potentially download other malware variants onto victims’ devices. Since passwords were potentially compromised, affected users have been advised to reset all of their passwords.
The attack only lasted 28 hours before it was identified and blocked, but in order to remove the malware from customers’ devices, Click Studios, the developer of the password app, emailed customers and encouraged them to apply a hotfix to remove the malware.
Some customers who received the email from Click Studios shared a copy of the message on social media networks. The threat group behind the attack were monitoring social media channels, obtained a copy of the genuine Click Studios email about the hotfix, and used the exact same email for a phishing campaign. Instead of directing users to the hotfix to remove Moserpass malware, the phishing email directed users to a website not under the control of Click Studios which installed an updated version of Moserpass malware.
Since the Passswordstate breach notification emails were virtual carbon copies of genuine communications from Click Studios they were very convincing. Users who followed the instructions in the email would likely think they were removing malware, when they were actually installing it. The fake versions of the emails do not have a domain suffix used by Click Studios, request the hotfix is downloaded from a subdomain, and claim an ‘urgent’ update is required to fix a bug, but it is easy to see how these messages could fool end users.
Click Studios supplies its password manager to around 29,000 enterprises and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be concerned about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and taken the requested action.
Phishers often use fake security warnings as a lure, and data breach notifications are ideal for use in phishing attacks. This Passswordstate breach notification phishing campaign highlights the importance of carefully checking any message for signs of phishing, even if the email content seems genuine and the message includes the right branding, and the risks of posting copies of genuine breach notification letters on social media networks.
Many phishing attacks are sophisticated, and it can be difficult for employees to differential between genuine and malicious messages, which is why advanced spam and phishing defenses are required. If you want to improve your defenses against phishing, get in touch with TitanHQ and discover how SpamTitan Email Security can improve your security posture and better protect your organization from phishing and other email-based threats.
Virtually everyone uses email which makes it an attractive attack vector for cybercriminals who use phishing emails to steal credentials, deliver malware, and gain a foothold in corporate networks, but what is a common indicator of a phishing attempt? How can these malicious emails be identified and avoided?
In this post we will list some of the main signs of phishing emails that that all email users should be looking out for in their inboxes.
Phishing is the Number 1 Attack Vector!
In 2021, and for several years previously, phishing has been the main way that cybercriminals obtain login credentials to allow them to access sensitive business data and gain the foothold they need in business networks for more extensive compromises. Phishing emails are also used to deliver malware that provides persistent access to computers and the networks to which they connect. Malware downloaders are commonly delivered via email that download other malicious payloads such as ransomware. Most data breaches start with a phishing email!
Phishing emails were once easy to detect, but that is not always the case now. Many phishing attempts are extremely sophisticated. Emails may only be sent to a handful of people, and even individuals are targeted. The emails are convincing and can be almost impossible to distinguish from the genuine email messages that they spoof.
With an advanced email security solution in place, the majority of these messages will be blocked; however, no email security solution will block every malicious message without blocking an unacceptable number of genuine messages. That means all employees must have the necessary skills to identify a phishing email when it arrives in their inbox.
What is a Common Indicator of a Phishing Attempt?
In order to identify a phishing email, you need to know what to look for, so what is a common indicator of a phishing attempt? Listed below are some of the most common signs of phishing emails for you to look out for.
Unfortunately, there is no single common indicator of a phishing attempt. Tactics, techniques, and procedures are constantly changing, but if you identify any of these signs in an email in your inbox or spam folder, there is a reasonable chance that the message is not genuine and should be reported to your security team. Chances are, there will be other copies of the message in the email system that will need to be removed.
The message is in your spam folder
There is a reason why messages are classified as spam by email security solutions. Analysis of the message has highlighted telltale signs of spam or phishing, but not enough for the message to be blocked at the email gateway. If a message is sent to your spam folder you should exercise caution when opening the message.
It is an unsolicited message
Phishing emails are unsolicited – You certainly didn’t ask to be phished! There may be a seemingly valid reason why you have been sent the message, but if you didn’t request the email and are not on a marketing list for the company or individual sending the message it should be treated as suspect.
Important information is in an attachment
One of the ways that phishers attempt to conceal their malicious intent is to use email attachments. This could be a link in an attached file that you need to click (why not just add it to the message body?) or commonly, you must enable content in an Office file to view the content of the attachment. Doing so will allow macros to run that will download a malicious file. Zip files are also commonly used as they are hard for spam filters to access, or files may be password protected. The files must always be scanned with AV software prior to opening and, even then, treat them with extreme caution.
Book a free SafeTitan Security Awareness Training demonstration with an expert. Book Free Demo
Urgent action is required and there is a threat in the email
Phishing emails often convey a sense of urgency to get people to respond quickly without thinking too much about the request. There may be a threat of bad consequences if no action is taken – your account will be closed – or some other sense of urgency, such as missing out on an amazing opportunity. Always take time to carefully consider what is being asked and check the email for other signs of phishing.
You are asked to click a link in an email
Spam filters scan messages for malware, so it is common for the malware to be hosted on a website. A link is included that users must click to obtain information or to download a file. The link may take you to a website where you are required to enter your login credentials, and that site may have an exact copy of your usual login prompt – for Google or Office 365 for example. You should carefully check the link to find out the true destination (hover your mouse arrow over it) and then double check the full URL on the destination site. You may have been redirected to a different site after clicking. Is the page on the genuine website used by that company?
The sender of the email is not known to you or the email address is suspect
Phishers spoof email addresses and change the display name to make it appear that the email has been sent from a contact or official source. Check that the actual email address is legitimate – it is the correct domain for the company or individual. Check against past messages received from that individual or company to make sure the email address is the same. Remember, the sender’s email account may have been compromised, so even if the email address is correct that doesn’t necessarily mean the account holder sent the message!
The message has grammatical and spelling errors
Grammatical and spelling errors are common in phishing emails. This could be because English is not the first language of the sender or be deliberate to only get people to respond who are likely to fall for the next stage of the scam. Business emails, especially official communications and marketing emails, do not contain spelling errors or have grammatical mistakes.
The request is unusual, or the tone seems odd
Often the language used in phishing emails is a little odd. Emails impersonating known contacts may be overly familiar or may seem rather formal and different to typical emails you receive from the sender. If the tone is off or you are addressed in a strange way, it could well be a phishing attempt. Phishing emails will also try to get you to take unusual actions, such as send data via email that you have not been asked to send before. A quick phone call using trusted contact information is always wise to verify the legitimacy of an unusual request.
How Businesses can Improve their Phishing Defenses
If you want to block more phishing emails and malware you will need an advanced email security solution. The email security gateway is the first line of defense against malicious emails, but it is not necessary to spend a fortune to have good protection. If you have a limited budget or simply want to save money on email security, TitanHQ is here to help.
SpamTitan is an award-winning advanced email security solution that blocks in excess of 99.97% of malicious messages and spam. The solution is easy to implement, configure, maintain and use, the pricing policy is transparent and extremely competitive, and with TitanHQ you will benefit from industry-leading customer support. You can even try SpamTitan for free to see for yourself how effective it is. Get in touch with us today to find out more via email or just pick up the phone and speak to our friendly and knowledgeable sales team.
Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.
Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.
In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.
As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.
What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.
The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.
The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK’s National Cyber Security Center to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.
University of Hertfordshire Suffers Major Cyberattack
One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.
It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.
The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.
The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.
UK Schools also Under Attack
The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affecting online learning for 37,000 students.
Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.
What Can Be Done to Stop Cyberattacks in Education?
Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.
To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.
The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.
A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.
Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.
The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.
The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.
The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.
Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.
How SpamTitan Can Protect Against Phishing and Malware Attacks
SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.
SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, email sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.
SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.
SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.
If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.
Threat actors are constantly changing their tactics, techniques, and procedures (TTP) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded via the web via hyperlinks embedded in emails.
A new tactic that has been adopted by the threat group behind the IcedID banking Trojan cum malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.
However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CATCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.
In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.
Clicking the hyperlink to review the supplied evidence will result in the download of zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.
IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.
The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.
To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.
It has been an exceptionally busy year for TitanHQ with global demand for TitanHQ solutions has skyrocketing. Enterprises, SMBs and Managed Service Providers (MSPs) have been turning to TitanHQ to provide the security they need to protect their now largely distributed workforces from email and web-based attacks during the pandemic and block malware, ransomware, phishing attacks and other growing threats.
TitanHQ’s email security solution – SpamTitan; web security solution – WebTitan; and email archiving solution – ArcTitan, have now been adopted by more than 12,000 businesses worldwide, including more than 2,500 MSPs, with customers including well-known names such as Pepsi, Virgin, T-Mobile, O2, Nokia, Datto, Viasat, and Purple.
The past year has seen tremendous organic year-on-year growth and during the pandemic the company received significant investment from the Livingbridge investor group, which has really helped turbocharge company growth with significant investment in product development.
While many businesses have been forced to contract during the pandemic, business has gone from strength to strength for TitanHQ, as can clearly be seen from the huge investment in people. TitanHQ has embarked upon a major recruitment drive that has seen the TitanHQ workforce almost double since September 2020, with many of the new members of the workforce widely distributed and working remotely.
“As a result of increased demand globally for our solutions, we have invested heavily and embarked on a recruitment campaign to double our workforce in a programme that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “We have also invested because while we believe remote working is a by-product of the current pandemic, it is very much going to be the mode of future work. The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”
The ambitious growth plans are sent to continue, with new roles created across many departments including sales, technical support, software development, and marketing, with the expanded workforce helping the company to achieve even greater heights and reach even more clients internationally.
If you want to join the growing team at TitanHQ and become a member of an innovative and growing workforce, positions are still available.
During tax season, tax professionals and tax filers are targeted with a variety of IRS phishing scams that attempt to obtain sensitive information that can be used by the scammers to steal identities and file fraudulent tax returns in the names of their victims. The potential rewards for the attackers are significant, with the fake tax returns often resulting in refunds of thousands of dollars being issued by the U.S. Internal Revenue Service (IRS).
This year is certainly no exception. Several tax season phishing scams have been identified in 2021 with one of the latest scams using phishing lures related to tax refund payments. The phishing emails have subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” which are likely to attract the recipient’s attention and get them to open the emails.
The emails use the genuine IRS logo and inform recipients that they are eligible to receive an additional tax refund, but in order to receive the payment they must click a link and complete a form. The form appears to be an official IRS.gov form, with the page an exact match of the IRS website, although the website on which the form is hosted is not an official IRS domain.
The form asks for a range of highly sensitive personal information to be provided in order for the refund to be processed. The form asks for the individual’s name, date of birth, Social Security number, driver’s license number, current address, and electronic filing PIN. For added realism, the phishing page also displays a popup notification stating, “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.
The attackers appear to be targeting universities and other educational institutions, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu email addresses.
Educational institutions should take steps to reduce the risk off their staff and students being duped by these scams. Alerting all .edu account holders to warn them about the campaign is important, especially as these messages are bypassing Office 365 anti-phishing measures and are arriving in inboxes.
Any educational institution that is relying on Microsoft Exchange Online Protection (EOP) for blocking spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly consider improving their anti-phishing defenses with a third-party spam filter.
SpamTitan has been developed to provide superior protection for Office 365 environments. The solution is layered on top of Office 365 and seamlessly integrates with Office 365 email. In addition to significantly improving spam and phishing email protection, dual antivirus engines and sandboxing for emails provide excellent protection from malware.
For further information on SpamTitan anti-phishing protection for higher education, give the SpamTitan team a call today. You can start protecting your institution immediately, with installation and configuration of SpamTitan taking just a few minutes. The solution is also available on a free trial to allow you to assess SpamTitan in your own environment to see the difference it makes before deciding on a purchase.
A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.
In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.
The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.
In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.
Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.
To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.
What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.
If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.
Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.
Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation to generate a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often related to ransomware attacks, login to privileged accounts allowing malware installation. Cybersecurity defenses are being tested like never before.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
Personal Data is Targeted
Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.
Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.
One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.
The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.
Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.
One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.
DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.
Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.
DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
Organizations must adapt to Cyber-Threats
Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.
Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.
TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered email sandbox.
For further information securing email accounts and blocking email impersonation attacks, contact TitanHQ today.
FAQs
Can you explain how to stop email impersonation with DMARC?
You need to create a DMARC record with your DNS hosting provider. You create a new TXT record, add a _DMARC host value, add value information by setting v=DMARC1 and the p tag as p=none or p=quarantine or p=reject. Then perform a DMARC check to verify the values and syntax are correct. Start with p=none to verify, then change to p=quarantine or p=reject once you have checked the validity of the record. The p record tells the receiving mail server what to do with a message that doesn’t pass DMARC checks.
How to stop email impersonation using DMARC on SpamTitan
Configuring DMARC settings in SpamTitan is quick and easy. You can do this by navigating to System Setup > Mail Authentication > DMARC. We have produced a step-by-step guide on how to enable and configure DMARC in SpamTitan, which can be found in the SpamTitan Gateway Admin Guide.
How does DMARC prevent an email impersonation attack?
DMARC is a protocol that works in conjunction with SPF and DKIM to ensure a message is sent from a sender indicated in the From header. DMARC uses the SPF and DKIM authentication checks and authenticates them against the same domain that is visible in the From header field. In short, DMARC checks whether the message was really was sent from the email address that is visible to the recipient.
I need to know how to prevent impersonation attacks on our clients
SpamTitan helps to stop impersonation and manipulation attacks on clients by scanning outbound emails. In the event of a mailbox being compromised, outbound scanning will alert your SpamTitan administrator about any email impersonation attack being attempted from that mailbox, as well as identifying mailboxes that are being used for spamming or malware delivery.
Do employees need to be taught how to prevent impersonation attacks?
With SpamTitan, email impersonation attacks can be blocked; however, it is still recommended to provide training to the workforce on how to identify phishing emails and other malicious messages. Training should include telling employees the signs of an email impersonation attack and should be tailored to user groups based on the level of risk. Training should be reinforced throughout the year.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.
Fake PayPal Email Notifications
The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.
The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.
If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.
First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.
Request for Excessive Information
This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.
There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.
Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.
To find out more about current phishing scams and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.
Do you use the same password across online accounts?
Make your password hard to guess - use a combination of upper and lower case letters, numbers, and special characters.
Change your password frequently.
Never use the same password with more than one account. If you do and you password is stolen you are exposed and hackers could potentially gain access to every single account that that email address is associated.
If you receive one of these Paypal texts, to delete it immediately. Always read your messages before you click, or even better – don’t click on the link and contact PayPal directly.
Phishing Sources
Phishing messages can come from a range of sources, including:
Email
Phone calls
Fraudulent software
Social Media messages
Advertisements
Text messages
SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and block malicious emails before being delivered to the end user. How SpamTitan protects from phishing attempts:
URL reputation analysis during scanning against multiple reputations.
Detect and block malicious spear-phishing emails with either existing or new malware.
Heuristic rules to detect phishing based on message headers. These are updated frequently to address new threats.
Easy synchronization with Active Directory and LDAP.
Spam Confidence Levels can be applied by user, user-group and domain.
Whitelisting or blacklisting senders/IP addresses.
Infinitely scalable and universally compatible.
SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan's sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.
Our free trial gives you the opportunity to evaluate our industry-leading email security solution in your own environment, and your clients the opportunity to provide feedback on how effective SpamTitan is at preventing all types of malware, ransomware and phishing attacks from entering your network.
SpamTitan is a multi-award-winning email protection, anti-phishing, and email filtering solution. Start your free trial for SpamTitan today to discover how we can prevent malware attacks.
Phishing attacks are extremely complex and increasing. The best way to protect against phishing scams is with a modern, robust email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
Find out about some of the key protections you can put in place to improve your resilience against attacks. Book a free SpamTitan demo today. Book Free Demo
Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.
Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand even when they have backups to prevent the sale of their data.
Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.
Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.
Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, with the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.
Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.
Antivirus/antimalware solution is a must, as is ensuring it is kept up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and email sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new methods of email attacks.
End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.
Patches and security updates should be implemented promptly after they have been released to prevent vulnerabilities from being exploited. You should use the rule of least privilege for accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.
It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.
A PayPal phishing scam was first detected in 2019 – the scam used unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different as the attackers are after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.
This PayPal phishing scam has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.
The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.
The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.
If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained. The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.
The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.
The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.
All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.
Security experts are still finding fake paypal websites that impersonate PayPal. Using advanced social engineering techniques they try to trick users into handing over sensitive data including log in credentials.
Discover how SpamTitan blocks phishing threats with a free demo. Book Free Demo
Read more on current phishing scams and how to prevent attacks.
IT professionals are seeing an enormous number of Covid-19 themed email phishing attacks. SpamTitan is blocking increasing levels of these phishing emails. What started out as dozens of Covid 19 phishing websites has morphed to tens of thousands - more are being identified and blocked daily. With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.
COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?
COVID-19 vaccine scams
Cybercriminals are now shifting their focus to phishing email around Covid-10 vaccines. These vaccine themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.
For your employees looking for vaccination information on company devices the consequences are obvious. If the user falls for the scam email they may divulge sensitive or financial information, open malicious links or attachments exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.
Preventing Phishing Attacks
Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine and that you should always exercise caution.
The golden rule? Never click links in emails.
Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials.
Discover how SpamTitan provides phishing protection with a free demo. Book Free Demo
Phishing Protection
Without the right security tools in place, organizations are vulnerable to phishing attacks. SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.
SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. SpamTitan's sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.
Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
To protect against advanced phishing threats you need advanced protection.
How can I tell if an email from PayPal is genuine?
Generally speaking, emails originating from PayPal will always address you by your full name in capital letters – e.g., JOHN SMITH rather than John Smith. Also, PayPal will never ask for your bank account number, debit, or credit card number. It will also never ask for your full name, your account password, or the answers to your PayPal security questions in an email. If you have any concerns about an email from PayPal, forward the email to spoof@paypal.com where PayPal´s security experts will have a look at it and let you know whether or not it is genuine.
How does SpamTitan mitigate the threat of PayPal phishing scams?
There are several ways in which SpamTitan mitigates the threat of phishing scams. The most effective is DMARC authentication – an authentication process jointly developed by PayPal which leverages existing authentication processes (i.e., Sender Policy Frameworks and Domain Keys Identified Mail) to give domain owners control over emails sent from their domain names. DMARC authentication quickly identifies “spoof” emails claiming to be from PayPal and either rejects them or marks them as spam depending on how the authentication process is configured.
Other than DMARC authentication, how else does SpamTitan protect customers from PayPal phishing scams?
SpamTitan provides the option to “greylist” all inbound emails – which involves returning emails from unknown sources to the originating mail server with a request to resend the email. SMTP-compliant mail servers resend greylisted emails automatically. However, spammers´ servers are rarely SMTP-compliant, so the phishing email is never returned. In the event a phishing email is resent, SpamTitan´s anti-spam engine will run a series of tests to determine a spam score for the email. Whether the email is rejected, marked as spam, or delivered, will depend on the spam score threshold applied by the system administrator.
Doesn´t the greylisting process delay the delivery of genuine emails?
When you configure SpamTitan to greylist inbound emails, you can specify a number of successful deliveries after which the greylisting process is suspended for each sender. Therefore, if you set the “auto-allow” field to “2”, the first two emails from a sender will be greylisted; and – provided the first two emails are successfully returned – no further emails from that sender will be greylisted. You can also exempt senders by name or IP address, and exempt emails sent to specific recipients (although recipient email exemptions are not recommended).
What is the difference between a PayPal phishing scam and a COVID-19 vaccine scam?
Although both scams have the objective of obtaining sensitive information, COVID-19 vaccine scams tend to request Medicare and Medicaid numbers in return for illegitimate COVID-19 tests, vaccines, and treatments. Healthcare information such as this can be used to commit medical identity theft which enables the scammer to receive medical treatment under your name. If Medicare or Medicaid subsequently denies the claim for fraudulently-provided healthcare treatment, the victim of the COVID-19 vaccine scam could be liable for the cost.
Discover how SpamTitan blocks phishing threats with a free demo. Book Free Demo
How many times have you had a phone call or an email from a manager in your organization asking for you to give them the password of an employee to enable them to access their email account?
This request is often made when an individual is on leave and a call is received from a client or colleague wanting to know if they have actioned a request sent before they left. All too often a client has sent an email to their account manager before he or she went on vacation, but it was accidentally missed.
Access to the email account is necessary to avoid embarrassment or to ensure that a sales opportunity is not missed. Maybe the employee in question has failed to set up their Out of Office message and clients are not aware that they need to contact a different person to get their questions answered.
In years gone by, managers used to keep a log of all users’ passwords in a file on their computer. In case of emergency, they could check the password and access any user account. However, this is risky. Nowadays this is not acceptable behavior. It also invades the privacy of employees. If a password is known by any other individual, there is nothing to stop that person from using those login credentials any time they like. Since passwords are frequently used for personal accounts as well as work accounts, disclosing that password could compromise the individual’s personal accounts as well.
Maintaining lists of passwords also makes it harder to take action over inappropriate internet and email use. If a password has been shared, there is no way of determining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login.
IT staff are therefore not permitted to give out passwords. Instead they must reset the user’s password, issue a temporary one, and the user will need to reset it when they return to work. Many managers will be unhappy with these procedures and will still want to maintain their lists. Employees will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and giving a manager access could be seen as a major invasion of privacy.
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
What is the solution?
There is a simple solution which will ensure that the privacy of individuals is assured, while forgotten Out of Office auto-responders can be set. Important emails will not be missed either. To do this you can set up shared mailboxes, although these are not always popular.
Do this in Outlook and a manager may need to have many set up in their Outlook program. It will also be necessary for them to train staff members how to use the shared mailboxes, and policies might need to be written. They may need to have to permanently keep the mailboxes of multiple teams open in Outlook.
Is there an easier option?
There is another choice, and that is to delegate permissions. It is more complicated to implement this control as it requires an MS Exchange Administrator to provide Delegate Access. Using Delegate Access will make it possible for an individual, with the appropriate permissions, to send an email on behalf of another employee. This means mailboxes do not have to be open all the time. They can just be opened when an email needs to be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.
That would require a member of the IT department, a domain manager, to do it. A ticket would need to be submitted requesting the action. This may not be popular with managers, but it is the only way for the task to be performed without revealing the user’s login credentials or setting up a temporary password which would breach their privacy.
You might be unpopular, but security is vital
If you encounter resistance, you must explain the reasons why password sharing is not permitted: The risks it poses and the problems it can cause.
These matters should be included in a company’s computer, Internet and email usage policies. If the sharing of passwords contravenes company policies, any requests to share passwords would result in the IT department breaching those policies. Requests to divulge that information would therefore have to be denied.
Of course, Out-Of-Office auto-responders are not an IT issue. This is an issue that should be dealt in staff training. It is also a check that a manager should make before a member of staff leaves and goes on holiday, while the employee is still at work.
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
The dangers of password sharing
Organizations are facing an ever-growing threat from cybercriminals. In 2019 and 2020, we have seen many high-profile data breaches, resulting in serious financial repercussions and damaged brand reputation. Password-sharing at work carries a massive risk for organizations. 81% of breaches originate with stolen or weak passwords. When hackers gain entry to your system, shared passwords make it easier for them to access other parts of your network.
If by chance an intruder finds a document full of shared passwords in a employee’s Google drive that opens up the entire system to attack. This also exposes your organization to legal issues if customers’ privacy rights are violated.
Why do employees share passwords ?
Sharing passwords is extremely risky for the organization . Oftentimes the reason cited for doing this is easier collaboration with colleagues. Sometimes employees share passwords because it’s the company policy. In these situations it’s vital for I.T. to intervene and provide a better way for employees to collaborate, and potentially serious consequences down the road.
Reasons why passwords should never be shared, even with a manager
Passwords are private: This is a fundamental element of IT and network security. This rule cannot be broken or bent
There are alternatives to sharing of passwords that will achieve the same aim: ticket requests, shared mailboxes, and delegate permissions these should be used instead
The sharing of passwords violates an individual’s privacy
If a password is shared, the results of an account audit cannot be trusted.
Password reuse– Many people use the same password to access multiple accounts and platforms. By sharing reused passwords, employees increases the risk a single stolen password poses for companies.
You’re responsible for any activity conducted under your username. If someone else is logged in under your account, you’re still responsible for whatever happens.Data security is more important than an auto-responder
Bring Your Own Device (BYOD) – Employees are increasingly working from home and use their personal smartphones and laptops in addition to company-issued devices. The WFH trend has led to productivity gains. Unfortunately, the benefits can easily be wiped out if passwords shared with friends or family gives unauthorized access to your network and confidential data.
Acceptable Usage Policies would be violated
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
Multi-Factor authentication to stop password sharing
When MFA is in place, access is only possible when the user validates using two authentication factors. For example, they initially enter their password but must then complete a second authentication request. This could be a code received via a device. Multi-factor authentication, like any security approach, works best when used in tandem with other security strategies.
If a ban on password sharing does not exist in your organization, it must be implemented as a priority. You will not be able to do this without the support of senior managers. You may not feel that it is your job to try to implement a ban, but you should make a case for it. It will help your department protect the network, it will save you time in the long run, and it will be better for the business.
To find out more about password security and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.