titanadmin - Page 5

Phishing Scam Spoofs IRS to Obtain Fraudulent Outstanding Tax Payment

by titanadmin | Nov 16, 2020 | Email Scams, Phishing & Email Spam |

A phishing campaign has been identified that spoofs the U.S. Internal Revenue Service (IRS) and advises recipients that they are facing imminent legal action to recover outstanding tax.

The emails are convincing and well written and are final demands for payment to prevent legal action to recover the outstanding funds. The emails warn the recipient that the IRS has made several attempts to make contact by telephone after no response was received to a written demand for payment that the emails claim was mailed 18 months previously in May 2019. The failure to respond has led to the IRS taking legal action, with charges due to be filed imminently to recover the outstanding tax.

In contrast to many scams that seek login credentials or attempt to get the user to open file attachments to trigger a malware download, this scam uses social engineering techniques to scare the recipient into making contact via email to resolve the fictitious issue. The purpose of the scam is to get the recipient to make a fraudulent payment or disclose their financial account information.

The lack of any hyperlinks or email attachments makes it more likely that the email will be delivered to inboxes and will not be identified as malicious by security solutions. Fortunately, SpamTitan users will be protected from this scam as multiple checks are performed which identify the scam for what it is.

The message body contains all the classic hallmarks of a phishing scam:

• There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
• There is a threat of negative consequences if no action is taken – Legal action to recover funds
• The request is plausible, but an atypical request is made – to only make contact via email

The emails include a case file number, detail the outstanding amount – $1450.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will proceed in 4 days if payment is not made, and that the opportunity for voluntary action to rectify the issue is coming to an end.

In addition to the threat of legal action and a court case, the recipient is informed that credit reference bureaus may also be notified about the late/missed payment, which would negatively impact their credit score.

The emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” indicating this is not the first time that the message has been sent, helping to emphasize that this is a final warning.

Steps have been taken to make the email appear official, with the display text of the sender address indicating the message has been sent from support @ irs.gov – the legitimate domain used by the IRS. However, the reply to email address supplied is legal.cc @ outlook.com – Which is clearly not an official IRS domain and the message headers show that the email was not sent from the domain stated.

The email does include a postal address; however, no telephone number is supplied. Full contact information would be provided in official IRS communications, although the IRS would not initiate contact with individuals via email.

The phishing emails highlight the importance of stopping to think about what is being requested and to take time to check emails carefully before responding, no matter how pressing the threat may be. Any request for payment should be verified by phone, with contact information obtained from a trusted source, never the contact details supplied in the email. A call to the IRS would quickly reveal this to be a scam.

The reason these scams succeed is because they rely on individuals responding quickly without thinking. Fortunately, an effective spam filter will detect these scam emails and will quarantine or reject the messages.

Election Interference-Themed Phishing Emails Identified Distributing the QBot Trojan

by titanadmin | Nov 5, 2020 | Email Scams, Phishing & Email Spam |

Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.

Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.

In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.

The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.

The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.

The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.

In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.

Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.

Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training.

Phishing Campaigns Targeting Users of Teleconferencing Platforms

by titanadmin | Oct 26, 2020 | Email Scams, Phishing & Email Spam |

Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.

Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.

The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.

At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.

Microsoft Teams Phishing Scams

One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.

Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.

This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.

Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.

Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.

How to Avoid Teleconferencing Platform Phishing Scams

As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.

You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.

Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.

For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.

UK Businesses Targeted in HMRC Phishing Scam

by titanadmin | Sep 30, 2020 | Email Scams, Phishing & Email Spam |

Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.

The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.

One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.

Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.

The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.

A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.

COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.

Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.

Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.

SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.

Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.

5 Ways to Quickly Identify a Phishing Email

by titanadmin | Aug 27, 2020 | Email Scams, Phishing & Email Spam |

Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.

Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two-thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.

How to Identify a Phishing Email

Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.

Check the true sender of the email

This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.

Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.

Check for grammatical errors and spelling mistakes

Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google Translate to create their emails, which is why the wording may seem a little odd.

Before Google, Netflix, or your bank sends an email, it will be subject to proof-checking. Mistakes will be made on occasion but they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.

Phishing emails are often addressed in a way that makes it clear that the sender does not know your name.  “Dear customer” for example. Most companies will use your name in genuine email communications.

Phishers use urgency and a “threat” if no action is taken

Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.

For example, someone has tried to log in to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.

Check the true destination of any link in the email

Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.

You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.

On a mobile device, this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.

Beware of email attachments

Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.

If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.

Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.

Anti-Phishing Solutions for Businesses

TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.

SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.

WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees from visiting known malicious websites or suspicious sites. WebTitan also blocks malware downloads.

Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no-obligation free trial of both solutions to evaluate them in your own environment.

Phishing Scam Targets Remote Workers Returning to the Office

by titanadmin | Jun 30, 2020 | Email Scams, Phishing & Email Spam |

A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.

This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training.  The emails include the Office 365 logo and are short and to the point.

They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.

This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.

Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.

There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.

Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.

iCalandar Phishing Scam Attempts to Obtain Banking Credentials

by titanadmin | Jun 29, 2020 | Email Scams, Phishing & Email Spam |

A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.

iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.

Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.

As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.

There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.

These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.

Office 365 Phishing Scam Bypasses Multi-Factor Authentication

by titanadmin | May 22, 2020 | Email Scams, Phishing & Email Spam |

A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.

The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.

The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.

Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.

Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.

By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.

The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.

The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.

With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.

This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.

For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.

Cybercriminals Take Advantage of Popularity of Zoom to Phish for Microsoft Credentials

by titanadmin | May 12, 2020 | Email Scams, Phishing & Email Spam |

Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.

Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.

According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.

The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.

In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.

Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.

One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.

Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.

Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.

Common Phishing Lures Currently Attracting Clicks

by titanadmin | May 11, 2020 | Email Scams, Phishing & Email Spam |

A new report has been released that sheds light on the most common phishing lures that are currently in use that are providing effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.

The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.

Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.

COVID-19 had been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.

SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.

SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.

The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.

If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and providing protection against email and web-based threats.