titanadmin - Page 6

Watch Out for This New Netflix Phishing Scam!

Any popular platform is an attractive target for phishers, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not seem a key target for phishers, a successful attack could give scammers access to credit card and banking information.

Netflix phishing scams are common, so it is not unusual to see yet another scam launched, but one of the latest uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it is harder for security solutions to access the phishing websites and identify their malicious nature.

This Netflix phishing scam starts with an email like many other Netflix scams that precede it. The emails appear to have been sent from the Netflix customer support team and advise the recipient there has been a problem with billing for the latest monthly payment. As a result, the subscription will be suspended in the next 24 hours.

The Netflix user is provided with a link to click and they are told they need to update their information on file. The emails also include a link to unsubscribe and manage communication preferences, although they do not work.

As with most phishing scams there is urgency and a threat. Update your information within 24 hours or you will lose access to the service. Clicking the link will direct the user to a fully functioning CAPTCHA page, where they are required to go through the standard CAPTCHA checks to verify they are not a bot. If the CAPTCHA challenge is passed, the user will be directed to a hijacked domain where they are presented with the standard Netflix sign-in page.

They must sign-in, then they are asked to enter their billing address, along with their full name and date of birth, followed by a second page where they are asked for their card number, expiry date, CVV code, and optional fields for their bank sort code, account number, and bank name. If the information is entered, they are told that they have correctly verified their information and they will be redirected to the real Netflix page, most likely unaware that they have given highly sensitive information to the scammers.

There have been many Netflix phishing emails intercepted over the past few months claiming accounts have been put on hold due to problems with payments. The emails are convincing and very closely resemble the emails sent out regularly by Netflix to service subscribers. The emails feature the Netflix logo, correct color schemes, and direct the recipients to very realistic looking login pages.

What all of these emails have in common is they link to a domain other than Netflix.com. If you receive an email from Netflix, especially one that contains some sort of warning or threat, login to the site by typing the correct domain into the address bar and always make sure you are on the correct website before entering any sensitive information.

Phishing Warning Issued to Sports Industry Following Spate of Attacks

Football is big business and large quantities of money are often transferred electronically between clubs to bring in new players. If scammers were to insert themselves into the communications between clubs, huge payments could easily be diverted. In 2018, the Italian football club Lazio was targeted with a phishing scam that resulted in a payment of €2 million being sent to an account under the control of scammers. The money was never recovered.

Now it appears that the sports industry is being targeted again. Recently, a similar scam was conducted on a Premier League football club in England. The hackers gained access to the email account of the managing director of the club through a phishing campaign after directing the MD to a domain where Office credentials were harvested. Those credentials were then used to access the MD’s email account, and the scammers inserted themselves into and email conversation with another club looking to purchase a player. Fortunately, the scam was detected by the bank and a £1 million fraudulent payment was blocked.

This type of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are commonplace and often successful. They range from simple scams to complicated multi-email communications between two parties, whether one party believes they are communicating with the genuine email account holder when they are actually communicating with the scammer. When the time comes to make payment, the scammer supplies their own account credentials. All too often, these scams are not detected until after payment is made.

That is far from the only cyberattack on the sports industry in recent weeks and months. There have been several attempted cyberattacks which prompted to the UK’s National Cyber Security Center (NCSC) to issue a warning advising the UK sports sector to be on high alert.

Prior to lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential systems, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be abandoned due to the attack. The ransomware attack is suspected to have also started with a phishing email.

The recent attacks are not limited to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past 12 months.

NCSC figures show approximately 30% of incidents resulted in financial losses, with the average loss being £10,000, although one organization lost £4 million in a scam. 40% of the attacks involved the use of malware, which is often delivered via spam email. A quarter of attacks involved ransomware.

While malware and ransomware attacks are costly and disruptive, the biggest cause of losses is BEC attacks. Figures from the FBI show these scams accounted for around half of all losses to cybercrime in 2019. $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported. The FBI anticipates even greater losses this year.

While there are many different attack methods, email remains the most common vector used in cyberattacks on businesses. It is therefore essential to implement a robust email security solution that can block malicious emails and prevent them from being delivered to inboxes.

TitanHQ has developed a powerful, advanced email security solution that can help businesses improve their email security defenses and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates multiple threat intelligence feeds, machine learning systems to identify phishing attempts, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation attacks.

If you are concerned about email security and want to improve your defenses against email threats, give the TitanHQ team a call to find out more about SpamTitan and other security solutions that can help you defend your organization from cyberattacks.

Our customer service team will be happy to discuss your options and help set you up for a free trial so you can see for yourself the difference SpamTitan makes to email security.

Phishers Use Google Cloud Services to Steal Office 365 Credentials

A new phishing campaign has been detected that uses Google Cloud Services to fool victims into giving up their Office 365 credentials. The new campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.

The phishing attack starts like any other with an email containing a hyperlink that the recipient is requested to click. If the user clicks the link in the email, they are directed to Google Drive where a PDF file has been uploaded. When the file is opened, users are asked to click a hyperlink in the document, which appears to be an invitation to access a file hosted on SharePoint Online.

The PDF file asks the victim to click the link to sign in with their Office 365 ID. Clicking the link will direct the user to a landing page hosted using Google’s storage.googleapis.com. When the user arrives on the landing page, they are presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting firm.

The campaign has been designed to make it appear that the victim is simply being directed to a PDF file that has been shared via Sharepoint, and the actual PDF file is displayed after the victim has divulged their credentials. It is therefore likely that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy individuals would be unlikely to check.

This campaign was identified by researchers at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are legitimate and have valid SSL certificates, they are difficult to detect as malicious. This campaign abused Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add legitimacy to the campaigns.

This campaign highlights the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even those that link to genuine domains. An advanced email security solution should also be implemented to block malicious emails and ensure the majority of malicious messages are not delivered to inboxes. That is an area where TitanHQ can help.

Emotet Botnet Activity Resumes with Trickbot/Qakbot Malware Campaign

Emotet was the most prolific malware botnet of 2018 and 2019, but the botnet fell silent on February 7, 2020, but it has now sprung back to life and is being used to distribute Trojan malware.  The botnet returned with a malicious spam campaign on July 17 of at least 30,000 emails, mostly targeting organizations in the United States and the United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day with the campaign now global.

The Emotet botnet is a network of computers infected with Emotet malware and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the attackers’ command and control (C2) servers and are sent instructions to send out spam emails spreading Emotet malware.

Once the malware is downloaded, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are launched following the detection of Emotet, it is common for other computers to be discovered to be infected with the malware.

What makes Emotet particularly dangerous is the operators of the botnet pair up with other threat groups and deliver other malware variants. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice was the TrickBot Trojan. TrickBot is a banking trojan cum information stealer that also serves as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the developers of Ryuk ransomware.  Once TrickBot has stolen information, the baton is passed over to Ryuk, which will also steal data before encrypting files on the network. The new Emotet campaign started by distributing the TrickBot Trojan, although the payload has since switched to the QakBot banking Trojan.  QakBot also delivers ransomware as a secondary payload, with Prolock often used in the past.

Emotet emails use a variety of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets businesses, so the lures used are business-related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are often personalized, and threat actors are known to hijack email threads and send responses with malicious documents added.

An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.

Fortunately, Emotet malware is delivered via email which gives businesses an opportunity to prevent infections. By deploying an advanced spam filter such as SpamTitan that has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and block infections.

The return of Emotet was inevitable, and while the resumption of activity is bad news, there is some good news. A vigilante hacker has started sabotaging Emotet operations by targeting a weak link in their infrastructure. Emotet malware is downloaded from the internet from a range of hacked WordPress sites. The vigilante has found that the temporary stores of Emotet can be easily hacked as they tend to all use the same password. After guessing that password, the Emotet payload has been replaced with a variety of animated GIFs and has disrupted operations, reducing infections to around a quarter of their normal levels. That said, the Emotet gang is attempting to regain control of its web shells and infections with Emotet are still growing.

TitanHQ Implements New ArcTitan Email Archiving Systems

TitanHQ is performing a major update of the ArcTitan email archiving solution. That process is now well underway and existing ArcTitan users are being migrated to the new systems and will greatly benefit from the new and improved service.

The new and improved ArcTitan service is being delivered as a high availability, self-healing, horizontally scaled Kubernetes cluster. The new ArcTitan service uses a high availability Percona XtraDB MySQL database cluster within Kubernetes that handles all database operations. It is self-maintaining and can be scaled up with minimal user effort and no downtime.

The Kubernetes cluster has many components that work in harmony, with each of the components configured to be independently accessible to ensure availability and improve the reliability of the service. Since each component is independently available, in the event of one component going down, the remaining components will still be available. That means there will be minimal or no service outage, instead the single component will be taken offline and repaired without any effect on the others.

As is the case with the old ArcTitan service, all emails are given unique identifiers that are kept for the life of the archive. Emails are fully indexed, and the header, sender/receiver, body, and email attachments are all indexed separately. If historic emails need to be recovered, the indexing ensures millions of archived email messages can be searched and found in seconds.

The new ArcTitan systems encrypt and store raw email data in Replicated Persistent Storage. Ceph storage clusters are deployed which provide high performance block storage and file systems, with automated data replication and fail over.  For long term storage of email data, ArcTitan uses Amazon S3 to ensure reliability, redundancy, and scalability. ArcTitan indices are distributed across several Apache SoIr instances simultaneously.

ArcTitan customers will also benefit from a new graphical user interface (GUR) as shown in the image below:

TitanHQ is contacting all current ArcTitan users and is providing new account details that will need to be used to benefit from the new ArcTitan infrastructure. Applying the changes will require reconfiguration of the connector/mail server. Once that change has been applied, all mail will be directed to the new server for archiving.

Once TitanHQ has verified that the change has been made correctly, and all mail is being successfully sent to the archive on the new infrastructure, the original account will be closed off and will no longer accept emails. All emails from the old account will be migrated to the new infrastructure by TitanHQ and customers will be notified when that process has been completed. They will then have the chance to verify the migration has been completed. Once verified, the old account will then be deleted.

In the meantime, any emails stored using the previous account can still be searched and the archive will remain accessible if historical email needs to be accessed.

We are sure you will be happy with the changes and improved performance and reliability. If you have any questions about the new ArcTitan systems or your migration, our customer service team will be happy to help.

Phorpiex Botnet Activity Surges with Large-Scale Avaddon Ransomware Campaign

Over the past month there has been a surge in Phorpiex botnet activity. A botnet is a network of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. There are known to be around 500,000 computers in the Phorpiex botnet globally and the botnet has been in operation for almost 10 years.

The Phorpiex botnet has previously been used for sending sextortion emails, distributing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a massive Avaddon ransomware campaign that saw around 2% of companies targeted around the world.

Ransomware attacks have increased over the past few months, with many ransomware gangs delivering ransomware manually after gaining access to corporate networks by exploiting vulnerabilities in VPNs and other software or taking advantage of insecure default software configurations. There has also been an increase in ransomware attacks using email as the attack vector. Several ransomware variants are now being primarily delivered by email, and Avaddon ransomware was one of the biggest email threats in June. One week in June saw more than 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. companies.

Avaddon ransomware is a new ransomware variant that was first detected in June. The operators of Avaddon ransomware are advertising their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them appear to be JPG files on Windows computers. Windows computers hide file extensions by default, so the file attachment would appear to be named IMG123101.jpg on a Windows computer in the default configuration. If Windows had been changed to display known file extensions, the user would see the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would trigger the download and execution of Avaddon ransomware.

More recently, a campaign was detected that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments with malicious Excel 4.0 macros. In contrast to JavaScript files, which will run when opened by users, Excel macros require user action to run, so they are less effective. That said, users are instructed to enable the macros using a variety of social engineering techniques and they are still effective.

Avaddon ransomware searches for a range of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is supplied to a Tor site along with a unique user ID to allow the victim to login to pay the ransom for the keys to unlock encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery will only be possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

Several subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a ? emoji in the body of the email. This tactic is simple, yet effective.

There are several steps that can be taken by businesses to prevent Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat and teach employees how to recognize phishing and malspam threats and condition them to report emails to their security team. If possible, macros should be disabled on all end user devices, although the email attachments used often change and disabling macros will not therefore always prevent infection.

One of the best defenses against email threats such as phishing, malware and ransomware is to install a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam service, but also as an additional level of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to block zero-day phishing and malware threats.

For more information on protecting your organization from ransomware and other email threats, give the TitanHQ team a call today.

Phishing Scam Targets Remote Workers Returning to the Office

A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.

This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training.  The emails include the Office 365 logo and are short and to the point.

They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.

This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.

Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.

There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.

Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.

iCalandar Phishing Scam Attempts to Obtain Banking Credentials

A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.

iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.

Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.

As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.

There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.

These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.

Leading UK Private Equity Firm Invests in TitanHQ

One of the leading mid-market private equity investment firms in the United Kingdom has invested in TitanHQ. TitanHQ is headquartered in Galway, Ireland and is a fast-growing, global vendor of cloud-based cybersecurity solutions for SMBs, ISPs, and Managed Service Providers (MSPs) that serve the SMB market.

TitanHQ’s portfolio of solutions consists of SpamTitan Email Security, WebTitan Web Security, and ArcTitan Email Archiving. These solutions have been adopted by more than 8,500 businesses worldwide and are offered by approximately 2,500 MSPs in 150 countries.

TitanHQ, originally Copperfasten Technologies, was formed in 1999 and started life providing email security solutions to businesses in Ireland, but has since grown into a global company that provides SaaS solutions to companies including Pepsi, ViaSat, Virgin, O2, and Datto. The company has been recorded impressive growth and has become the leading provider of cloud-based security solutions to MSPs serving the SMB market, with an ARR of more than $15 million.

Livingbridge invests in companies with a value of up to £200 million and has an Enterprise 3 fund for investment in fast-growing companies up to the value of £50 million, with the latter fund used to invest in TitanHQ.

Livingbridge identified TitanHQ as a target for investment based on a proven track record at delivering powerful cloud-based SaaS solutions and being well positioned to benefit from strong, growing market momentum. The investment in TitanHQ will help accelerate the company’s ambitious growth plans through investment in people and product development.

TitanHQ received investment from Bill Mc Cabe’s Oyster Technology Investments at inception, and Oyster Technology Investments will continue to maintain a significant stake in the business.

“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said Ronan Kavanagh, Chief Executive Officer of TitanHQ. “The recent pandemic and the growth of WFH initiatives has further highlighted the need for multiple layers of cyber security and our solutions form key pillars in this security strategy.”

“We are delighted to be partnering with TitanHQ, a uniquely positioned business with a well-differentiated product portfolio operating in a fast-growing, attractive market that is benefiting from strong macro tailwinds,” said Nick Holder, Director at Livingbridge. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfil the company’s potential.”

TrickBot Malware Operators Adopt Black Lives Matter Malspam Campaign

As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.

In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was a huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus-themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.

It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries, the headlines have been dominated by stories about Black Lives Matter protests and counter-protests, and the public mood has presented another opportunity for the gang.

The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.

The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.

TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved its initial objective.

The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees on how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.

Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.

SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.

For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.

Join TitanHQ and Magic Johnson at MVP GrowthFest on June 23, 2020

The COVID19 pandemic has created challenges for all businesses which are trying their best to adapt to a new normal. Businesses are slowing opening up their offices once again but it will be a long time before a return to “business as usual.” In fact, massive changes have had to take place and life after lockdown is likely to be considerably different to life before it.

Managed Service Providers have also had to adapt, and many Channel companies have realized the massive changes due to the pandemic have brought a wealth of opportunities. They are not suffering as a result of the challenges but have adapted their operations and have gained considerable growth momentum. How have these forward-thinking MSPs turned the pandemic into profit? What have they done to grow their businesses in such difficult times?

On June 23, 2020, MSPs will have an opportunity to get answers to these questions and discover how they can grow their business and thrive during the pandemic and in a post-COVID-19 world.

In line with social distancing requirements, MVP GrowthFest is a virtual event where MSPs will have the opportunity to learn how obstacles that appear to be blocking progress are challenges that can easily be overcome.

MVP GrowthFest is a 3-hour event headlined by the 3-time NBA Most Valuable Player (MVP) Award winning superstar, Earvin “Magic” Johnson Jr. Magic Johnson will be providing insights into the obstacles he has faced during his life and how he succeeded through a combination of talent, tenacity, and a strong commitment to the community.

The event will celebrate the energy that powers growth and the drive to thrive in uncertain times and MSPs will be treated to four powerhouse panels where a combined 15 Channel All-Stars will be providing valuable insights and practical steps to not only survive the pandemic but use it as an opportunity to grow and thrive.

TitanHQ’s Sales Director, Conor Madden, will be leading a security powerhouse panel and will explain how selling security is best achieved through education, and how this approach is essential for the modern-day MSP tech stack.

Currently, cyberattacks are occurring at unprecedented levels. Cyber actors having seized the opportunities COVID-19 has given them. MSPs can position their security stacks front and central and help businesses protect against these threats.

MSPs will naturally need the right solutions, and that is an area where TitanHQ can help, being the leading provider of cloud-based email and web security solutions to MSPs serving the SMB marketplace. TitanHQ solutions have been developed specifically to meet the needs of MSPs and are available at a price point that allows them to be packaged easily to significantly boost profits.

At the security powerhouse, attendees will also hear from:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Three further powerhouse sessions will be taking place at MVP GrowthFest giving MSPs further insights and assistance to grow their businesses and boost profits. There will also be $2,000 in prizes given out at the event.

Managing Through Change

Featuring:

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

Featuring:

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

Featuring:

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is required

 Click Here to Book Your Place at MVP GrowthFest

Phishing Campaign Uses Fake Supreme Court Summons to Obtain Office 365 Credentials

A U.S. Supreme Court phishing campaign has been detected that uses a fake subpoena to appear in court as a lure to obtain Office 365 credentials. The emails are personalized and are addressed to the victim and claim to be a writ issued by the Supreme Court demanding the recipient attend a hearing. This is a targeted campaign rather than a spray and pray attack that attempts to obtain the credentials of high value targets such as C-Suite members.

The emails include a link that the recipient is required to click to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are required to enter their Office 365 credentials to view the subpoena.

The domain used is brand new and, as such, it is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also used multiple redirects to hide the destination URL in another attempt to thwart anti-phishing defenses.

Prior to the user being directed to the phishing page, they are presented with a CAPTCHA page. CAPTCHA is used to prevent web visits by bots, but in this case, it may be used to add legitimacy to the phish to make the request appear genuine. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the name of the user, further adding legitimacy to the scam. The CAPTCHA may also be a further attempt to make it difficult for the destination URL to be analyzed by security solutions.

This phishing campaign is realistic and uses urgency to get the user to take action quickly, rather than stopping to think about the request. There are signs that this is a scam, such as the domain name which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling mistakes which would not be expected of any Supreme Court request.

However, the sender name in the email was spoofed to make it appear to have been sent by the “Supreme Court”, the request is certain to scare some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into disclosing their login credentials.

Exchange Online protection (EOP), which is provided by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.

To improve protection against new phishing campaigns, an anti-spam solution is required that incorporates predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan incorporates these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation attacks.

SpamTitan can be layered on top of Microsoft’s Exchange Online Protection to serve as an additional layer to your email security defenses to ensure that more malicious emails are blocked and never reach end users inboxes.

Office 365 Phishing Scam Bypasses Multi-Factor Authentication

A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.

The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.

The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.

Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.

Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.

By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.

The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.

The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.

With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.

This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.

For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.

30% of British SMEs Have Suffered a COVID-19 Lockdown Phishing Attack

A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.

COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.

The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon their tried and tested phishing campaigns that they were running before the SARS-CoV-2 outbreak, and have repurposed their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.

The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.

On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.

Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.

Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection – The default spam filtering service that protects all office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.

Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.

As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.

Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.

For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.

Two New Phishing Campaigns Targeting Remote Workers

Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.

LogMeIn Spoofed to Steal Credentials

Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.

A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.

The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.

There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or using your standard bookmarks. Never use any information provided in the email. If the security update is genuine, you will be advised about it when you log in.

NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops

A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by attackers to take control of a victim’s computer.

The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays a graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if the content is enabled, and the client will be automatically executed.

The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.

Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud

The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.

WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirect to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless where they access the internet and allows different policies to be set when they are on and off the network.

For further information on these powerful cybersecurity solutions give the TitanHQ team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.

Webinar – Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan

Worried about protecting remote workers from phishing, zero-day attacks, malware and dangerous websites?   

On Thursday, May 21, TitanHQ will be hosting a webinar to explain how to better protect remote workers and their devices from attack. This webinar is ideal for current SpamTitan customers, prospective customers, Managed Service Providers and Small to Medium Enterprises.

We’ll show you why it’s vital  to protect against the  email and web component of cyberattacks – a web filter serves as an important, layer of security to block phishing attacks and malware and ransomware downloads.

Join Derek Higgins, Engineering Manger TitanHQ, Eddie Monaghan, Channel Manager TitanHQ, Marc Ludden, Strategic Alliance Manager TitanHQ and Kevin Hall, Senior Systems Engineer at Datapac on Thursday, May 21st @11am CDT.

We will discuss:

  • Covid-19 exploitation by cybercriminals in malicious cyber attacks
  • Meeting the challenge of protecting a fully distributed workforce

– Spotlight on WebTitan features and security layers for managing user security at multiple locations. Deep dive into the features and benefits of the latest version of WebTitan Security.

– The sophisticated nature of advanced persistent threats faced today and how WebTitan mitigates your risk against these threats.

  • Most cyberattacks have an email and web-based component –How WebTitan serves as a vital layer of security to block phishing attacks, malware and ransomware downloads.
  • Why WebTitan is the leading web security option for the Managed Service Provider who service the SMB and SME market.

Webinar Details

Webinar – Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan 

Date : Thursday, May 21st, 2020

Time : 11 – 11.30am CDT

 

Cybercriminals Take Advantage of Popularity of Zoom to Phish for Microsoft Credentials

Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.

Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.

According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.

The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.

In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.

Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.

One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.

Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.

Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.

Common Phishing Lures Currently Attracting Clicks

A new report has been released that sheds light on the most common phishing lures that are currently in use that are providing effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.

The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.

Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.

COVID-19 had been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.

SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.

SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.

The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.

If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and providing protection against email and web-based threats.

PerSwaysion Spear Phishing Attacks Conducted to Obtain Office 365 Credentials of Executives

A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.

Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.

The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.

The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.

Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.

The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.

Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.

It is possible that the attackers continue to access the compromised emails accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.

Spike in Skype and Zoom Phishing Attacks Targeting Remote Employees

The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained using communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.

Several campaigns have been identified that take advantage of the popularity of these platforms. One campaign has recently been identified that uses Skype branding advising users that they have pending notifications. The emails are personalized and include the Skype username and have a review button for users to click to review their notifications. These emails very closely resemble the genuine emails sent to users by Skype. The emails also appear, at first glance, to have been sent from a genuine address.

The link supplied in the email directs the recipient to a hxxps website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, it will display the green padlock to show that the connection is secure, as is the case on the genuine Skype domain. The webpage includes Skype branding and the logo of the company being targeted and states that the webpage has been set up for authorized use by employees of the company. The username of the victim is automatically added to the login page, so all that is required is for a password to be entered.

This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.

A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now has more than 300 million users.

In this campaign, Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers generate fear and urgency to get the targets to respond quickly without scrutinizing the messages. This campaign advises the recipients to login to a meeting with their HR department regarding their job termination. Clicking the link will similarly direct users to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts and bypassed EOP.

The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled by the emails. Security awareness training will help to condition employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.

This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365, it allows businesses to add an extra layer of protection on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware laced emails that would otherwise be delivered to Office 365 inboxes.

SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.

For further information on improving your phishing defenses, give the TitanHQ team a call today.

Phishing Campaign Piggybacks on Popularity of Dating Apps During Lockdown to Install Remote Access Trojan

Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.

The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups, instead the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.

The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.

The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.

The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.

As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating -themed lures.

The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.

TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.

Healthcare Providers Continue to be Targeted with COVID-19 Phishing Emails

Healthcare providers are being targeted by cybercriminals using COVID-19-themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.

The first major COVID-19-themed phishing attacks targeting healthcare providers started to be detected by around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.

Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.

The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.

The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including RYUK ransomware.

A diverse range of malware is delivered by a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are commonly used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.

While the number of COVID-19-themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.

The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.

The advice offered by the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.

The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.

Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats.

Study Reveals Extent of University Cyberattacks

Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.

Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.

Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.

It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.

Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.

Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.

Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.

Nation state-sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting-edge research and that information is extremely valuable to companies that can use the research data to develop products to gain a significant competitive advantage.

Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.

With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.

The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.

Independent tests show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in-depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages, and controls to detect potential email account compromises.

If you want to improve your cybersecurity defenses, start by upgrading your email security defenses with SpamTitan. You may be surprised to discover the little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.

Security Awareness for Remote Workers During COVID-19 Crisis

Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home as there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information, and install malware and ransomware.

Businesses may have already given their employees security awareness training to make sure they are made aware of the risks that they are likely to encounter and to teach them how to recognize threats and respond. However, working from home introduces many more risks and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. It is also important to provide security training for employees, and this is especially important for remote workers, as risk increases when employees are working remotely.

In this post we will highlight some of the key areas that must be addressed in work-from-home (WFH) security awareness training for the workforce.

Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens

Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.

The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.

During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.

With so many employees now working from home, and the speed at which companies have had to transition from a largely office-based workforce to having virtually everyone working from home may have seen security awareness training for remote workers put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.

Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks

Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.

Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and novel coronavirus-themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.

It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.

Shadow IT is a Major Security Risk

When employees are office-based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. The problem not only becomes harder to identify when employees work from home, the risk of unauthorized software being loaded onto corporate-issued devices increases.

Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given by the IT department.

The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and cryptocurrency miners.

How TitanHQ Can Help Improve Email Security

Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.

TitanHQ can’t help you with your remote worker cybersecurity awareness training, but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.

SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at the source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and email sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporates several real-time threat intelligence feeds to block current and emerging phishing attacks and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.

WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and web pages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.

For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!

TitanHQ Presenting at Blackpoint Cyber’s Remote Reality LIVE

Blackpoint Cyber announced its Remote Reality LIVE conference, which will occur online April 8th and April 9th 2020.

The conference will focus on managed service providers (MSPs) and how they can stay secure, profitable, and resilient as the world increases remote operations during the COVID-19 pandemic – registration and attendance are free. The two-day conference will include sessions by former leaders of the United States’ government cyber security and intelligence communities as well as cyber security experts and business veterans from the MSP services and technology industry.

Blackpoint Cyber announces its virtual cyber security conference for MSPs – Remote Reality LIVE. Featuring a keynote from the former Acting Director of the CIA and sessions from tech giants Datto, Webroot, Marketopia, and more.

Jon Murchison, Blackpoint’s CEO and founder, and former US government cyber operations expert, explains the conference’s objective: “IT services and infrastructure have become mission critical for organizations to survive in this new economic landscape brought on by COVID-19. MSPs are the key to our success and, especially during these times, a collective national asset to their respective countries. That’s why we are bringing together experienced government and industry leaders to help MSPs navigate the current economic and security environments. We’re excited to provide one of the first online and socially-distanced conferences dedicated to MSPs and cyber security.”

Blackpoint has partnered with leading technology, service, and marketing firms for the conference, including:

  • Datto: leading global provider of cloud-based software and technology solutions purpose-built for MSPs
  • Webroot: Cybersecurity Solutions Purpose-Built for MSPs and SMBs
  • Convergint: Global, Service-based Systems Integrator
  • Marketopia: Lead Generation and Marketing for Technology Companies
  • ID Agent: Dark Web and Identity Theft Protection
  • TitanHQ: Email and DNS Security
  • Compliancy Group: HIPAA Compliance-as-a-Service
  • Atlantic Data Forensics: Premier Incident Response and Forensics
  • ProSource Technology Solutions: Leading Managed Service Provider
  • Corporate Office Properties Trust (COPT): Premier Real Estate Investment Trust

Michael Morell, former Deputy Director and Acting Director CIA, will present the keynote session on national security implications of the Coronavirus outbreak. While at the CIA, Mr. Morell was President George W. Bush’s daily intelligence briefer during the 9/11 attacks and was awarded the Distinguished Intelligence Medal, the CIA’s second highest honor.

Additional former US government cyber security and intelligence expert speakers include: Bill Priestap, former FBI Assistant Director of Counterintelligence, Chris Inglis, Former Deputy Director of NSA, Dave Sears, retired Commander and Navy SEAL, and Kevin Donegan, former United States Navy Vice Admiral and previous commander of the US Navy’s 5th fleet out of Bahrain. Security and MSP industry leaders will also present informational sessions, such as lead generation in a virtual world, security in the MSP space, cyber security for commercial real estate, the threat landscape of remote workers, and more.

Matt Solomon, VP of Business Development & IT at ID Agent, shares his sentiments on the conference: “ID Agent is very excited to participate in one of the first virtual MSP events since in-person events have been taken off the schedule. MSPs still need education during this period and we are honored to be part of such an esteemed group of vendors.”

In addition to learning how to stay secure and prosper, conference attendees will also be eligible for giveaways and prizes.

Participants may register online: Remote Reality Live – Free Registration

Cybersecurity Best Practices for Home Workers

When it comes to cybersecurity and home working, CIOs and IT teams have a challenge – How to ensure the same level of protection is provided for remote workers as they get when they are in the office. To help we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting

The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.

The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.

One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.

Steps for IT Teams to Take to Improve Cybersecurity for Home Workers

Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.

Ensure VPNs are Provided and Updated

Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN will ensure that all traffic is encrypted, and data cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers, and you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and patches are applied, even if this means some downtime to perform the updates. VPN vulnerabilities are under active attack.

Set up Firewalls for Remote Workers

You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be implemented to protect remote workers’ devices. Home routers may have inbuilt firewalls. Talk employees through activating hardware firewalls if they have them on their home routers and ensure that passwords are set to prevent unauthorized individuals from connecting to their home Wi-Fi network.

Apply the Rule of Least Privilege

Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals and through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.

Ensure Strong Passwords are Being Set

To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.

Implement Multifactor Authentication

Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.

Ensure Remote Workers’ Devices Have Antivirus Software installed

Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.

Set Windows Updates to Automatic

Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.

Use Cloud-Based Backup Solutions

To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud-backup service.

Teach Cybersecurity Best Practices for Home Workers

All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.

Define Procedures for Dealing with a Security Incident

Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.

Implement a Web Filter

A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.

Use Encrypted Communication Channels

When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and secure text message communications, such as Telegram or WhatsApp.

Ensure Your Email Security Controls are Sufficient

One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.

Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solutions with data loss protection functions to protect against insider threats.

Monitor for Unauthorized Access

More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wide investment.

For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.

Email Security and Home Working During the COVID-19 Crisis

In this post, we explore email security and home working and offer advice to help businesses ensure their workers, devices, and networks are protected.

The 2019 Novel Coronavirus pandemic has forced many workers to self-isolate at home and an increasing number of employees want to work from home to reduce the risk of contracting COVID-19. Businesses are under pressure to allow their workers to stay at home and use either company-issued or personal devices to access their networks and work remotely.

Cybercriminals are constantly changing their tactics, techniques, and procedures and they have jumped at the opportunity provided by the Novel Coronavirus. People are scared and rightly so. COVID-19 has a high mortality rate and the virus is spreading like wildfire. People want information about cases in their local area, advice on how to protect themselves, and information about possible cures. Cybercriminals have obliged and are conducting phishing campaigns that claim to offer all that information. Many campaigns have now been detected from many different threat groups that attempt to obtain login credentials and spread malware. Since early January when the first major campaigns were detected, the volume of coronavirus and COVID-19 emails has increased significantly.

Campaigns are being conducted impersonating authorities on the Novel Coronavirus and COVID-19, such as the World Health Organization (WHO), the U.S. Centers for Disease Control and Prevention (CDC), the U.S. Department of Health and Human Services, and other government agencies. COVID-19-themed emails are being sent to remote workers that spoof HR departments warning about cases that have been detected within the organization. Health insurers are being spoofed in campaigns that include invoices for coverage for COVID-19.

Since January, more than 16,000 Coronavirus and COVID-19-themed domains have been registered which are being used to host phishing kits and distribute malware. Researchers at CheckPoint Software report that those domains are 50% more likely to be malicious than other domains registered in the same period.

Email security and home working will naturally be a major concern for IT teams given the sheer number of home workers due to the Coronavirus pandemic and the volume of attacks that are now being conducted targeting home workers. With so many devices now connecting to networks remotely, if cybercriminals do obtain credentials, it will be much harder for IT teams to identify threat actors connecting remotely. Fortunately, there are steps that can be taken to improve email security and home working need not majorly increase risk.

You should make sure that your employees can only connect to your network and cloud-based services through a VPN. Enterprise VPNs can be configured to force all traffic through the VPN to reduce the potential for error. Make sure that the VPN is configured to start automatically when the device is powered up.

It is crucial that all remote workers are protected by a robust and effective email security solution. It is not possible to stop cybercriminals targeting remote workers, but it is possible to stop phishing and malware threats from reaching inboxes.

To protect your employees against phishing attacks and malware, an advanced email security solution is essential. If you use Office 365 for email, do not rely on Office 365 email security. You will need greater protection than Exchange Online Protection provides to protect against phishing, spear phishing, and zero-day threats.

SpamTitan has multiple detection mechanisms to identify and block the full range of email threats. SpamTitan incorporates SPF and DMARC to provide protection against email impersonation attacks, machine learning algorithms and predictive technology to protect against zero-day attacks, advanced phishing protection from whaling and spear phishing attacks by scanning inbound email in real-time, dual antivirus engines to block malware threats, and email sandboxing for in-depth analysis of suspicious attachments. SpamTitan also includes 6 specialist RBLs, supports whitelisting, blacklisting, and greylisting, and incorporates multiple threat intelligence feeds.

There is an increased risk of insider threats with remote workers. To provide protection and prevent accidental policy violations, SpamTitan incorporates a data loss prevention filter to stop credit card numbers, Social Security numbers, and other data types from being sent via email.

No email security solution will be able to block 100% of email threats, 100% of the time. It is therefore important to provide regular cybersecurity training to employees to make them aware of phishing threats, train them how to identify a phishing email or social engineering scam, and to condition remote employees how to respond should a threat be received. Phishing simulation exercises are also useful to find out which employees require additional training and to identify possible gaps in training programs. IT security basic training refreshers should also be provided to ensure employees know what can and cannot be done with work devices.

Multifactor authentication must be implemented on all applications and email accounts to provide protection in the event of an account compromise. If credentials are stolen and used from a previously unknown location or an unfamiliar device, a second authentication factor must be provided before access is granted. You should also disable macros on all user devices unless a specific user needs to use macros for work.

You can arrange a demonstration to see SpamTitan in action and you can also sign up for a free trial to put SpamTitan to the test in your own environment.

TrickBot Trojan Now Includes Module for Brute Force RDP Attacks

The TrickBot Trojan is a sophisticated banking Trojan that was first identified in 2016. While the malware was initially just an information stealer concerned with stealing online banking credentials, the malware has evolved considerably over the past four years and several modules have been added that provide a host of additional malicious capabilities.

The TrickBot Trojan’s information stealing capabilities have been significantly enhanced. In addition to banking credentials, it will steal system and network information, email credentials, tax data, and intellectual property. TrickBot is capable of moving laterally and silently infecting other computers on the network using legitimate Windows utilities and the EternalRomance exploit for the SMBv1 vulnerability. The malware can add a backdoor for persistent access. TrickBot also serves as a malware downloader and will download other malicious payloads, including Ryuk ransomware.

The Trojan is frequently updated and new variants are regularly released. The Command and Control infrastructure is also constantly changing. According to an analysis by Bitdefender, more than 100 new IPs are added to its C&C infrastructure each month with each having a lifespan of around 16 days. The malware and its infrastructure are highly sophisticated, and while steps have been taken to dismantle the operation, the attackers are managing to stay one step ahead.

TrickBot is primarily distributed by spam email through the Emotet botnet. Infection with Emotet sees TrickBot downloaded, and infection with TrickBot sees a computer added to the Emotet botnet. Once all useful information has been obtained from an infected system, the baton is passed over to the Ryuk ransomware operators with a reverse shell opened giving the Ryuk ransomware operators access to the system.

A recent analysis of a variant captured by Bitdefender on January 30, 2020 has shown another method of distribution has been added to its arsenal. The Trojan now has a module for bruteforcing RDP. The brute force RDP attacks are mainly being conducted on organizations in the financial services, education, and telecom industries and are currently targeted on organizations in the United States and Hong Kong at this stage, although it is likely that the attacks will spread geographically over the coming weeks. The attacks are being conducted to steal intellectual property and financial information.

Since the TrickBot Trojan is modular, it can be constantly updated with new features and the evolution of the malware so far, and its success, means it will continue to be a threat for some time to come. Fortunately, it is possible to prevent infections by practicing good cyber hygiene.

Spam is still the primary method of delivery for both the Emotet Trojan and TrickBot so an advanced spam filter is essential. Since new variants are constantly being released, signature-based detection methods alone are insufficient. SpamTitan incorporates a Bitdefender-powered sandbox to analyze suspicious email attachments for malicious activity. This ensures the malicious activity of never-before-seen malware variants is identified and the emails are quarantined before they can cause any harm.

If you don’t need RDP, ensure it is disabled. If you do, ensure access is restricted and strong passwords are set. Use rate limiting to block login attempts after a set number of failures and ensure multifactor authentication is implemented to stop stolen credentials from being used.

For further information on SpamTitan Email Security and to find out how you can improve your defenses against email and web-based attacks, contact the TitanHQ team today.

Phishing Attack Ends in Ryuk Ransomware Infection for City of Durham, NC


The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.

Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.

There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.

Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and country. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.

Ruyk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. One installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.

TrickBot downloaded by Emotet malware, a notorious botnet and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This Trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.

In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.

The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.

To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.

Beware of COVID-19 Phishing Emails

Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.

People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.

Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.

The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.

The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.

The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.

Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.

In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.

Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.

With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.

US Infrastructure of Necurs Botnet Seized

Microsoft has announced it has taken control of the U.S. infrastructure of the Necurs botnet and has taken steps to prevent the botnet operators from registering new domains and the rebuilding the Necurs infrastructure.

The Scale of the Necurs Botnet

The Necurs botnet first appeared in 2012 and has grown into one of the largest spam and malware distribution networks. The botnet consists of around 9 million devices that have been infected with Necurs malware. Each device within the botnet is under the control of the cybercrime group behind the botnet.

The Necurs botnet is used to commit a wide range of cybercrimes by the operators of the botnet as well as other cybercriminal groups who rent out parts of the botnet as a service. The Necurs botnet was used for malware and ransomware distribution, cryptocurrency mining, and attacks on other computers to steal credentials and confidential data. The Necurs botnet also has a distributed Denial of Service (DDoS) module capable of performing massive DDoS attacks, although this function is yet to be used.

The main use of the botnet is spamming. The botnet has been used to send vast quantities of spam email, including emails pushing fake pharmaceutical products, pump and dump stock scams, and Russian dating scams. To give an example of the scale of the spamming, over a 58-day period of observation, Microsoft found that a single Necurs malware-infected computer had sent out 3.8 million spam emails to 40.6 million email accounts. That is just one infected device out of 9 million! In 2017, the botnet was being used to spread Dridex and Locky ransomware at a rate of around 5 million emails an hour and between 2016 and 2019 the botnet was responsible for 90% of email-based malware attacks.

The Takedown of Necurs Infrastructure

Microsoft has tracked the criminal activity of the Necurs botnet operators for 8 years. The gang is believed to be Evil Corp, the Russian cybercriminal group behind the Dridex banking Trojan. Evil Corp has been named the most harmful cybercrime group in the world.

The takedown of the Necurs botnet involved a coordinated effort by Microsoft and partners in 35 countries. Microsoft obtained an order from the U.S. District Court for the Eastern District of New York on March 5, 2020 to seize the U.S. domains used by the botnet operators. These domains were used to issue commands to the 9 million infected computers.

Simply seizing the domains would not be sufficient to take down the botnet, as the botnet’s command and controls servers could be rapidly rebuilt. Domains used by the threat actors are often taken down, so new domains are constantly registered weeks or months in advance.

The key to long-term disruption of the botnet was cracking the algorithm used by the threat actors to generate new domains. Microsoft analyzed the algorithm and calculated more than 6 million domains that would be used by the threat actors over the next 25 months. Steps have been taken to prevent those domains from being registered and becoming part of the Necurs infrastructure.

The 9 million devices around the world are still infected with Necurs malware. Microsoft and its partners have identified the infected devices and are working with ISPs and CERT teams around the world to rid those devices of the malware.

Phishing Attack Results in $2.6 Million Loss for Puerto Rico Government

Just a few days after new figures from the FBI confirmed business email compromise scams were the biggest cause of losses to cybercrime, news broke of a massive cyberattack on a Puerto Rico government agency. Cybercriminals had gained access to the email account of an employee, understood to work in the Puerto Rico Employee Retirement System.

The compromised email account was used to send requests to other government agencies requesting changes be made to standard bank accounts for remittance payments. Since the email account used was trusted, the changes to bank accounts were made. Scheduled payments were then made as normal and millions of dollars of remittance payments were wired to attacker-controlled bank accounts.

The Puerto Rico Industrial Development Company, a state-owned corporation that drives economic development of the country, was one of the worst hit. Emails were received requesting changes to bank accounts and two payments were made. The first payment of $63,000 was made in December and another payment of $2.6 million in January. Other departments were also targeted, including the Tourism Company. The latter made a payment of $1.5 million. In total, the scammers attempted to steal around $4.73 million.

The business email compromise scam was uncovered when those payments were not received by the correct recipients. Prompt action was then taken to block the transfers and some of the payments were frozen, but the government has not been able to recover around $2.6 million of the stolen funds.

A full investigation has been launched to determine how the attackers gained access to the email account to pull off the scam. While the method used has not been confirmed, BEC attacks usually start with a spear phishing email.

A phishing email is sent to a person of interest requesting urgent action be taken to address a problem. A link is supplied in the email that directs the user to a website that requests their email account credentials. The account can then be accessed by the attacker. Attackers often set up mail forwarders to receive a copy of every email sent to and from the account. This enables them to learn about the company and typical payments and construct highly convincing scam emails.

Once access to a corporate email account is gained, the BEC scam is much harder to identify and block. The best defense is to ensure that the initial phishing emails are not delivered, and that is an area where TitanHQ can help.

Phishing Most Common Method of Attack and BEC Scams Result in Highest Losses

A new report from the FBI’s Internet Crime Complaint Center (IC3) has revealed the extent to which phishing is used to attack businesses and the huge losses that have resulted from another form of email attack – business email compromise (BEC) scams.

In 2019, IC3 received 467,361 complaints about cybercrime and there were reported losses in excess of $3.5 billion, up from $2.7 billion in 2018. The true losses and number of attacks will be far higher, as not all crimes and losses are reported. Phishing, vishing, smishing, and pharming attacks were the most prevalent crime types with 114,702 complaints submitted to IC3 in 2019. Those attacks resulted in losses of more than $57 million.

Source: IC3

There were 23,775 complaints about BEC attacks and losses to those attacks were more than $1.776 billion. On average, BEC attacks result in losses of around $75,000 and the attacks accounted for 50.75% of all losses to cybercrime in 2019.

Business email compromise attacks involve the impersonation of a known individual or company and a fake invoice and fraudulent wire transfer request. Alternatively, changes to vendor’s bank account details or requested or changes to direct deposit accounts for payroll. These email impersonation attacks involve spoofing an email account or compromising an account, with the latter usually achieved with phishing emails.

Email is also used to deliver ransomware – 2,0417 incidents and $8,965,847 in losses – and malware and viruses – 2,373 incidents and $2,009,119 in losses.

The Importance of a Layered Approach to Email Security

As the IC3 2019 cost of cybercrime report shows, the most common attack vector is email, so how can business owners protect against email-based attacks?

Businesses can either purchase cybersecurity solutions directly or engage a managed service provider to look after cybersecurity. If the decision is taken to manage cybersecurity in-house, it is essential to adopt a defense in-depth strategy and implement multiple layers of protection. Should one cybersecurity solution fail to block a threat, other layers will prevent the attack from succeeding.

Many businesses have adopted Office 365 and use it for email. Microsoft includes a basic level of email protection for Office 365 as standard – Exchange Online Protection (EOP). EOP serves as the first layer of protection against phishing attacks, malware, and spam, but EOP alone is not enough to block sophisticated phishing attacks, BEC attacks, and zero-day malware threats. An additional layer of protection is required.

Advanced Protection Against Phishing and Business Email Compromise Attacks

TitanHQ has developed an advanced anti-spam solution – SpamTitan – that provides an additional layer of protection against email threats.

To protect against known malware threats, dual anti-virus engines are used. However, new malware variants are constantly being released. Before AV engines can block these new threats, the threat must be identified and the malware signature is then added to the AV engine’s virus definitions. Until that happens, threats will not be identified as malicious and will be delivered to inboxes.

To improve protection against zero-day threats, TitanHQ uses sandboxing fro email. When a suspicious or unknown email attachment is received, it is sent to the sandbox where it is subjected to in-depth analysis to identify command and control center callbacks and potentially malicious actions.

Office 365 accounts are targeted by cybercriminals and their new phishing campaigns are tested against Office 365 protections to make sure the emails are delivered. One previous study showed that 25% of phishing emails are delivered to Office 365 inboxes.

To ensure phishing threats are detected that would otherwise not be blocked by EOP, SpamTitan uses a range of advanced detection techniques. They include multiple real-time blackhole lists and threat intelligence feeds, multi-layered message analysis, SURBL’s, Bayesian analysis, greylisting, and more. Protection against email impersonation attacks and spoofing is provided through Sender Policy Framework and DMARC, and all outbound emails are scanned to identify potential email account compromises.

SpamTitan is a full-service email security solution that protects your business, your employees, and your clients from email-based attacks. With SpamTitan, you can adopt a layered approach to email security at a very low cost per user.

If you want to make sure that your business is protected from costly email-based attacks, give the TitanHQ team a call.

Emotet Phishing Campaigns Continue and New Wi-Fi Infection Method Identified

Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which are target businesses. One of the most recent campaigns uses a tried and tested technique to install the |Emotet Trojan. Malicious Word documents masquerading as invoices, estimates, renewals, and bank details.

The campaign mostly targets organizations in the United States and the United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target financial services, with around 8% of attacks on companies in the food and drink industry.

The malicious Word documents are either attached to emails or hyperlinks are included in the emails that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to prevent detection. Email security solutions that rely on AV engines to detect malware are unlikely to detect these zero-day threats as malicious.

Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.

Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.

When Emotet is installed, a worm.exe binary is dropped that runs automatically. It attempts to connect to nearly Wi-Fi networks and brute forces weak passwords. Once connected to a Wi-Fi network, a search is conducted for non-hidden shares on the network. An attempt is made to enumerate all users connected to the Wi-Fi network, devices are brute forced, and the Emotet binary is dropped.

How to Block Emotet

The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense in-depth approach and layered defenses.

The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses have used Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP will block all known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.

SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in-depth analysis to identify command and control server callbacks and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.

To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.

WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up-to-the-minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.

Other essential steps to take to tackle the threat from Emotet include:

  • Disable macros across the organization
  • Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
  • Set strong passwords to thwart brute force attacks
  • Ensure endpoint protection solutions are deployed on all devices
  • Provide security awareness training to employees
  • Conduct phishing simulation exercises to identify employees that require further training

The First California Consumer Privacy Act Lawsuit Has Been Filed

The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.

The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.

The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.

The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.

The California Consumer Privacy Act allows Californians to file for damages of up to $750 per data breach, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages up to $7,500,000 could potentially be claimed.

Enforcement of CCPA

Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Bercerra has already stated that he will make an example of businesses that fail to comply with CCPA.

It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.

How TitanHQ Can Help with CCPA Compliance

TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors – Email and the internet.

SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.

WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.

TitanHQ can also help covered entities comply with the right to know and right to delete consumer rights afforded by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data is held on them by a company, or requests all of their personal data is deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.

For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.

Tax Season Phishing Scams and Malspam Campaigns Start in Earnest

Tax season is now underway and business email compromise scammers have stepped up their efforts to obtain W-2 forms for tax fraud. These attacks often start with spear phishing emails targeting the CEO and the executive board. Once email credentials have been obtained, the accounts are then accessed, and emails are sent internally to payroll and the HR department requesting the W-2 forms of employees who have worked in the previous tax year.

Scammers target businesses as there is much greater potential for profit than attacks on individual taxpayers, although consumers also need to be wary of IRS-related phishing scams. This time of year sees an increase in IRS phishing scams. Scammers impersonate the IRS and send emails informing taxpayers about a tax refund that is due and demands are sent for outstanding tax, with threats of dire consequences if prompt action is not taken to address issues.

Advances in email security have meant cybercriminals have had to get creative as it is harder to sneak phishing emails past email defenses. Phishing scams are now commonly initiated via text message, post, and over the telephone. There has already been one campaign identified where consumers are being targeted using robocalls warning that Social Security numbers have been suspended after suspicious activity was detected.

While many of these scams seek personal information, others are conducted to spread malware. One threat group that started its tax-related scams early this year is the Emotet gang. A campaign is currently being conducted that uses emails containing fake signed W-9 forms.

Signed W-9 forms are requested by companies from their contractors if they have been paid in excess of $600 during the tax year. Many companies will have requested signed W-9 forms from their contractors to confirm addresses and tax identification numbers, so they will be expecting copies of these forms in their inboxes.

The Emotet emails are short and to the point, saying “Thank you for your help. Pleased see attached file.” The emails include a Word document attachment named W-9.doc. When the document is opened, the Office 365 logo is displayed along with text stating the document was created in OpenOffice and requires the user to enable editing and enable content. Doing so triggers the silent download of the Emotet Trojan.

This is just one of the tax-related messages being used by the Emotet gang. There are likely to be many more variants sent over the next few weeks. Other cybercriminal gangs will similarly be conducting their own tax-themed phishing campaigns to spread different malware variants and ransomware.

Businesses, tax preparers, and consumers need to be on high alert during tax season for phishing scams and emails spreading malware.

Now is a good time for businesses to review their cybersecurity defenses and enhance protection against phishing and malware attacks. If you use Office 365 and rely on the anti-phishing protections built into Office 365 (EOP), you should consider enhancing your anti-phishing and anti-malware protection with a third-party spam filter – One that has superior malspam detection capabilities.

This is an area where TitanHQ can help. SpamTitan uses a variety of advanced techniques to detect and block phishing threats and zero-day malware, including an email sandbox where unknown and suspicious email attachments are subject to in-depth analysis. Give the TitanHQ team a call to find out more about SpamTitan, improving Office 365 malware and phishing protection, and to arrange a product demonstration and free trial of SpamTitan.

In the meantime, take steps to alert your workforce about tax-season phishing scams and prepare them in case a phishing email arrives in their inbox. An email alert sent to your employees about the threat of tax-season scams could prevent a costly phishing attack or malware infection.

Novel Coronavirus Phishing Scam Uses Scare Tactics to Spread Emotet Trojan

A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.

The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.

A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.

A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.

The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.

If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.

To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.

More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.

Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.

For further information on protecting your email system, contact TitanHQ today.

Cost of Spam in Academia Calculated by Researchers

It has been well documented how much time businesses waste dealing with spam and there is no denying the threat that malicious spam emails (malspam) pose, but it is not just a problem for big business. Spam in academia is also a major problem.

A recent study published in the journal, Scientometrics, explores the cost of spam in academia. The study was primarily focused on spam emails sent by new, non-peer-reviewed journals that are attempting to gain a share of the market. These journals are adopting the same spam tactics often used by scammers to sell cheap watches and cut-price medications and for phishing and spreading malware.

Three researchers – Jaime A. Teixeira da Silva, Aceil Al-Khatib, and Panagiotis Tsigaria – attempted to quantify the amount of time that is being wasted dealing with those messages and the losses that result.

To assess the extent of the problem, the researchers used figures from several studies on spamming to obtain an average number of targeted spam emails that academics receive each day. They opted for a conservative figure of 4-5 messages, per academic, per day. Most of those messages take just a few seconds to open and read but that time mounts up. They assumed an average time of 5 seconds per message – less than half a minute per day. That equates to $100 per researcher, per year at an average hourly rate of $50. Using the United Nations estimate of the number of researchers in academia globally, the total global cost of spam in academia was estimated to be $1.1 billion a year.

That figure is based on the lost time alone and does not factor in non-targeted spam emails – bulk unsolicited emails not specifically targeting researchers. Add in the time dealing with those messages and the global cost reaches $2.6 billion a year. To put the cost into perspective, $2.6 million is much more than the time researchers devote to peer review, which has been estimated at a cost of $1.9 billion a year. The figures do not include the considerable losses due to phishing, malware, and ransomware attacks. Factor in those costs and the losses would be several orders of magnitude higher.

Co-author of the study, Panagiotis Tsigaris, a professor of economics at Thompson Rivers University in Canada, explained that there is no silver bullet when it comes to dealing with spam and suggested several ways that the cost of spam in academia could be reduced.

Tsigaris suggests that penalties should be increased for publishing in predatory journals, and that academics should be educated about spam email and that improvements should be made to email filtering technology.

Here at TitanHQ, we are well aware of the problem of spam, both in terms of the productivity losses that spam causes, and harm caused by malicious spam emails.

To help prevent losses and downtime due to spam and email-based threats, TitanHQ has developed a powerful, easy-to-use, and cost-effective cloud-based spam filtering solution called SpamTitan. SpamTitan has been independently tested and shown to block in excess of 99.9% of spam email, 100% of known malware and ransomware threats, and thanks to a host of detection measures and sandboxing, SpamTitan is also effective at blocking zero-day (new) malware and ransomware threats.

To find out more about SpamTitan and how you can block more spam and ensure malicious emails do not reach your researchers’ inboxes, give the TitanHQ team a call today.

TitanHQ Announces New Partnership with Pax8

TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.

Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.

Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.

Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.

SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.

Both solutions are quick and easy to implement, can be seamlessly integrated into MSPs service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.

“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”

Emotet Botnet Springs Back to Life and Massive Phishing and Spamming Campaigns Resume

The Emotet botnet took a Christmas holiday but it’s now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro that runs a PowerShell command that downloads and executes the Emotet Trojan.

The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.

The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.

Emotet sprung back to life on January 13, 2020, with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese, and Chinese.

The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host of new lures can be expected in 2020.

The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet, or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.

There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.

SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.

Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.

Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.