Blog
by titanadmin | May 27, 2024 | Phishing & Email Spam, Security Awareness, Spam Advice, Spam News |
Email phishing is the most common form of phishing, with email providing threat actors with an easy way of getting their malicious messages in front of employees. Phishing emails typically include a URL along with a pressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a button or link text relevant to the lure in the message. Email attachments are often added to emails that contain malicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.
While there are many email security solutions available to businesses, many lack the sophistication to block advanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While these are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at blocking zero-day attacks, business email compromise, and advanced phishing threats.
More advanced features include email sandboxing for detecting and quarantining zero-day malware threats and malicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can assess messages and identify threats based on how they differ from the messages that are typically received by the business. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. Independent tests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than 99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for installation on-premises on existing hardware, serving as a virtual anti-spam appliance.
Microsoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which are EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections are effective at blocking spam and known malware, they fall short of what is required for blocking advanced threats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed PhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam filter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group (APWG) has reported that more phishing attacks were conducted in 2023 than ever before.
Massive Increase in Text Message Phishing Scams
Blocking email phishing attempts is straightforward with advanced email security solutions, which make it much harder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is by switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major increase in SMS-based phishing attempts.
A recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS gateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone numbers for the study. They then waited to see how long it took for SMS phishing messages to be received. The study involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS phishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified 35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even set up URL shortening services on their own domains to hide the destination URLs. With these shortening services, the only way to tell that the domain is malicious is to click the link.
Blocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training. SMS phishing should be included in security awareness training to make employees aware of the threat, as it is highly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform makes creating training courses simple and the platform includes training content on all types of threats, including SMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver training in real-time in response to employee errors to ensure training is provided when it is likely to have the greatest impact – immediately after a mistake is made.
by titanadmin | May 26, 2024 | Phishing & Email Spam, Security Awareness |
Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.
Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.
The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.
Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, and allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is the user is shown the exact login page for the credentials being targeted. That means that the attacker does not need to create and maintain a copy of the login page.
When the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response from the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens and cookies in the response. In these CloudFlare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain and should be trained to always access login pages by typing the URL directly into the web browser.
Defending against sophisticated phishing attacks requires a combination of security measures including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering to block the malicious websites and inspecting HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.
by titanadmin | May 15, 2024 | Network Security, Phishing & Email Spam, Security Awareness |
The Black Basta ransomware-as-a-service (RaaS) group has been aggressively targeting critical infrastructure entities in North America, Europe, and Australia, and attacks have been stepped up, with the group’s affiliates now known to have attacked at least 500 organizations worldwide. In the United States, the group has attacked 12 of the 16 government-designated critical infrastructure sectors, and attacks on healthcare providers have increased in recent months.
Black Basta is thought to be one of multiple splinter groups that were formed when the Conti ransomware group shut down operations in June 2022. The group breaches networks, moves laterally, and exfiltrates sensitive data before encrypting files. A ransom note is dropped and victims are required to make contact with the group to find out how much they need to pay to a) prevent the publication of the stolen data on the group’s leak site and b) obtain the decryption keys to recover their encrypted data.
The group uses multiple methods for initial access to victims’ networks; however, the primary method used by affiliates is spear phishing. The group has also been observed exploiting known, unpatched vulnerabilities in software and operating systems. For instance, in February 2024, the group started exploiting a vulnerability in ConnectWise (CVE-2024-1709). The group has also been observed abusing valid credentials and using Qakbot malware. Qakbot malware is commonly distributed in phishing emails.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a cybersecurity alert about Black Basta in response to the increase in attacks. The alert shares indicators of compromise and the tactics, techniques, and procedures used by the group in recent attacks. All critical infrastructure organizations have been advised to implement a range of mitigations to make it harder for Black Basta ransomware affiliates to access internal networks and move laterally. The recommended mitigations will also strengthen defenses against other ransomware groups and should be considered by all businesses and organizations.
Phishing and spear phishing are common access vectors for ransomware groups and the initial access brokers many of the groups work with, including the operators of Qakbot malware. Strengthening phishing defenses should therefore be a priority. TitanHQ offers three products that help improve phishing defenses: SpamTitan Email Security, PhishTitan, and the SafeTitan security awareness training and phishing simulation platform.
SpamTitan is a comprehensive email security and spam filtering service that blocks the full range of threats including spam, phishing, malware, viruses, and other malicious emails. Independent tests have confirmed the solution has a 99.99% spam catch rate, Bayesian autolearning and heuristics defend against advanced email threats, recipient verification using SPF, DKIM, and DMARC, antivirus protection is provided using two leading anti-virus engines, and the solution incorporates sandboxing for deep analysis of suspicious files. The sandbox is capable of detecting threats from their behavior rather than email signatures and is capable of identifying and blocking zero-day malware threats. The solution is regularly rated the best spam filter for business by independent software review sites and is one of the most popular spam filters for MSPs.
PhishTitan is a powerful anti-phishing solution for businesses that use Microsoft 365 that protects against the advanced attacks that Microsoft’s EOP and Defender miss. The solution includes auto-remediation features to help businesses rapidly respond when they are targeted by cybercriminal groups, and integrates seamlessly with Microsoft 365, augmenting Microsoft’s protections to ensure that more phishing threats are identified and blocked. PhishTitan adds banner notifications to emails from external email accounts and warnings about unsafe content, rewrites URLs to show the true destination, provides time-of-click protection against malicious URLs, provides threat data and analytics to help users assess their risk profile, and subjects all emails to AI and LLM analysis, detecting phishing threats with a high degree of accuracy and blocking threats that Microsoft misses. The solution also uses real-time analysis and threat assessments to neutralize business email compromise and spear phishing attacks before they begin.
It is important to train the workforce on how to recognize and report phishing attempts. SafeTitan is a comprehensive security awareness training platform that provides training in bite-sized chunks. The training modules are no longer than 10 minutes and are easy to fit into busy workflows. By providing regular training each month, businesses can develop a security culture and significantly improve resilience to phishing and spear phishing attacks, especially when combined with phishing simulations. The phishing simulator includes templates from real-world ransomware campaigns, and they are regularly updated based on the latest threat intelligence.
As an additional protection, multi-factor authentication should be implemented on all accounts, and phishing-resistant MFA is the gold standard. Since vulnerabilities are often exploited, it is important to ensure that software, firmware, and operating systems are kept up to date with patches applied promptly. Ransomware groups such as Black Basta are quick to exploit known vulnerabilities in their attacks. Remote access software should be secured and disabled if it isn’t used, networks should be segmented to hamper lateral movement, and backups should be regularly made of all critical data, with copies stored securely offsite on air-gapped devices. Further recommended mitigations can be found in CISA’s StopRansomware Guide.
by titanadmin | May 14, 2024 | Industry News, Phishing & Email Spam |
TitanHQ has announced two new strategic alliances that will improve access to the company’s cybersecurity solutions in the Indian subcontinent and the Middle East. Evanti Tech is a Mumbai-based provider of IT infrastructure, cloud, and security services that helps to protect Indian businesses against cyberattacks, ransomware attacks, and other cybersecurity threats. The new alliance with TitanHQ will see Evanti Tech serve as a value-added distributor, incorporating TitanHQ’s cloud-based email security solutions into its cybersecurity suite to provide its clients with multi-layered protection capable of defending against a constantly evolving cyber threat landscape. The addition of TitanHQ’s email security solutions will allow the company to better protect its clients from email-based threats such as ransomware, malware, phishing, spear phishing, and business email compromise.
TitanHQ has also announced a new alliance with the Dubai, UAE-based cybersecurity managed service (CSMS) provider Nanjgels. Nanjgels protection methodology is based on five pillars of security – Protect, Identify, Detect, Remediate, Respond, with the company providing infrastructure security, user security, network security, data & app security, and security operations and response. Under the new alliance, Nanjgels will be adding SpamTitan email security solutions to its portfolio and will be offering them to all clients in the region to help them improve email security and block spam, phishing, spear phishing, BEC, ransomware, and other email threats.
The SpamTitan suite of products has been developed from the ground up to meet the needs of managed service providers and help them better protect their clients from email-based threats. SpamTitan includes double anti-virus protection to block known malware threats, email sandboxing to identify and block zero-day malware threats, protection against malicious links in emails, and spam detection mechanisms such as SPF, DKIM, DMARC, and greylisting to block more than 99.99% of spam and unwanted emails. The solution scans inbound and outbound emails and includes data loss protection features to combat insider threats.
Multi-award-winning SpamTitan is an ideal solution for protecting Microsoft 365 accounts. Almost 20% of phishing emails circumvent Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP). SpamTitan integrates seamlessly with Microsoft 365 to augment defenses and block the phishing and malware threats that Microsoft misses. SpamTitan has achieved 36 consecutive VB Bulletin Anti-Spam awards, and recent independent tests have confirmed the solution blocks in excess of 99.95% of malware.
TitanHQ’s multi-tenant solutions are hugely popular with managed service providers as they make it easy to sell, onboard, manage, and deliver advanced security solutions directly to their client base and reduce the amount of time that MSPs need to devote to protecting their clients. TitanHQ offers antispam solutions for MSPs, phishing protection, DNS filtering, email encryption, email archiving, security awareness training, and phishing simulations. If you are a managed service provider looking to improve security, contact TitanHQ to find out more about the TitanShield program and the products you can easily add to your security stack to better protect your clients.
by titanadmin | Apr 30, 2024 | Email Scams, Network Security, Phishing & Email Spam |
The U.S. government and education sectors are being targeted by cybercriminals looking to steal sensitive data. These sectors hold large volumes of sensitive data that are easily monetized, victims can be extorted, and access to compromised networks can be sold to other cybercriminal groups such as ransomware gangs. These attacks can result in significant data breaches, major financial losses, and reputational damage that is hard to repair.
The campaign uses a combination of two malware variants and vulnerability exploitation, and the attack starts with phishing emails with malicious attachments. The campaign was identified by researchers at Veriti and delivers the notorious Agent Tesla remote access trojan (RAT) and an information-stealing malware called Taskun. Agent Tesla provides attackers with remote access to networks and is often used by initial access brokers for compromising networks, with the access sold on to other cybercriminal groups. Agent Tesla can be used to download additional payloads and has comprehensive information-stealing capabilities. The malware can log keystrokes, take screenshots, and steal credentials from browsers, wireless profiles, and FTP clients.
Taskun malware is spyware that also has information-stealing capabilities. In this campaign, the malware is used to compromise systems and make it easier for Agent Tesla to be installed, establish persistence, and operate undetected for long periods. The campaign involves emails with malicious attachments, with social engineering techniques used to trick employees into running malicious code that exploits unpatched vulnerabilities in operating systems and Office applications. The campaign involves a reconnaissance phase to identify the vulnerabilities that can be exploited to maximize the chance of a highly impactful compromise. The vulnerabilities exploited in this campaign include several Microsoft Office remote code execution vulnerabilities dating from 2010 to 2018 and takes advantage of businesses with poor patch management practices, incomplete inventories of connected devices, and devices running outdated software due to issues upgrading.
Defending against email-based attacks involving multiple malware variants and vulnerability exploitation requires a multi-layered approach to security, with cybersecurity measures implemented that provide overlapping layers of protection. The first line of defense should be advanced spam filtering software to block inbound spam and phishing emails. SpamTitan from TitanHQ is an AI-driven cloud-based email filtering service that is capable of identifying and blocking spam and phishing emails and has advanced malware detection capabilities. In addition to dual antivirus engines, the SpamTitan hosted spam filter includes email sandboxing for behavioral detection of malware threats. In independent tests, SpamTitan was shown to block 99.983% of spam emails, 99.914% of phishing emails, and 99.511% of malware.
It is important to ensure that employees are made aware of the threats they are likely to encounter. Security awareness training should be provided to teach cybersecurity best practices, eradicate risky practices, and train employees to be vigilant and constantly on the lookout for signs of phishing and malware. The SafeTitan security awareness training platform makes it easy to develop and automate comprehensive training and keep employees up to date on the latest tactics used by threat actors. SafeTitan, in combination with TitanHQ’s cloud-based anti-spam service, will help to ensure that phishing and malware threats are identified and blocked.
Cybersecurity best practices should also be followed, such as implementing multi-factor authentication on accounts, ensuring patches are applied promptly, keeping software up to date, installing endpoint antivirus solutions, and network segmentation to reduce the impact of a successful attack. It is also important to ensure there is a comprehensive inventory of all devices connected to the network and conduct vulnerability scans to ensure weaknesses are detected to allow proactive steps to be taken to improve security.
