Spam News

Our spam news section provides up to date news on the latest threats that are likely to hit the inboxes of your employees. Cybercriminals are constantly changing tactics with new spam email campaigns, different social engineering techniques and new methods of installing malware and ransomware. By keeping up to date on the latest spam news, organizations can take timely action to mitigate risk.

In that regard, a spam filtering solution is essential. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be compromised. A spam filter will check all incoming email messages and search for common spam signatures in addition to checking senders’ email accounts against blacklists of known spammers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of known malicious domains.

Armed with the latest spam news, information security teams can send email alerts to their employees warning of pertinent threats that they need to be aware of.

This section also includes news on industry-specific attacks, in particular those that are being used to target the healthcare, education, financial services, legal and hospitality sectors.

Global Spam Email Levels at 2-Year High

Global spam email levels have been rising, with spam volume in July soaring to levels not seen since March 2015.

The figures come from the Symantec monthly threat report, which uses data from the Global Intelligence Network (GIN). Last month, global spam email levels increased by 0.6 percentage points to 54.9% of total email volume. The industry that received the most spam emails was the mining sector, with 59.1% of emails categorized as spam.

Spam emails include unsolicited marketing emails, offers of cut price medications and notices about women who have been trawling the internet for a man like you. While many of these emails are simply junk, the volume of malicious messages has been rising. In particular, spam messages containing malware.

Symantec reports that email malware has increased to levels not seen since December 2016. Last month, one in every 359 spam emails was used to deliver malware. The previous month, one in every 451 emails contained malware. The industry that received the most email malware levels was the agriculture, forestry and fishing sector, with one in every 152 emails containing malware.

Malware and Phishing Emails at The Highest Level Seen This Year

Malicious emails are being sent in campaigns targeting medium sized businesses, which registered the highest percentage of malware emails. Businesses with between 251 and 500 employees had the highest volume of malware in their inboxes, according to Symantec’s analysis. Large businesses – organizations with between 1,001 and 1,500 employees – had the highest rate of spam delivery as a whole.

While malware emails increased, the number of malware variants used in those emails dropped to 58.7 million variants from 66.3 million the previous month. Symantec notes that several malware families have now started being spread via email, which has contributed to the malware email volume.

In the past month, malware variants have been detected that are capable of generating their own spam emails from the infected device and sending malware copies to the victims’ entire address books. The Emotet banking Trojan now has this functionality and Reyptson malware also, with the latter sending itself to Thunderbird contacts.

This month, Microsoft has discovered a new tech support scam that is being distributed via spam email. Spam emails spoofing brands are being sent in large campaigns with links to websites that generate popups warning of suspicious activity and malware infections.

Symantec notes the volume of phishing emails has also increased with levels now at a 12-month high. One in 1,968 emails are used for phishing. Phishing attacks on the mining industry sector were the most common with one in 1,263 emails used for phishing, indicating targeted attacks are occurring.

Increase in Global Spam Email Levels Highlights Need for Effective Spam Filtering

The rise in global spam email levels highlights the need for an advanced email spam filter. Spam is a major drain on productivity and malware and phishing attacks are costly to mitigate. Employee security awareness programs are effective at preventing employees from falling for phishing scams, although a technological solution should be implemented to prevent spam emails from reaching inboxes. SpamTitan blocks more than 99.9% of spam and dual antivirus engines prevent the delivery of known malware.

If you are looking for the best spam filter for business use and want to protect your users and network from malicious emails, contact the TitanHQ team today for more information on SpamTitan.

Trickbot Malware Now Includes Self-Replicating Worm Module

Trickbot malware is a banking Trojan that has been around for a few years now, although its authors have recently developed a WannaCry ransomware-style worm module that allows it to spread much more rapidly.

The recent NotPetya attacks also included a similar module enabling the malware to be used in devastating attacks that wiped out entire systems.

This new method of speeding up the spread of malware takes advantage of a vulnerability in Windows Server Message Block, which is used to identify all vulnerable computers on a network that connect via the Lightweight Directory Access Protocol (LDAP).

Since the exploit is readily available, cybercriminals can use it in conjunction with malware to spread infections more effectively and quickly. Worms were once popular, although their use has died out. The use of worm-like elements with the WannaCry and NotPetya attacks has shown just how effective they can be, and also served as a reminder of why they were popular in the first place.

Far from isolated malware variants, we could be about to see a rise in the use of worm-like modules. Fortunately, for the time being at least, the worm module in Trickbot malware does not appear to be fully operational. That said, the malware is constantly being redeveloped so it is probable the flaws will be fixed soon.

The malware can gain access to online banking accounts enabling the attackers to empty bank accounts.  It is fast becoming one of the most prevalent banking Trojans, according to IBM X-Force. It is currently being used in targeted attacks on organizations in the financial sector around the world, with recent campaigns targeting banks in the UK and United States. The ability to spread throughout a network rapidly will make it much more dangerous.

Aside from the new worm-like module another change has been detected. PhishMe reports that it has identified a change to how the Trojan is distributed. Attacks have occurred via malvertising campaigns this year that redirect web users to sites hosting the Rig exploit kit, although Trickbot is primarily distributed via spam email sent via the Necurs botnet.

The latest change to the Trickbot malware campaign is helping the threat actors to evade anti-virus solutions. Previously, the Trojan has been installed via macro scripts in specially crafted office documents. The latest campaign update sees the attackers use a Windows Script Component (WSC) containing XML-format scripts. The same delivery mechanism has also been used to deliver GlobeImposter ransomware.

Ransomware Attacks on Small Businesses Cause Devastating Losses

Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.

A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.

1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.

Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.

22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack

The survey also showed the devastating impact of ransomware attacks on small businesses. More than one fifth of small businesses were forced to cease operations immediately after an attack. 22% of businesses were forced to close their businesses.

Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.

Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own security key. Those keys must be used carefully. A mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.

Multiple-device attacks are becoming more common. WannaCry-style ransomware attacks that incorporate a worm component see infections spread rapidly across a network. However, many ransomware variants can scan neworks and self-replicate. One third of companies that experienced attack, said it spread to other devices and 2% said all devices had been encrypted.

Can Ransomware Attacks on Small Businesses be Prevented?

Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.

Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.

A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.

Improving Defenses Against Ransomware

Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.

Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.

While ransomware can arrive as an attachment, it is usually downloaded via scripts of when users visit malicious websites. By blocking links and preventing end users from visiting malicious sites, ransomware downloads can be blocked. A web filtering solution can be used to block malicious links and sites.

Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.

As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.

A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.

Phishing by SMS: Smishing Attacks on The Rise

Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.

Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.

Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees.  However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.

In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.

Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.

Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.

Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.

Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.

  • As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
  • Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
  • It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
  • If a message containing a hyperlink is received, do not click on the link. Delete the message.
  • Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
  • If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
  • If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.

Ransomware and Phishing Attacks in 2017 Have Soared

A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.

CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.

This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.

IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.

Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.

Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.

More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.

Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.

The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats.  Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.

Reyptson Ransomware Spreads Itself by Emailing Itself to Contacts

Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.

There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.

Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.

New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.

The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.

The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.

Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.

Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.

However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.

Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.

One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.

Federal Agencies Urged to Use DMARC to Prevent Impersonation Attacks

A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.

The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.

The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.

Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.

DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.

The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.

The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments

Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.

Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.

Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies.  DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.

Ovidiy Stealer: A New Password Stealing Malware Priced to Maximize Sales

The Ovidiy Stealer is a password stealing malware that will record login credentials and transmit the information to the attacker’s C2 server. As with many other password stealers, information is recorded as it is entered into websites such as banking sites, web-based email accounts, social media accounts and other online accounts.

The good news is that even if infected, the Ovidiy Stealer will not record information entered via Internet Explorer or Safari. The malware is also not persistent. If the computer is rebooted, the malware will stop running.

The bad news is, if you use Chrome or Opera, your confidential information is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, since the malware is being constantly updated it is likely other browsers will be supported soon.

Ovidiy Stealer is a new malware, first detected only a month ago. It is primarily being used in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will spread to other regions.

Researchers at Proofpoint – who first detected the password stealing malware – believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also suggests that rather than email attachments, links to download pages are also being used. Samples have been detected bundled with LiteBitcoin installers and the malware is also being distributed through file-sharing websites, in particular via Keygen software cracking programs.

New password stealers are constantly being released, but what sets the Ovidiy Stealer aside and makes it particularly dangerous is it is being sold online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery via a spam email campaign. Due to the low price there are likely to be many malicious actors conducting campaigns to spread the malware, hence the variety of attack vectors.

Would be attackers willing to part with $13 are able to view the number of infections via a web control panel complete with login. Via the control panel they can manage their account, see the number of infections, build more stubs and view the logs generated by the malware.

Protecting against malware such as Ovidiy Stealer requires caution as it takes time before new malware are detected by AV solutions. Some AV solutions are already detecting the malware, but not all. As always, when receiving an email from an unknown sender, do not open attachments or click on hyperlinks.

Organizations can greatly reduce risk from this password-stealer and other malware spread via spam email by implementing an advanced spam filtering solution such as SpamTitan to prevent malicious emails from reaching end users’ inboxes. SpamTitan uses dual AV engines to maximize detections and blocks over 99.9% of spam email.

IRS Launches Campaign to Raise Awareness of Phishing Attacks on Tax Professionals

Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.

The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.

Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.

The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings.  The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”

Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.

The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.

Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.

The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.

Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.

Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.

Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.

IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”

The IRS recommends several measures to reduce risk:

  • Educate all employees on the risk from spear phishing and phishing in general
  • Ensure strong passwords are used
  • Always question emails – Never take them at face value
  • Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
  • Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
  • Use security software to block phishing emails and malware and ensure the software is updated automatically
  • Use the security settings in tax preparation software
  • Report suspicious emails to the IRS

57% Cyber Incidents Caused by Phishing and Social Engineering

Phishing and social engineering attacks are the biggest cyber risks faced by organizations. Not only are attacks on the rise, they are becoming more sophisticated. The increase in attacks and cost of mitigating cyber incidents is having a major negative impact on businesses.

Organizations can tackle the problem of phishing and social engineering by implementing technologies that preventing phishing emails from reaching end users’ inboxes and ensuring employees know how to identify threats and response when a malicious email arrives in their inbox.

One of the most effective ways of blocking these phishing and social engineering attacks is implementing an advanced spam filtering solution. SpamTitan blocks more than 99.9% of email spam and uses two antivirus engines to identify and block emails with malicious attachments.

Many organizations provide security training to their employees and teach them to be more security aware, although a new report from the Business Continuity Institute calls for businesses to do more in this regard. In order to tackle phishing and improve resilience to attacks BCI says user education needs to improve.

A one-off training program as part of an employee’s induction is no longer sufficient. Training should be an ongoing process with regular refresher training sessions provided throughout the year. Phishing simulation exercises are also highly beneficial for reinforcing training and gauging how effective training has been.

However, the study suggests only 52% of companies conduct awareness-raising seminars and just 55% conduct regular exercises on likely cybersecurity scenarios. Only 46% run desktop exercises such as attack simulations.

The BCI study confirmed just how often phishing and social engineering attacks result in cyber incidents. The report shows that 57% of cyber incidents involve phishing or social engineering emails. Malware is responsible for 41% of cyber disruptions, with spear phishing emails accounting for 30% of attacks. Ransomware has grown into a major issue in recent months and is behind 19% of cyber disruptions.

The survey was conducted on 734 individuals from 69 countries. Two thirds of respondents had experienced a cybersecurity incident in the past 12 months with 15% saying they had experienced 10 or more disruptions in the past year. 5% said they experienced between 11 and 20 incidents in the past 12 months, a further 5% experienced between 21 and 50 incidents and 5% said they experienced 51 or more incidents. Responding to these incidents takes up valuable time. 67% of attacks take more than an hour to resolve with 16% taking more than four hours.

These incidents are costing businesses dearly. 33% of organizations said the cost of those attacks exceeded €50,000, while 13% of respondents said they had spent over €250,000 remediating attacks. It should be noted that 40% of respondents that took part in the survey were from SMEs with an annual turnover of less than €1 million.

Cybercriminals are only likely to increase their efforts and conduct more phishing and social engineering attacks. It is therefore essential for businesses to have a high commitment to cyber resilience and to do more to improve cybersecurity defenses. The survey suggests only 60% of senior management are committed to improving their defenses, so there is still plenty of room for improvement.

NotPetya Ransomware Attacks Spread to 65 Countries

NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.

At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.

Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.

The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.

However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.

In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.

Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.

However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.

The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents.  As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.

Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.

Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.

Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.

Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.

Fake Invoices Used in New Locky Ransomware Campaign

The WannaCry ransomware attacks may have attracted a lot of press, but Locky ransomware poses a bigger threat to organizations with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and rapidly became the biggest ransomware threat. In recent months, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.

The actors behind Locky ransomware are constantly changing tactics to fool end users into downloading the malware and encrypting their files.

The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been developed for that ransomware variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting approximately 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.

The new Locky ransomware campaign uses a new variant of the ransomware which does not encrypt files on Windows operating systems later than XP. This appears to be an error, with new, updated version of the ransomware is expected to be launched soon. As with past campaigns, the latest batch of emails uses fake invoices to fool end users into installing the ransomware.

Fake invoices are commonly used to spread ransomware because they are highly effective. Even though these campaigns often include scant information in the email body, many end users open the attachments and enable macros. Doing so results in Locky being downloaded. There is still no free decryptor available to unlock Locky-encrypted files. Infections can only be resolved by paying a sizeable ransom payment or restoring files from backups.

Training end users to be more security aware will help organizations to reduce susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is to use an advanced spam filtering solution to prevent the messages from reaching end users’ inboxes. If emails are blocked, there is no chance of end users opening malicious attachments and installing the ransomware.

SpamTitan is an email security solution that can block these ransomware emails. SpamTitan blocks more than 99.9% of spam messages and dual anti-virus engines ensure malicious emails do not reach inboxes. While some anti-spam solutions have a high false positive rate and block genuine emails, SpamTitan’s false positive rate is extremely low at just 0.003%.

SpamTitan requires no additional hardware purchases, no staff training and the solution can be installed in a matter of minutes.

If you are unhappy with your current anti-spam solution or have yet to start protecting your inboxes from malicious messages, contact the TitanHQ team today for further information on how SpamTitan can benefit your business. TitanHQ also offers SpamTitan on a 30-day no-obligation free trial to allow you to see the benefits of the solution for yourself before committing to a purchase.

URL Padding Used in Latest Facebook Phishing Scam

A new Facebook phishing scam has been detected that attempts to fools end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.

As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.

URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.

What follows that apparent domain is a series of hyphens: m.facebook.com————-. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com————- is actually a subdomain of the site they are visiting.

The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.

The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.

One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.

Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims’ contacts.  PhishLabs, which discovered the new scam, says the attackers are currently using this phishing scam for the latter and are using the account access to spam end users’ contacts and conduct further phishing campaigns.

While the scam has been detected, it is currently unclear how links to the phishing website are being distributed. While it is possible that they are arriving via spam email, Phishlabs suggests SMS messages or messenger services are being used.

Southern Oregon University Phishing Attack Nets Criminals $1.9 Million

A recent Southern Oregon University phishing attack has clearly demonstrated why so many cybercriminals have chosen phishing as their main source of income.

Hacking an organization takes considerable planning and effort, typically requiring many hours of hard work and a considerable amount of skill. Phishing on the other hand is easy by comparison, requiring little work. Furthermore, the potential profits from phishing can be considerable.

The Southern Oregon University Phishing Attack Required a Single Email

The Southern Oregon University phishing attack involved a single phishing email. The attackers impersonated a construction company – Andersen Construction – that was building a pavilion and student recreation center at the University.

The attackers spoofed the email address of the construction firm and requested all future payments be directed to a different bank account. The university then wired the next payment to the new account in April. The payment was for $1.9 million.

The university discovered the construction firm had not received the funds three days later. The FBI was contacted as soon as the fraud was discovered and efforts are continuing to recover the funds. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable chunk is missing. Joe Mosley, a spokesperson for SOU said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”

In order to pull off a scam such as this, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find and universities often have construction projects taking place.

These attacks are known as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not clear whether the vendors email account had been hacked, but that step may not be required to pull off a phishing attack such as this.

Rise in BEC Attacks Prompts FBI Warning to Universities

In this case, the payment was substantial but it is far from an isolated incident. Last month, the FBI released a public service announcement warning universities of attacks such as this.

The FBI warned that access to a construction firm’s email account is not necessary. All that is required is for the scammer to purchase a similar domain to the one used by the firm. Accounts department employees may check the email address and not notice that there is a letter different.

By the time the university discovered a payment has not been received, the funds have already been cleared from the scammer’s account and cannot be recovered. Payments are commonly of the order of several hundred thousand dollars.

The FBI informed SOU that there have been 78 such attacks in the past year, some of which have been conducted on universities. However, all organizations are at risk from these BEC scams.

The Southern Oregon University phishing attack shows just how easy it can be for scammers to pull off a BEC attack. Protecting against this time of scam requires employees to be vigilant and to exercise extreme caution when requests are made to change bank accounts. Such a request should always be verified by a means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was made.

Restaurants Facing Barrage of Fileless Malware Phishing Attacks

Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.

The phishing attacks are used to install fileless malware – malware that remains in the memory and does not involve any files being written to the hard drive. Consequently, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.

While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.

The latest fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7; a group that has close associations with the Carbanak group.

The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to open the attached RTF file. RTF files have been discovered that are restaurant themed, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant chains.

One intercepted phishing email claimed to be a catering order, with the attachment containing a list of the items required. In the email, brief instructions explaining when the order is needed and how to view the list of ordered items. The email was brief, but it was particularly convincing. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before detection.

As with other phishing campaigns, the user is prompted to enable the content in the attached file. Opening the RTF file presents the user with a large image that they must click in order to view the contents of the document. The document is expertly crafted, appears professional and suggests the contents of the document are protected. Double clicking on the image and confirming with a click on OK will launch the infection process, running JavaScript code.

FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.

Further, the researchers checked the RTF file against VirusTotal and discovered none of the 56 AV vendors are currently detecting the file as malicious.

Corporate Phishing Emails Increased by 400% in Q2, 2017

Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.

Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.

The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.

A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.

The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.

Business email compromise attacks are also on the rise. Proofpoint’s annual Human Factor report showed BEC email attacks rose from 1% of message volume to 42% of message volume relative to emails bearing Trojans. Those attacks have cost businesses $5 billion worldwide.

These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.

SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.

If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.

MacRansom: A New, Free Ransomware-as-a-Service that Targets Mac Users

Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, although it is capable of encrypting files.

MacRansom is being offered under a ransomware-as-a-service (RaaS) model with the RaaS advertised to cybercriminals on a Tor network portal. In contrast to many RaaS offerings that require payment to be made before the RaaS can be used, the threat actors behind MacRansom are offering the RaaS free of charge.

Any would-be cybercriminal looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail email address and a version of MacRansom will be created according to the user’s specifications.

The authors of MacRansom claim they are professional engineers and security researchers with extensive experience in software development and a thorough understanding of the MacOS. They claim they have previously worked at Yahoo and Facebook.

The authors claim that MacRansom can be installed and will remain invisible to the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware variant uses a 128-bit industrial standard encryption algorithm that cannot be beaten unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be scheduled to run at a specific time set by the user. It can even be triggered when an individual plugs in an external drive into an infected machine to maximize the number of files that are encrypted. However, the ransomware is only capable of encrypting a maximum of 128 files.

The Ransomware is capable of checking if it is in a virtual environment, whether it is being debugged or if it has been installed in a non-Mac environment, in which case it will exit.

Security researchers at Fortinet – Rommel Joven and Wayne Chin Low – signed up for the RaaS and obtained a sample, but noted that under some circumstances it may not be possible to decrypt encrypted files even if the ransom is paid. They said, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number.  In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom payment of 0.25 Bitcoin – around $700.

Fortunately, infection requires the victim to run a file with an unidentified developer. They will therefore need to confirm they wish to do that before the file is run. This warning should be sufficient to prevent many end users from proceeding.

University of Alaska Phishing Attack Results in Exposure of 25,000 Individuals’ Data

A University of Alaska phishing attack has potentially resulted in attackers gaining access to the sensitive information of 25,000 staff, students and faculty staff.

The University of Alaska phishing attack occurred in December last year, although affected individuals have only just been notified. The phishing emails were sent to university employees. One or more individuals responded and were fooled into following the threat actors’ instructions.

Details of the exact nature of the phishing emails were not disclosed; however, as with other phishing scams, the emails appeared genuine and looked professional. By responding to the emails, the employees accidentally disclosed their usernames and passwords to the attackers. The attack resulted in ‘several’ email accounts being compromised.

The emails in the compromised accounts contained a range of sensitive information including names and Social Security numbers. In total, around 25,000 staff, students and faculty members had their information exposed.

The investigation into the University of Alaska phishing attack could not confirm whether any of the emails in the accounts were accessed or if information was copied by the attackers, although it remains a distinct possibility.

Due to the sensitive nature of data in the accounts, the University of Alaska had to inform all affected individuals by mail and offer credit monitoring and identity theft protection services. Victims will also be protected by a $1 million identity theft insurance policy.

A forensic analysis had to be conducted to determine the exact nature of the attack and which individuals had been affected – A process that took around 5 months. Staff had to be provided with additional training to improve awareness of credential phishing scams and were retrained correct handling of sensitive information. The notifications and mitigations came at a considerable cost.

The University of Alaska phishing attack was just one of many phishing attacks that have taken place in the United States over the past few months. The phishing attacks all have a common denominator. Employees were targeted, phishing emails reached inboxes, and end users followed the instructions in the emails.

Training staff to be aware of the threat of phishing can reduce susceptibility, although training did not prevent the University of Alaska phishing attack.

Even after receiving security awareness training, employees can make mistakes. A technology solution should therefore be implemented to stop phishing emails from being delivered to end users’ inboxes.

SpamTitan from TitanHQ offers excellent protection against phishing attacks, blocking more than 99.9% of spam, phishing emails and other malicious messages. SpamTitan is quick and easy to install, cost effective to implement and easy to maintain.

With SpamTitan installed, organizations can protect themselves against phishing attacks and avoid the considerable cost of data breaches.

For more information on SpamTitan and other TitanHQ security products, contact the sales team today and take the first step toward improving your defences against phishing attacks.

Beware of WannaCry Phishing Emails

Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.

An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.

The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.

The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.

Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.

Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.

Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.

The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.

A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine.  It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.

On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.

Jaff Ransomware: A New Variant from the Distributors of Locky

A new encryptor – Jaff ransomware – could be heading your way via email. Jaff ransomware is being distributed by the individuals responsible for distributing the Dridex banking Trojan and Locky ransomware. The gang has also previously used Bart ransomware to encrypt files in an attempt to extort money from businesses.

In contrast to Locky and many other ransomware variants, the individuals behind Jaff ransomware are seeking a huge ransom payment to unlock files, suggesting the new variant will be used to target businesses rather than individuals. The ransom demand per infected machine is 1.79 Bitcoin – around $3,300. The WannaCry ransomware variant only required a payment of $300 per infected machine.

The distributors have used exploit kits in the past to spread infections, although spam email is used for the latest campaign. Whether that will remain the only distribution mechanism remains to be seen. Millions of spam email messages have already sent via the Necurs botnet, according to Proofpoint researchers who identified the new encryptor.

The emails have a PDF file attachment rather than a Word document. Those PDF files contain embedded Word documents with macros that will download the malicious payload. This method of distribution has been seen with Locky ransomware in recent weeks.

The change in file attachment is believed to be an attempt to get users to open the attachments. There has been a lot of publicity about malicious Word documents attached to emails from unknown senders. The change could see more end users open the attachments and infect their devices.

Opening the PDF file will present the user with a screen advising them that the contents of the document are protected. They are prompted to ‘enable editing’ by ignoring the security warning and enabling macros. Enabling macros will result in infection. Jaff ransomware will then search for and encrypt a wide range of file types including images and multimedia files, databases, office documents and backups.

There is no known decryptor for Jaff ransomware. Recovery will depend on a viable backup existing that has not been encrypted by the ransomware. The alternatives are to pay the sizable ransom payment or permanently lose files.

To protect against the threat, an advanced spam filtering solution should be implemented to prevent the emails from reaching end users’ inboxes. As a failsafe, employees should be warned about the threat of ransomware and instructed not to open any file attachments from unknown senders. They should also be alerted to the threat from PDF files containing embedded word documents.

Who Conducted the WannaCry Ransomware Attacks? Link Found to North Korea

Who Conducted the WannaCry Ransomware Attacks?

The WannaCry ransomware attacks that started on Friday May 12 rapidly spread to more than 150 countries. While the attacks have been halted, IT security professionals are still scrambling to secure their systems and the search is now on for the perpetrators.

Malware researchers are analyzing the ransomware code and attack method to try to find clues that will reveal who conducted the WannaCry ransomware attacks.

At this stage in the investigation, no concrete evidence has been uncovered that links the attacks to any individual or hacking group, although a Google security researcher, Neel Mehta, has found a possible link to the Lazarus Group; a hacking organization believed to be based in China with links to North Korea.

The Lazarus Group is thought to be behind the attack on Sony Pictures in 2014 and the major heist on the Bangladesh central bank in February this year. While the link between the Lazarus Group and North Korea has not been comprehensively proven, the U.S. government is sure the group has been backed by North Korea in the past.

WannaCry Ransomware Code has been Reused

Mehta discovered parts of the ransomware code from the latest attacks were the same as code in a 2015 backdoor used by the Lazarus Group, suggesting the WannaCry ransomware attacks were conducted either by the Lazarus Group or by someone who has access to the same code.

Mehta also compared the code from the latest WannaCry ransomware variant and the backdoor to an earlier version of WannaCry ransomware from February and found code had been shared between all three. Symantec’s researchers have confirmed the code similarities.

Whether the Lazarus Group conducted the attacks is far from proven, and there is no evidence to suggest that were that to be the case, that the group had any backing from North Korea. The group could have been acting independently.

While some have called this link ‘strong evidence’, it should be explained that comparing code between malware samples does not confirm origin. Code is often reused and it is possible that the actors behind this campaign may have put in a false flag to divert attention from themselves onto the Lazarus Group and North Korea.

While the false flag idea is possible and plausible, Kaspersky Lab believes it is improbable and that the similarities in the source code point the finger of blame at the Lazarus Group.

Many Questions Remain Unanswered

The link with the Lazarus Group/North Korea is now being investigated further, but there are currently many questions unanswered.

The ransomware included a self-replicating function making it act like a worm, allowing it to rapidly spread to all vulnerable computers on a network. The sophistication of the attack suggests it was the work of a highly capable organization rather than an individual. However, the kill switch in the ransomware that was discovered by UK researcher ‘Malware Tech,’ allowed the infections to be halted. Such an ‘easily found’ kill switch would be atypical of such a sophisticated hacking group.

Previous attacks linked with the Lazarus Group have also been highly targeted. The WannaCry ransomware attacks over the weekend were purposely conducted in multiple countries, including China and Russia. The widespread nature of the attacks would be a departure from the typical attack methods used by Lazarus.

There are doubts as to whether North Korea would back an attack on its neighbours and allies, and while financially motivated attacks cannot be ruled out, past state-sponsored attacks have had a political purpose.

At this stage, it is not possible to tell who conducted the WannaCry ransomware attacks, but the latest discovery is an important clue as to who may be responsible.

WannaCry Ransomware Campaign Claims Victims in 150 Countries

On Friday May 12, a massive WannaCry ransomware campaign was launched, with the UK’s National Health Service (NHS) one of the early victims. The ransomware attack resulted in scores of NHS Trusts having data encrypted, with the infection rapidly spreading to networked devices. Those attacks continued, with 61 NHS Trusts now known to have been affected. Operations were cancelled and doctors were forced to resort to pen and paper while IT teams worked around the clock to bring their systems back online.

Just a few hours after the first reports of the WannaCry ransomware attacks emerged, the scale of the problem became apparent. The WannaCry ransomware campaign was claiming tens of thousands of victims around the world. By Saturday morning, Avast issued a statement confirming there had been more than 57,000 attacks reported in 100 countries. Now the total has increased to more than 200,000 attacks in 150 countries. While the attacks appear to now be slowing, security experts are concerned that further attacks will take place this week.

So far, in addition to the NHS, victims include the Spanish Telecoms operator Telefonica, Germany’s rail network Deutsche Bahn, the Russian Interior ministry, Renault in France, U.S. logistics firm FedEx, Nissan and Hitachi in Japan and multiple universities in China.

The WannaCry ransomware campaign is the largest ever ransomware attack conducted, although it does not appear that many ransoms have been paid yet. The BBC reports that the WannaCry ransomware campaign has already resulted in $38,000 in ransom payments being generated. That total is certain to rise over the next few days. WannaCry ransomware decryption costs $300 per infected device with no free decryptor available. The ransom amount is set to double in 3 days if payment is not made. The attackers threaten to delete the decryption keys if payment is not made within 7 days of infection.

Ransomware attacks usually involve malware downloaders sent via spam email. If emails make it past anti-spam solutions and are opened by end users, the ransomware is downloaded and starts encrypting files. WannaCry ransomware has been spread in this fashion, with emails containing links to malicious Dropbox URLs. However, the latest WannaCry ransomware campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1). The exploit for the vulnerability – known as ETERNALBLUE – has been packaged with a self-replicating payload which can spread rapidly to all networked devices. The vulnerability is not a new zero day however. In fact, Microsoft patched the vulnerability in its MS17-010 security bulletin almost two months ago. The problem is many organizations have not installed the update and are vulnerable to attack.

The ETERNALBLUE exploit was reportedly stolen from the National Security Agency by Shadow Brokers, a cybercriminal gang with links to Russia. ETERNALBLUE was allegedly developed as a hacking weapon to gain access to Windows computers used by enemy states and terrorists. Shadow Brokers managed to steal the tool and published the exploit online in mid-April. While it is not known whether Shadows Brokers is behind the attack, the publication of the exploit allowed the attacks to take place.

The exploit allows the attackers to drop files on a vulnerable system, with that file then executed as a service. The dropped file then downloads WannaCry ransomware, which searches for other available networked devices. The infection spreads before files are encrypted. Any unpatched device with port 445 open is vulnerable.

The WannaCry ransomware campaign would have resulted in far more infections had it not been for the actions of a security researcher in the UK. The researcher –@MalwareTechBlog – found a kill switch to prevent encryption. The ransomware attempts to communicate with a specific domain. If communication is possible, the ransomware does not proceed with encryption. If the domain cannot be contacted, files are encrypted.

@MalwareTechBlog discovered the reference to the nonsense domain, saw that it was unregistered and bought it. By doing so, the ransomware attack was thwarted. The domain checking mechanism was presumably added to prevent the ransomware from running in a sandbox environment.

However, a new version of the ransomware without the kill switch has reportedly already been released, which could see the victim count increase substantially over the next few days. Organizations that have not applied Microsoft’s patch are advised to do so as a priority to block the attack.

The massive ransomware attack should serve as reminder to all organizations of the importance of applying patches promptly. That will be a particularly painful reminder for many organizations that fell victim to this preventable ransomware attack.

Sabre Corporation Data Breach: PII and Payment Card Data Potentially Exposed

A Sabre Corporation data breach has potentially resulted in the theft of credit card details and PII from the SynXis Hospitality Solutions reservation system. The Sabre Corporation data breach was acknowledged in Sabre Corp’s Q2 10-Q filing with the Securities and Exchange Commission. Few details about the security incident have been released as the incident is currently under investigation.

What is known is the incident affects SynXis, a cloud-based SaaS used by more than 36,000 independent hotels and global hotel chains. The system allows employees to check room availability, pricing and process bookings.

Sabre Corporation recently discovered an unauthorized third party gained access to the system and potentially viewed the data of a subset of Sabre Corp’s hotel clients. Information potentially compromised as a result of the Sabre Corporation data breach includes the personally identifiable information and payment card information of hotel guests.

At this stage, Sabre Corporation is still investigating the breach and has not disclosed how the individual gained access to the payment system or when access was first gained. Sabre Corp is currently trying to determine exactly how many individuals have been affected, although affected companies have now been notified of the incident.

Sabre Corp has confirmed that the security breach only affected its SynXis Central Reservations system and unauthorized access has now been blocked. Law enforcement has been alerted to the incident and cybersecurity firm Mandiant contracted to conduct a full forensic investigation of its systems.

The Sabre Corporation data breach is the latest in a string of cyberattacks on hotel chains. Hyatt Hotels Corp, Kimpton Hotels and Restaurants, Omni Hotels & Resorts, Trump Hotels, Starwood Hotels & Resorts, Hilton Hotels, HEI Hotels & Resorts and InterContinental Hotels Group have all experienced data breaches in recent months that have resulted in the attackers gaining access to their card payment systems.

While the method used to gain access to Sabre’s system is not yet known, similar cyberattacks on hotel reservation and payment systems have involved malware and compromised login credentials.

If malware is installed on systems it can be used to monitor keystrokes and record login credentials. The sharing of login credentials and poor choices of passwords can also allow attackers to gain access to login credentials.

To protect against cyberattacks, hotels and their contracted SaaS providers should use layered defences including multiple systems to prevent the downloading of malware and multi-factor authentication to reduce the risk from compromised login credentials being used to gain access to POS systems.

Web filters should be used to control employees’ Internet access and downloads, an antispam solution used to prevent malicious emails from reaching end users’ inboxes and anti-virus and anti-malware solutions should be kept up to date and set to scan networks regularly.

Organizations in the hospitality sector must also ensure they have the basics correct, such as changing default passwords, using strong passwords and employing good patch management policies.

IC3 Issues Warning About Business Email Compromise Scams

The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.

The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.

In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.

Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.

The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.

Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.

Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.

Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.

IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.

Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.

The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.

IC3 lists the five most common types of business email compromise scams as:

  1. Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
  2. An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
  3. A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
  4. The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
  5. A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.

There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.

IC3 recommends:

  • Using a domain-based email account rather than a web-based account for business email accounts
  • Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
  • Implement a two-step verification process to validate all transfer requests
  • Use two-factor authentication for corporate email accounts
  • Never respond to an email using the reply option. Always use forward and type in the address manually
  • Register all domains that are similar to the main domain used by the company
  • Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
  • Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers

Millions Affected by Google Phishing Scam

A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.

In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.

The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’

This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.

Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.

The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.

Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.

If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.

The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.

58% of UK Office Workers Open Email Attachments from Unknown Senders

Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.

Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.

Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.

Employees Still Lack Security Awareness

Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.

A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.

Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.

When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.

How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.

The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.

20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.

How to Improve Defenses Against Email Attacks

Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.

Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.

Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.

A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.

Healthcare Ransomware Attacks Accounted for 50% of All Security Incidents

Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.

Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.

However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).

NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.

Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.

With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.

The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.

Web-Based Attacks Fall: Ransomware Attacks on Businesses Soar

There was some good news in the latest installment of the Symantec Internet Security Threat Report. Web-based attacks have fallen year on year, but ransomware attacks on businesses have sky rocketed. Sabotage and subversion attacks have also risen sharply in the past 12 months.

The Internet Security Threat Report shows that exploit kit and other web-based attacks fell by 30% in 2016, but over the same period, ransomware attacks on businesses increased by 36%.

Ransomware has proved popular with cybercriminals as attacks are easy to perform and money can be made quickly. If an attacker succeeds in encrypting business data, a ransom must be paid within a few days. In the United States, where the majority of ransomware attacks occur, 64% of businesses pay the ransom.

Web-based attacks on the other hand typically take longer and require considerably more technical skill. Cybercriminals must create and host a malicious site and direct end users to the site. Once malware has been downloaded, the attackers must move laterally within the network and find and exfiltrate sensitive data. The data must then be sold.

Ransomware attacks on businesses are far easier to conduct, especially using ransomware-as-a-service. All that is required is for criminals to pay to rent the ransomware, set their own terms, and distribute the malware via spam email. Many ransomware authors even provide kits with instructions on how to customize the ransomware and conduct campaigns. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks.

The Symantec Internet Security Threat Report charts the rise in popularity of ransomware. Symantec detected 101 separate ransomware families in 2016. In 2014 and 2015 the count was just 30. Symantec’s ransomware detections increased from 340,665 in 2015 to 463,841 in 2016. Ransomware as a service has played a major role in the increase in attacks.

Ransom demands have also increased in the past year. In 2015, the average ransom demand was $294 per infected device. In 2016, the average ransomware demand had increased to $1,077.

Fortunately, good data backup policies will ensure businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks on businesses are costly to resolve. Cybersecurity firms need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.

Ransomware attacks on businesses typically see computers locked for several days, causing considerable loss of revenue for companies. Customer breach notifications may also need to be issued. Ransomware attacks can cost tens or hundreds of thousands of dollars to resolve, even if no ransom is paid.

Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.

Symantec’s figures show that spam email volume has remained constant year on year, with spam accounting for 53% of email volume in 2016.

In 2016, one in 2,596 emails involved a phishing component, down from one in 965 in 2014. Phishing attacks may be down, but malware attacks increased over the same period.

Malware-infected email attachments and malicious links to malware-infected websites accounted for one in every 131 emails in 2016, up from 1 in 220 in 2015 and 1 in 244 in 2014. In 2016, 357 million new malware variants were detected, up from 275 million in 2014.

The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. While that is a considerable decrease from the previous year, web-based attacks still pose a significant threat to businesses.

Web-based attacks could also increase this year. The Symantec Internet Security Threat Report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.

The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1,209 breaches reported.

The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.

Protecting against data breaches and cyberattacks requires comprehensive, multi-layered security defenses. TitanHQ offers a range of cybersecurity solutions for SMEs to help them improve their security posture and protect against web-based and email-based security threats.

For more information on how you can improve your security posture, and information on the best spam filter for business use, contact the TitanHQ team today.

Cerber Becomes the Biggest Ransomware Threat

2017 was the year when Locky Ransomware first arrived on the scene, with the ransomware variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February and continued to rise in the first half of the year. The ransomware variant was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.

As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat. Locky now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat – by some distance – is Cerber ransomware.

Cerber ransomware is now behind 90% of all global ransomware infections, with those attacks performed using many different variants of the ransomware. Cerber has even surpassed TeslaCrypt; a previously highly prevalent ransomware variant that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ stood at 70%, although that increased to 90% by the end of Q3.

The secret of the success of Cerber lies not only in the sophistication of the ransomware, but how it is being used and distributed. Cerber ransomware has become the biggest ransomware threat because it is not only the authors that are using it to attack organizations. There is now an army of affiliates using the ransomware. Those affiliates do not need programming experience and neither much in the way of technical skill. Their role is simple. They are simply distributors who get a cut of the profits for any ransoms they manage to generate.

Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.

The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.

With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.

All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.

Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.

Phishing Attacks on Schools Spike – Is Your School Doing Enough to Prevent Attacks?

In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.

Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems.  Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.

Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.

No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.

Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.

Recent Phishing Attacks on Schools, Colleges, and Universities

Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.

Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.

This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.

Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.

Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.

How to Improve Defenses Against Phishing Attacks

Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.

An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.

It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees and students from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.

Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.

IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.

Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.

Improve Your Phishing Defenses with TitanHQ

The TitanHQ team have worked on email anti-spam solutions for schools, web filtering for the education sector, and email archiving for schools for over 20 years. We have a deep understanding of the security issues that all schools and colleges face when trying to protect students, school staff and visitors. TitanHQ has developed products to address the needs of schools and block threats such as phishing, malware, and ransomware, while ensuring compliance with federal and state laws.

TitanHQ offers schools a powerful and highly effective email security solution – SpamTitan – which blocks in excess of 99.9% of spam and 100% of known malware threats. The award-winning solution is the single-most important measure to block phishing and malware threats, the majority of which are delivered via email.

WebTitan offers safe internet browsing for children, providing protection from harmful and obscene web content whether students are studying at school or at home. Web security is available for all devices, and in addition to blocking age-inappropriate web content, will prevent access to known phishing websites and will block malware and ransomware downloads.

If you want to improve your defenses against phishing and malware in the most cost effective way possible, give the TitanHQ team a call today. Both solutions are available to schools and other educational institutions on a 30-day 10% free trial, which will allow you to see for yourself the difference each makes and why so many schools have already implemented these solutions.

Microsoft Patches Actively Exploited Zero-Day Vulnerability in Microsoft Word

Microsoft has finally patched a zero-day vulnerability in Microsoft Word that has been exploited by cybercriminals for months. Recently, the vulnerability has been exploited by the gang behind the Dridex banking Trojan.

The remote code execution vulnerability (CVE-2017-0199) affects the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability is a logic flaw rather than a programming error, which makes defending against attacks difficult.

The bug affects RTF files. The spam email campaigns use RTF files containing an embedded OLE2Link object, which downloads an HTA (HTML Application) file containing malicious code when the document is opened. No user interaction other than opening the file is required to infect the end user’s device.

There is some debate as to how long the vulnerability has been actively exploited in the wild. Attacks may have been occurring as early as November 2016 according to SophosLabs, although certainly since the start of 2017. Over the past two months, the vulnerability has been extensively exploited to deliver the Dridex banking Trojan.

The zero-day vulnerability in Microsoft Word has been exploited for espionage purposes in Russian speaking countries, while FireEye observed the exploit being used to distribute Latentbot malware. Latentbot is an information stealer with the ability to corrupt hard drives.

Many security companies have been tracking the vulnerability, although it was McAfee that announced the existence of the actively exploited flaw on Friday last week. The flaw exists in virtually all Microsoft Word versions and does not require macros to be enabled in order for malicious code to run.

Employees are advised never to enable macros on documents unless they are 100% certain that a document is legitimate; however, this zero-day exploit does not rely on macros. Simply opening the Word document on an unpatched Office installation is likely to result in infection.

This makes the vulnerability particularly dangerous. Any end user that opens a specially crafted Word document would automatically run the code which would see the Dridex Trojan (or another malware) downloaded. One protection that can prevent the malicious code from running is to enable Protected View mode. However, the code will run when Protected View is turned off.

The malicious emails sent out in at least one campaign have the subject line “scanned data” with the RFT file attachments containing the word ‘scan’ followed by a random string of numbers, according to Proofpoint.

To protect against this exploit, the patches for both Office and Windows that were released by Microsoft on Tuesday April 11, 2017 should be applied. However, in order to apply the security update, Service Pack 2 for Office 2010 must be installed.

If it is not possible to apply the Microsoft updates immediately, you can configure your spam filter to block RTF files or add RTF files to the list of documents to block in the Microsoft Office Trust Center.

Kelihos Botnet Takedown: Spam King Arrested

Yesterday, the U.S. Department of Justice announced that one of the leading email spammers has been arrested as part of an operation to disrupt and dismantle the infamous Kelihos botnet.

The Kelihos botnet is a network of tens of thousands of computers that are used to launch massive spamming campaigns comprising millions of emails. Those spam emails are used for a variety of nefarious purposes including the distribution of ransomware and malware. The botnet has been extensively used to spread fake antivirus software and spread credential-stealing malware.

Computers are added to the Kelihos botnet using malware. Once installed, Kelihos malware runs silently and users are unaware that their computers have been hijacked. The Kelihos botnet can be quickly weaponized and used for a variety of malicious purposes. The botnet has previously been used for spamming campaigns that artificially inflate stock prices, promote counterfeit drugs and recruit people to fraudulent work-at-home schemes.

Pyotr Levashov is believed to operate the botnet in addition to conducting a wide range of cybercriminal activities out of Russia. In what turned out to be an unwise move, Levashov left the relative safety of his home country and travelled to Barcelona, Spain on holiday. Levashov was arrested on Sunday, April 9 by Spanish authorities acting on a U.S. issued international arrest warrant.

Levashov is suspected of playing a role in the alleged Russian interference in the U.S. presidential election in 2016, although Levashov is best known for his spamming activities, click fraud and DDoS attacks.

Levashov, or Peter Severa as he is otherwise known, is heavily involved in distributing virus spamming software and is believed to have written numerous viruses and Trojans. Spamhaus lists Levashov in seventh place on the list of the 10 worst spammers.

Levashov is believed to have run multiple operations that connected virus developers with spamming networks, and is suspected of running the Kelihos botnet, the Waledac botnet – which was taken down in 2010 – and the Storm botnet.  Levashov was indicted for his role in the latter in 2009, although he managed to avoid extradition to the United States. At the time, Storm was the biggest spamming botnet in operation and was used to send millions of emails every day. Levashov also moderates many spamming forums and is well known in underground circles. Levashov is believed to have been extensively involved in spamming and other cybercriminal activities for the past 20 years; although to date he has avoided prosecution.

A statement released by the U.S. Department of Justice reads, “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.”

The DOJ operation also involved the takedown of domains associated with the Kelihos botnet starting on April 8, 2017. The DOJ says shutting down those domains was “an extraordinary task.”

While it is certainly good news that such a high profile and prolific spammer has been arrested and the Kelihos botnet has been severely disrupted, other spammers are likely to soon take Levashov’s place. Vitali Kremez, director of research at Flashpoint said his firm had seen chatter on underground forums indicating other major spammers are responding to the news of the arrest by taking acting to secure their own operations. There may be a blip in email spam volume, but that blip is only likely to be temporary.

Denver Public Schools Phishing Scam Sees Employees Wages Stolen

The importance of anti-phishing training for staff members has been highlighted this week following a major incident in Denver. A targeted Denver Public Schools phishing scam saw at least 30 members of staff divulge their usernames and passwords to scammers.

The Denver Public Schools phishing scam enabled attackers to gain access to accounts, which allowed information to be gained to access to the school district’s payroll system. The attackers changed the routing numbers for payments to employees and directed the payments to their own accounts. More than $40,000 that had been set aside to pay staff wages was stolen.

Staff members have now been paid and efforts are continuing to recover the stolen funds. At least 14 direct deposits were made and have not been recovered. The school district is hoping that the payments will be covered by an insurance policy. The incident has been reported to the Colorado Bureau of Investigation and the incident is being investigated to try to identify the individuals behind the scam.

The Denver Public Schools phishing scam was highly convincing; however, questions will be asked about how so many employees fell for the scam and disclosed their login credentials. The school district has confirmed that efforts were made to educate its employees on the risk of phishing prior to the attack taking place.

Denver Public Schools employs 13,991 members of staff. The response percentage was therefore very low, but it can only take one individual to respond to such a scam for serious financial harm to be caused.

A Bad Year for Phishing Attacks on Schools

Phishing attacks on schools are commonplace, but this year has seen attacks soar. For instance, in 2017, there have been 141 reported W-2 phishing scams, 33 of which affected schools, colleges and universities.

While phishing scams used to be fairly easy to detect, now they are becoming much more sophisticated. It is now not easy to tell a phishing email from a real email request. The attackers use spoofing techniques to make the emails appear as if they have been sent from within the organization. Genuine email accounts may even be compromised and used for phishing attacks. Last month, the Digital Citizens Alliance reported finding millions of .edu email addresses listed for sale on the dark web. Those email addresses are often used for phishing scams as they are trusted.

Phishing emails are often free from the spelling and grammatical errors that were commonly seen in spam emails in years gone by. The emails often contain lifted branding, images and formatting, which makes them highly convincing. The requests for information may also seem reasonable.

How to Prevent Phishing Attacks

Providing anti-phishing training for staff is now an essential cybersecurity defense; however, it is also important to ensure that training has had the desired effect and has been taken onboard. Schools should therefore conduct dummy phishing exercises to identify the effectiveness of their training programs. Research has shown that with practice, employees get much better at identifying phishing scams.

Technological solutions should also be implemented to prevent spam emails from reaching end users’ inboxes. Advanced anti-spam solutions such as SpamTitan do not rely on blacklists to identify emails as spam. Blacklists are used along with a host of front end controls and emails are subjected to Bayesian analyses to identify common spam signatures. Rules can be set to reduce the risk of email spoofing.

If you are interested in finding out more about the range of technological solutions that can be employed to reduce the risk of phishing attacks, contact the TitanHQ team today.

IBM Reports 6,000% Increase in Tax-Related Email Spam This Tax Season

A recent report from IBM X-Force has highlighted the massive growth in tax-related email spam this year. Between December 2016 and February 2017, tax-related email spam increased by an incredible 6,000%.

A rise in tax-related email spam is to be expected during tax season. It is the time of year when tax returns are submitted and criminals can make substantial profits. If tax information is stolen and a fraudulent tax return is submitted prior to the individual submitting their own return, thousands of dollars in refunds can be obtained. With such high returns from each set of tax information, it is no surprise that tax-related scams are so prevalent.

This year, has seen many different scams detected, although one of the most successful is the W-2 phishing scam. The scam involves a tax fraudster impersonating the CEO, CFO or another executive, and emailing a request for W-2 Forms to members of the payroll department.

As we have seen on numerous occasions this year, the emailed lists can contain thousands of employees’ sensitive information. Usually, every employee that has taxable earnings for the previous fiscal year. To date, there have been 141 reports of successful scams. The largest breach was reported by American Senior Communities. The tax information of more than 17,000 members of staff were emailed to scammers.

The IRS said it was one of the most dangerous email phishing scams seen in recent years. It’s too early to tell how much in fraudulent refunds have been paid out by the IRS, although last year the total was around $5.8 billion. This year that total is expected to rise.

W-2 form phishing scams may be the most common type of tax-related email scams seen this year, but there are many. Most are delivered by email, although website phishing attacks have also been highly prevalent.

Cybercriminals have been impersonating tax software companies and have been sending out fake marketing emails encouraging consumers to visit spoofed websites. They are then relieved of their personal information. Information gathered via the online forms enable fraudsters to steal identities and file fraudulent tax returns in the victims’ names.

Tax season is also a time when malware infections spike. Tax-related email spam is sent with malicious email attachments. Opening those attachments results in malware or ransomware being downloaded to the victims’ computers.

Cybercriminals use a wide variety of techniques to steal credentials. Social engineering techniques are used to fool email recipients into believing requests for information are genuine. Attackers use typosquating and URL hijacking to make their malicious websites appear legitimate. The phishing templates used by some cybercriminals are so convincing it is almost impossible to distinguish them from genuine emails. The correct branding is used, links are masked, and support is even offered for uploading tax-related documentation. In many cases, the emails contain the IRS logo and victims are fooled into supplying their credentials. The scams are often successful, even though the IRS does not initiate contact with taxpayers via email.

To protect against attacks and fraud, consumers can set an IRS IP PIN on their accounts. That pin number must be used to file a tax return. Provided the PIN is not disclosed, individuals will be protected from fraudulent tax filings.

Many Americans leave filing their tax returns to the last minute; however, this year the scammers started sending tax-related email spam early. The late filing of tax returns gives cybercriminals plenty of time to submit fake returns. Tax returns should be filed as soon as a W-2 Form is received to reduce the risk of becoming a victim of fraud.

Businesses can protect themselves against W-2 phishing scams by implementing an advanced spam filtering solution to block spam emails. However, staff should also receive anti-phishing training and policies should be implemented that require any request for W-2 Forms to be verified with the sender of the email by telephone.

Businesses are still being targeted by scammers so they should be on their guard. They should also ensure that they are prepared well in advance for the tsunami of tax-related email spam that will start to arrive from December 2017.

Warning for Tax Professionals About New IRS e-Services Phishing Scam

The Inland Revenue Service has issued a new warning to tax professionals about a new IRS e-Services phishing scam.

With the tax return deadline fast approaching it is the last chance for the fraudsters to steal identities and file fraudulent tax returns. The past few days has seen a surge in phishing attacks on tax professionals.

The purpose of the IRS e-Services phishing scam is to obtain tax professionals’ e-Services usernames and passwords. The emails use a variety of subject lines that have been crafted to attract attention and ensure the emails are opened.

The emails claim to have been sent by the IRS about issues with the user’s e-Services account. The emails warn that the user’s e-Services account has been closed, suspended or blocked. In order to reactivate the account or prevent its closure, the email recipient is required to login to their account.

A link is supplied in the email that enables the recipient to take the required action. Clicking on the link will direct the user to a login page that closely resembles the IRS e-Services portal. Entering in a username and password into the login page will see the details captured by the attackers.

In response to the high volume of phishing attacks on tax professionals, the IRS has been improving account security in recent weeks. The IRS has been asking tax professionals to revalidate their accounts to prevent delays when accessing their e-Services accounts. The attackers appear to be taking advantage and piggybacking on those recent communications.

The IRS warns all tax professionals that if for any reason their e-Services account has been closed, they should contact the e-Services Help Desk to reactivate their account, but never to click on any links contained in emails. While links to malicious websites are used for this scam, users should also be wary about any attachments sent in e-Services emails.

This tax season has seen a major increase in tax-related email scams, most notably a massive rise in W-2 Form phishing scams. At least 140 successful W-2 Form phishing attacks have already been announced, although with two weeks left of tax season that figure is certain to rise. K12 schools, colleges and other higher education institutions have been extensively targeted this year, as has the healthcare industry. Some of the phishing scams have resulted in thousands of employees’ tax details being obtained by fraudsters.

The last few days before the April 18 deadline for submitting tax returns is likely to see many more phishing attacks performed. All businesses should therefore be on their guard and should exercise extreme caution.

2017 IBM X-Force Threat Intelligence Index Provides Insight into Cyberattack Trends

The 2017 IBM X-Force Threat Intelligence Index has been released this week. The report provides an insight into the main cybersecurity threats faced by all industries and major cyberattack trends, data breaches and security incidents experienced by U.S. organizations in 2016.

Last year’s IBM X-Force Threat Intelligence Index showed healthcare was the industry most heavily targeted by cybercriminals. However, the 2017 IBM X-Force Threat Intelligence Index shows cybercriminals changed their focus in 2016. Last year, the financial services was hit the hardest. The healthcare dropped down to fifth place.

The healthcare industry did not suffer mega data breaches of the same scale as 2015 – which saw a 78.8 million-record cyberattack on Anthem Inc., and 10 million record+ data breaches at Premera Blue Cross and Excellus BlueCross BlueShield. However, there were security breaches aplenty. 2016 was the worst ever year for healthcare industry breaches, with more incidents reported than any other year in history.

Those breaches resulted in far fewer records being exposed or stolen. The 2017 IBM X-Force Threat Intelligence Index indicates there was an 88% drop in exposed or stolen healthcare records in 2016 compared to the previous year. Around 12 million healthcare records were exposed or stolen in 2016.

The 2017 IBM X-Force Threat Intelligence Index also shows that there was a shift in the nature of attacks, with cybercriminals targeting unstructured data rather than structured data. Data breaches involving email archives, intellectual property, and business documents all rose in 2016.

The healthcare industry may not have seen so many records exposed, but that was certainly not the case across all industry sectors. 2016 was a very bad year for cyberattacks. In 2015, around 600 million records were exposed or stolen. In 2016 the total jumped to an incredible 4 million records, helped in no small part by the 1.5 billion record breach at Yahoo and the discovery of massive data breaches at LinkedIn, MySpace, and Dropbox. It is therefore no surprise that IBM called 2016 The Year of the Mega Data Breach.

Top of the list of attacked industries in 2016 was financial services. Both the financial services and healthcare sectors saw a fall in attacks by outsiders, but attacks by malicious insiders and inadvertent actors increased in both industry sectors.

In the financial services, 5% of attacks involved malicious insiders and 53% involved inadvertent actors. In healthcare, 25% of attacks involved malicious insiders and 46% involved inadvertent actors. The financial services saw 42% of attacks conducted by outsiders. Healthcare cyberattacks by outsiders accounted for 29% of the annual total.

According to the 2017 IBM X-Force Threat Intelligence Index, the second most targeted industry was information and communications, followed by manufacturing and retail. All three industries saw increases in attacks by outsiders, which accounted for the vast majority of attacks. 96% of attacks on information and communications were by outsiders, with 91% apiece for manufacturing and retail.

The financial services sector saw a substantial rise in SQLi and OS CMDi attacks in 2016 – The most common attack method for the industry. The main attack method on the information and communications sector involved exploitation of vulnerabilities allowing attackers to trigger buffer overflow conditions. The main attack method on the manufacturing, retail and healthcare industries was also SQLi and OS CMDi attacks, which accounted for 71% of manufacturing industry cyberattacks, 50% of retail cyberattacks, and 48% of healthcare cyberattacks.

The 2017 IBM X-Force Threat Intelligence Index indicates cybercriminals favored older attack methods in 2016 such as ransomware, malware toolkits, and command injection to gain access to valuable data and resources.

Ransomware was big news in 2016. Many cybercriminals turned to ransomware as a quick and easy source of income. Figures from the FBI indicate $209 million in ransom payments were made in the first three months of 2016 alone.

Malware was also extensively used in attacks, with Android malware and banking Trojans big in 2016. Not all attacks targeted organizations for their data. DDoS attacks increased, both in frequency and severity. While attacks of 300+ Mbps were unusual in 2015, they became the norm in 2016. One attack in excess of 1 Tbps was reported.

While 2015 saw exploit kits extensively used to infect endpoints with malware, in 2016 spam email was favored. Spam was a primary attack tool of cybercriminals, especially in the second half of the year. While the first half of the year saw spam email volume remain steady, the 2017 IBM X-Force Threat Intelligence Index indicates there was a significant increase in spam volume in the second half of the year and a massive rise in the number of malicious email attachments.

The 2017 IBM X-Force Threat Intelligence Index shows the vast majority of malicious attachments were ransomware or ransomware downloaders, which accounted for 85% of malicious email attachments.

The increase in the use of spam email as an attack vector shows how important it is for organizations to improve their defenses against email attacks. An advanced spam filter is essential as is training of employees on security best practices and phishing attack prevention.

Exploit Kit Activity has Declined, but Spamming Activity Has Increased

Figures from Trustwave show there has been a steady decline in exploit kit activity over the past year. Exploit kits were once one of the biggest cybersecurity threats. In late 2015 and early 2016 exploit kits were being extensively used to spread ransomware and malware. Now exploit kit activity has virtually dropped to nothing.

Exploit kits are toolkits that are loaded onto malicious or hijacked websites that probe for vulnerabilities in browsers and plugins such as Adobe Flash Player and Java. When a new zero-day vulnerability was discovered, it would rapidly be added to exploit kits and used to silently download ransomware and malware onto web visitors’ computers. Any individuals that had failed to keep their browsers and plugins up to date would be at risk of being infected. All that would be required was make them – or fool them- into visiting a malicious website.

Links were sent via spam email, malvertising was used to redirect web visitors and websites were hacked and hijacked.  However, the effort required to develop exploits for vulnerabilities and host exploit kits was considerable. The potential rewards made the effort more than worthwhile.

Exploit kits such as Angler, Magnitude and Neutrino no longer pose such a big threat. The actors behind the Angler exploit kit, which was used to spread Locky ransomware in early 2016, were arrested. Law enforcement agencies across the world have also targeted gangs running these exploit kits. Today, exploit kit activity has not stopped entirely, but it is nowhere near the level seen in the first half of 2016.

While this is certainly good news, it does not mean that the threat level has reduced. Ransomware and malware are still major threats, all that has happened is cybercriminals have changed tactics for distributing the malicious programs. Exploit kits are not dead and buried. There has just been a lull in activity. New exploit kits are undoubtedly being developed. For the time being, exploit kit activity remains at a low level.

Now, the biggest threat comes from malicious spam email messages. Locky and other ransomware variants are now almost exclusively spread via spam email messages. Cybercriminals are also developing more sophisticated methods to bypass security controls, trick end users into opening infected email attachments, and improve infection rates.

Much greater effort is now being put into developing convincing phishing and spear phishing emails, while spam emails are combined with a wide range of social engineering tricks to get end users to open infected email attachments. End users are more knowledgeable and know not to click on suspicious email attachments such as executable files; however, malicious Word documents are another matter. Office documents are now extensively used to fool end users into installing malware.

With cybercriminals now favoring spam and phishing emails to spread malware and ransomware, businesses need to ensure their spam defenses are up to scratch. Employees should continue to be trained on cybersecurity, the latest email threats should be communicated to staff and advanced spam filters should be deployed to prevent messages from being delivered to end users.

Blank Slate Spam Campaign Distributing Cerber Ransomware

The SANS Internet Storm Center reports that the Blank Slate spam campaign which was first detected in July last year is now being used to spread Cerber ransomware, rather than previous favorites Locky and Sage 2.0.

In the majority of cases, emails used to spread ransomware and other nasties use a variety of social engineering techniques to trick end users into opening the email attachments and infecting their computers. However, the Blank Slate spam campaign opts for simplicity. The spam email messages contain no text, hence the name ‘blank slate’.

The email messages contain a double zip file attachment. A zip file is attached to the email, and within it is a second zip file containing JavaScript or a Word document with a malicious macro. The JavaScript or macro then downloads the malicious payload – Cerber ransomware – if it is run.

Without any social engineering tactics, infection rates are likely to be much lower. However, researchers suggest that more email messages are likely to get past security defenses using this technique. Since more emails are delivered to end users’ inboxes, this is likely to make up for the fact that fewer attachments will be opened.  The blank slate spam campaign is believed to be spread via botnets.

Cerber ransomware has been a major threat over the past 12 months. The ransomware is frequently updated to ensure it avoids detection. The latest blank slate spam campaign is being used to spread the latest form of the ransomware, which hides malicious code inside Nullsoft Scriptable Install System (NSIS) installers.

Security researchers at Palo Alto Network’s Unit 42 team report that Cerber ransomware is being hosted on around 500 separate domains. When domains are detected by hosting companies they are rapidly shut down; however, new domains are then registered by the criminals to take their place.

Since new domains can easily be registered using stolen credentials, the costs to cybercriminals are low. The cost of signing up for a new domain are negligible. Burner phones can be purchased cheaply and the numbers provided when registering domains, email addresses can be registered free of charge, and stolen credit card details can be used to make payment. There is no shortage of stolen credit card numbers to use. However, the rewards from Cerber ransomware infections are high. Now, the keys to decrypt data locked by Cerber ransomware costs victims 1 Bitcoin – around $1,000.

Organizations can protect against the threat by ensuring their spam filtering solutions are carefully configured and making sure all employees are instructed never to open JavaScript files or enable Word macros sent from unknown senders.

World’s Largest Spam Operation Exposed: Database of 1.37 Billion Email Addresses Uncovered

The world’s largest spam operation has been exposed, and along with it, a massive database of email addresses. More than 1.37 billion email addresses, names, addresses, and IP addresses were in the database, which was exposed as a result of an error made during a backup. The company behind the operation is the email marketing firm River City Media – A legitimate email marketing company that uses some decidedly shady email marketing practices.

So how large is the world’s largest spam operation? According to MacKeeper researchers, the company behind the massive spamming campaigns were sending up to one billion spam email messages every day. However, due to the leak, life is likely to get a lot tougher for the email marketing firm. Its entire infrastructure has now been added to the spamming blacklist maintained by Spamhaus: The world leader in providing up to date threat intelligence on email spam and related spamming activity.

So how does a database from the world’s largest spam operation get released on the Internet? Faulty backups! The company failed to configure their Rsync backups correctly, resulting in those backups being available online without any need for a password. The database was discovered by MacKeeper security researcher Chris Vickery.

The revelation that such a large database had been obtained was huge news. In fact, it even drew a response from the Indian government, which felt it necessary to explain that it was not the source of the leak. The Indian government’s federal ID system is one of a very small number of databases that contain that number of records.

The number of records in the database is so large that almost everyone that uses email would either be on the list or would know someone that is.

How does a company amass so many email addresses? According to Vickery, there are various methods used, although he said “credit checks, education opportunities, and sweepstakes,” are typically used to obtain the email addresses, as are legitimate marketing campaigns from major brands. Users divulge their email addresses during these campaigns in order to receive a free gift, special offer, or an online service. Hidden away in the terms and conditions, which few people read, is confirmation that the information collected will be shared with marketing partners. Those marketing partners then share addresses with their partners, and their partners’ partners, and so on. Before long, the email addresses will be made available to a great deal of spammers.

When spammers use those addresses, there is a high probability that the domains used for sending the marketing messages will be blocked. To get around this, companies such as RCM use warm up accounts to send out their campaigns.

New campaigns will be sent to the warm up accounts, and provided they do not generate complaints, the sender of the emails will be marked as a good sender. With a good reputation, the spammers will be able to scale up their operation and send out billions of messages. If at any point messages start to be rejected or complaints start to be received, the domain is dropped and the process starts again. That way, RCM is able to bypass spam filtering controls and continue to send messages.

A detailed insight into the world’s largest spam operation and the techniqus used to send spam messages has been published by CSO Online, which worked with Vickery, MacKeeper, and Spamhaus following the discovery of the huge database.

Businesses Are Not Taking Full Advantage of Anti-Phishing Technologies, Says FTC

A recently published study from the Federal Trade Commission’s (FTC) Office of Technology Research and Investigation has revealed that anti-phishing technologies are not being widely adopted by U.S. businesses.

While there are several anti-phishing technologies that could be adopted by businesses to reduce susceptibility to phishing attacks, relatively few businesses are taking full advantage of the latest anti-phishing solutions.

Phishing is a type of online scam primarily conducted via email, although the same type of scam can occur online on malicious websites. The email version of the scam involves sending an email request to an employee in which the attacker claims to be a well-known source. That could be an Internet service provider, a well-known company such as Amazon or Netflix, or the CEO or CFO of the employee’s company. The target is asked to send sensitive personal or business information.

Typically, the attackers request financial information, logins, or as we have seen on numerous occasions this year, employees’ W-2 Form data. The information is then used for identity theft and fraud. In the case of the W-2 Form phishing scams, the information is used to file fraudulent tax returns in employees’ names.

Phishing is one of the biggest cybersecurity threats that businesses must mitigate. A separate study conducted by PhishMe showed that the vast majority of cyberattacks start with a phishing email. The largest ever healthcare data breach – which resulted in the theft of 78.8 million health insurance members’ credentials from Anthem Inc. – occurred as a result of an employee responding to a phishing message.

The FTC’s research revealed that most businesses have now implemented authentication controls, but little else. The FTC study (performed by OTech) found that 86% of businesses were using the Sender Policy Framework (SPF) to determine whether emails that claim to have been sent from a business were actually sent from the domain used by that business.

While this is an important anti-phishing control, SPF alone is insufficient to protect businesses from phishing attacks. SPF controls can be bypassed.

The FTC study found that fewer than 10% of businesses were using Domain Message Authentication Reporting & Conformance (DMARC) to receive intelligence on the latest spoofing attempts used to bypass SPF controls. DMARC allows businesses to automatically reject unauthenticated messages, yet few use the technology.

While not covered by the FTC study, one of the best additional anti-phishing technologies is a spam filtering solution such as SpamTitan.

SpamTitan blocks 99.97% of spam email messages, 100% of known malware via its dual anti-virus engines, while a powerful anti-phishing component looks for common signatures of phishing emails and prevents them from being delivered.

The threat from phishing is growing. A study from the Anti-Phishing Working Group revealed there was a 65% increase in phishing attacks in 2016 compared to 2015. Last year, 1,220,523 phishing attacks were reported. With attacks increasing at such a rate, and given the number of phishing attacks on businesses so far in 2017, more must be done to prevent attacks.

Is your business doing enough to prevent phishing attacks? What anti-phishing technologies has your business adopted to prevent employees being scammed?