Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.
Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two-thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.
How to Identify a Phishing Email
Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.
Check the true sender of the email
This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.
Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.
Check for grammatical errors and spelling mistakes
Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google Translate to create their emails, which is why the wording may seem a little odd.
Before Google, Netflix, or your bank sends an email, it will be subject to proof-checking. Mistakes will be made on occasion but they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.
Phishing emails are often addressed in a way that makes it clear that the sender does not know your name, “Dear customer” for example. Most companies will use your name in genuine email communications.
Phishers use urgency and a “threat” if no action is taken
Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.
For example, someone has tried to log in to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.
Check the true destination of any link in the email
Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.
You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.
On a mobile device, this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.
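The sender check and the link check described above can also be automated. The following is an added example, not code from the original article or from TitanHQ: it parses a message, compares the display name with the real sender domain, and compares the visible link text with the true destination. The brand-to-domain table and the sample message (which uses reserved .example domains) are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: brands you deal with, mapped to the domains they really use.
OFFICIAL_DOMAINS = {"netflix": {"netflix.com"}, "paypal": {"paypal.com"}}
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


def domain_matches(host, official):
    """True if host is one of the official domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in official)


def host_of(url):
    """Host name of a URL, also for bare text such as 'www.site.com/path'."""
    if "//" not in url:
        url = "//" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL
        return ""


def check_sender(from_header):
    """Compare the display name with the domain of the real address."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain_matches(domain, official):
            continue
        if brand in display.lower():
            findings.append(f"display name mentions {brand} but sender domain is {domain}")
        if brand in domain:  # e.g. a hyphenated domain built around the brand
            findings.append(f"look-alike sender domain for {brand}: {domain}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """The scripted version of hovering over each link."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if URL_LIKE.match(text):  # the anchor text itself looks like a URL
            shown = host_of(text)
            related = (shown == target or target.endswith("." + shown)
                       or shown.endswith("." + target))
            if not related:
                findings.append(f"link text shows {shown} but points to {target}")
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in target and not domain_matches(target, official):
                findings.append(f"look-alike link domain for {brand}: {target}")
    return findings


def analyze(raw_message):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample message, not a captured email.
SAMPLE = """\
From: "Netflix Support" <account-update@support-netflix.example>
To: user@company.example
Subject: Your subscription will be suspended in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear customer, there was a problem with your last payment.</p>
<a href="http://login.netflix-billing.example/update">https://www.netflix.com/youraccount</a>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("SUSPICIOUS:", finding)
```

A link whose text is a button label rather than a URL only gets the look-alike check, so the destination still needs to be read before clicking.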
Beware of email attachments
Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.
If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.
Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.
Anti-Phishing Solutions for Businesses
TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.
SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.
WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees from visiting known malicious websites or suspicious sites. WebTitan also blocks malware downloads.
Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no-obligation free trial of both solutions to evaluate them in your own environment.
Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.
When phishing occurs over email, an attack usually consists of two elements: a lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.
For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to login and verify their identity. The website is spoofed to make it look like the site it is impersonating and when information is entered it is captured by the attacker.
Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.
Four Essential Phishing Protection Measures
Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.
Spam filtering
A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.
Web filtering
Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect and will instead be directed to a local block page. Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.
End user training
Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.
Multi-factor authentication
If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.
Phishing Protection Solutions from TitanHQ
TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.
On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.
Businesses are constantly targeted by cybercriminals and phishing is one of the easiest ways that they can gain a foothold in corporate networks. An email is sent to an employee with a lure to entice them to click an embedded hyperlink and visit a website. When they arrive on the site, they are presented with a login prompt and must enter their credentials. The login prompt is indistinguishable from the real thing, but the domain on which the login prompt appears is controlled by the attacker. Any information entered on the website is captured.
End user training will go a long way to keeping your business protected against phishing attacks. Phishers target people using a variety of “social engineering” tactics to get them to take a specific action, which could be visiting a website and downloading malware, giving up their login credentials, or sending a wire transfer to the criminal’s bank account. By conditioning employees to perform checks and to stop and think before taking any action suggested in an email, you will greatly improve resilience to phishing attacks.
Many employees will say that they can identify a phishing email and will never be fooled, but the number of successful phishing attacks that are occurring every day suggests there are gaps in knowledge and even the most tech-savvy individuals can be fooled.
To illustrate this point, consider the SANS Institute. If you have never heard of the SANS Institute, it is one of the world’s leading computer and information security training and certification organizations, including anti-phishing training.
In August 2020, the SANS Institute announced that one of its employees had fallen for a phishing scam and disclosed their login credentials. The attacker used those credentials to access the account and set up a mail forwarder that sent a copy of every email to the attacker’s email account. 513 emails, some of which contained sensitive information on SANS members, were forwarded to the account before the attack was detected. The emails contained the personally identifiable information of 28,000 SANS members. The SANS Institute decided to use this attack as a training tool and will be providing details of how it succeeded to help others prevent similar attacks.
This incident shows that even the most highly trained individuals can fall for a phishing email. Had training not been provided, instead of one compromised email account there could have been many.
Phishers are constantly changing tactics and developing new scams to fool people and technological anti-phishing solutions. The key to phishing attack prevention is to implement a range of defenses to block attacks. Any one of those measures may fail to detect a phishing email on occasion, but others will be in place to provide protection. This defense-in-depth approach is essential given the sophistication of phishing attacks and the volume of messages now being sent.
In addition to regular end user training and phishing simulation emails to harden the human element of your defenses, you need an advanced spam filter. If you use Office 365 you will already have a basic level of protection provided through Microsoft’s basic spam filter, Exchange Online Protection (EOP), but this should be augmented with a third-party solution such as SpamTitan to block more threats. EOP blocks spam, known malware, and many phishing emails, but SpamTitan will greatly improve protection against more sophisticated phishing attacks and zero-day malware.
You should also consider implementing a web filter to block the web-based component of phishing attacks. When an employee attempts to visit a malicious website that is used to steal credentials and other sensitive information, a web filter can prevent that website from being accessed.
With a spam filter, web filter, and end user training, you will be well protected, but you should also implement 2-factor authentication. If credentials are stolen, 2-factor authentication can prevent those credentials from being used by the attacker to gain access to the account.
For more information on spam filtering, web filtering, and phishing protection, give the TitanHQ team a call. Our team of experienced engineers will be happy to help you set up SpamTitan email security and the WebTitan web filter on a free trial so you can see for yourself how effective both are at blocking phishing attacks and other cybersecurity threats.
Several SBA loan phishing scams have been identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.
Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.
Hundreds of millions of dollars have been made available by the U.S. government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.
Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.
Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.
Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double-clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.
The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.
In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails link to a cleverly spoofed SBA web page that attempts to steal credentials and is indistinguishable from the genuine login page apart from the URL. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.
These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.
First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for signs of spam, phishing, and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.
Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.
Prior to opening any downloaded document or file it should be scanned using antivirus software that has up-to-date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.
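The file check described above can be scripted. This is an added example, not code from the original article: it flags a double extension such as the .img/.exe combination described earlier and compares the first bytes of the file with what the final extension claims. The extension lists are non-exhaustive assumptions and the sample file names are constructed.

```python
import os
from pathlib import PurePath

# Assumption: non-exhaustive lists chosen for this example.
RUNS_ON_DOUBLE_CLICK = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
LOOKS_HARMLESS = {".img", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys"}

# Leading bytes ("magic number") a file with this extension should start with.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".exe": b"MZ",
}


def inspect_file(filename, header):
    """Return findings for a file name and the first bytes of its content."""
    suffixes = PurePath(filename.lower()).suffixes
    final = suffixes[-1] if suffixes else ""
    findings = []

    # 1. Double extension: a harmless-looking extension followed by one that runs.
    #    With "hide extensions for known file types" enabled, only the first shows.
    if len(suffixes) >= 2 and final in RUNS_ON_DOUBLE_CLICK and suffixes[-2] in LOOKS_HARMLESS:
        findings.append(f"double extension: shown as {suffixes[-2]} but runs as {final}")

    # 2. Windows executables start with "MZ" whatever the file is called.
    if header.startswith(b"MZ") and final not in PE_EXTENSIONS:
        findings.append(
            f"content is a Windows executable but the name ends in {final or '(none)'}"
        )

    # 3. The content should carry the signature its extension claims.
    expected = EXPECTED_MAGIC.get(final)
    if expected and not header.startswith(expected):
        findings.append(f"content does not start with the {final} signature")
    return findings


def inspect_path(path):
    """Same check for a file on disk; only the first 8 bytes are read."""
    with open(path, "rb") as handle:
        header = handle.read(8)
    return inspect_file(os.path.basename(path), header)


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the file).
    samples = [
        ("SBA_application.img.exe", b"MZ\x90\x00"),
        ("SBA_application.img", b"MZ\x90\x00"),
        ("loan_form.pdf", b"%PDF-1.7"),
    ]
    for name, header in samples:
        print(name, "->", inspect_file(name, header) or "no findings")
```

A file that passes these checks can still be malicious, so the antivirus scan remains the first step.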
Care should be taken when opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests for bank account and other highly sensitive information.
Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is a legitimate domain.
CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real time, send automatic alerts, block downloads of certain file types, and carefully control the types of websites that can be accessed by employees.
For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.
Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.
Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.
Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for Visual Basic Scripting (.vbs) loader attachments.
Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.
The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and the recruitment campaign has worked. A range of techniques has been used in recent attacks, including brute force attacks on RDP servers and exploitation of vulnerabilities in unpatched VPN systems, such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been performed exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.
With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.
The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing. In fact, they are more than likely to increase.
Defending against the attacks requires a defense-in-depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, and end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is essential. All devices should be running the latest software versions.
Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.
Any popular platform is an attractive target for phishers, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not seem a key target for phishers, a successful attack could give scammers access to credit card and banking information.
Netflix phishing scams are common, so it is not unusual to see yet another scam launched, but one of the latest uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it is harder for security solutions to access the phishing websites and identify their malicious nature.
This Netflix phishing scam starts with an email like many other Netflix scams that precede it. The emails appear to have been sent from the Netflix customer support team and advise the recipient there has been a problem with billing for the latest monthly payment. As a result, the subscription will be suspended in the next 24 hours.
The Netflix user is provided with a link to click and they are told they need to update their information on file. The emails also include a link to unsubscribe and manage communication preferences, although they do not work.
As with most phishing scams there is urgency and a threat. Update your information within 24 hours or you will lose access to the service. Clicking the link will direct the user to a fully functioning CAPTCHA page, where they are required to go through the standard CAPTCHA checks to verify they are not a bot. If the CAPTCHA challenge is passed, the user will be directed to a hijacked domain where they are presented with the standard Netflix sign-in page.
They must sign-in, then they are asked to enter their billing address, along with their full name and date of birth, followed by a second page where they are asked for their card number, expiry date, CVV code, and optional fields for their bank sort code, account number, and bank name. If the information is entered, they are told that they have correctly verified their information and they will be redirected to the real Netflix page, most likely unaware that they have given highly sensitive information to the scammers.
There have been many Netflix phishing emails intercepted over the past few months claiming accounts have been put on hold due to problems with payments. The emails are convincing and very closely resemble the emails sent out regularly by Netflix to service subscribers. The emails feature the Netflix logo, correct color schemes, and direct the recipients to very realistic looking login pages.
What all of these emails have in common is they link to a domain other than Netflix.com. If you receive an email from Netflix, especially one that contains some sort of warning or threat, login to the site by typing the correct domain into the address bar and always make sure you are on the correct website before entering any sensitive information.
Football is big business and large quantities of money are often transferred electronically between clubs to bring in new players. If scammers were to insert themselves into the communications between clubs, huge payments could easily be diverted. In 2018, the Italian football club Lazio was targeted with a phishing scam that resulted in a payment of €2 million being sent to an account under the control of scammers. The money was never recovered.
Now it appears that the sports industry is being targeted again. Recently, a similar scam was conducted on a Premier League football club in England. The hackers gained access to the email account of the managing director of the club through a phishing campaign after directing the MD to a domain where Office credentials were harvested. Those credentials were then used to access the MD’s email account, and the scammers inserted themselves into an email conversation with another club looking to purchase a player. Fortunately, the scam was detected by the bank and a £1 million fraudulent payment was blocked.
This type of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are commonplace and often successful. They range from simple scams to complicated multi-email communications between two parties, where one party believes they are communicating with the genuine email account holder when they are actually communicating with the scammer. When the time comes to make payment, the scammer supplies their own account credentials. All too often, these scams are not detected until after payment is made.
That is far from the only cyberattack on the sports industry in recent weeks and months. There have been several attempted cyberattacks, which prompted the UK’s National Cyber Security Centre (NCSC) to issue a warning advising the UK sports sector to be on high alert.
Prior to lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential systems, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be abandoned due to the attack. The ransomware attack is suspected to have also started with a phishing email.
The recent attacks are not limited to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past 12 months.
NCSC figures show approximately 30% of incidents resulted in financial losses, with the average loss being £10,000, although one organization lost £4 million in a scam. 40% of the attacks involved the use of malware, which is often delivered via spam email. A quarter of attacks involved ransomware.
While malware and ransomware attacks are costly and disruptive, the biggest cause of losses is BEC attacks. Figures from the FBI show these scams accounted for around half of all losses to cybercrime in 2019. $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported. The FBI anticipates even greater losses this year.
While there are many different attack methods, email remains the most common vector used in cyberattacks on businesses. It is therefore essential to implement a robust email security solution that can block malicious emails and prevent them from being delivered to inboxes.
TitanHQ has developed a powerful, advanced email security solution that can help businesses improve their email security defenses and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates multiple threat intelligence feeds, machine learning systems to identify phishing attempts, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation attacks.
If you are concerned about email security and want to improve your defenses against email threats, give the TitanHQ team a call to find out more about SpamTitan and other security solutions that can help you defend your organization from cyberattacks.
Our customer service team will be happy to discuss your options and help set you up for a free trial so you can see for yourself the difference SpamTitan makes to email security.
A new phishing campaign has been detected that uses Google Cloud Services to fool victims into giving up their Office 365 credentials. The new campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.
The phishing attack starts like any other with an email containing a hyperlink that the recipient is requested to click. If the user clicks the link in the email, they are directed to Google Drive where a PDF file has been uploaded. When the file is opened, users are asked to click a hyperlink in the document, which appears to be an invitation to access a file hosted on SharePoint Online.
The PDF file asks the victim to click the link to sign in with their Office 365 ID. Clicking the link will direct the user to a landing page hosted using Google’s storage.googleapis.com. When the user arrives on the landing page, they are presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting firm.
The campaign has been designed to make it appear that the victim is simply being directed to a PDF file that has been shared via SharePoint, and the actual PDF file is displayed after the victim has divulged their credentials. It is therefore likely that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy individuals would be unlikely to check.
This campaign was identified by researchers at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are legitimate and have valid SSL certificates, they are difficult to detect as malicious. This campaign abused Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add legitimacy to the campaigns.
This campaign highlights the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even those that link to genuine domains. An advanced email security solution should also be implemented to block malicious emails and ensure the majority of malicious messages are not delivered to inboxes. That is an area where TitanHQ can help.
Emotet was the most prolific malware botnet of 2018 and 2019. The botnet fell silent on February 7, 2020, but it has now sprung back to life and is being used to distribute Trojan malware. The botnet returned with a malicious spam campaign on July 17 of at least 30,000 emails, mostly targeting organizations in the United States and the United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day, with the campaign now global.
The Emotet botnet is a network of computers infected with Emotet malware and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the attackers’ command and control (C2) servers and are sent instructions to send out spam emails spreading Emotet malware.
Once the malware is downloaded, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are launched following the detection of Emotet, it is common for other computers to be discovered to be infected with the malware.
What makes Emotet particularly dangerous is the operators of the botnet pair up with other threat groups and deliver other malware variants. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice was the TrickBot Trojan. TrickBot is a banking trojan cum information stealer that also serves as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the developers of Ryuk ransomware. Once TrickBot has stolen information, the baton is passed over to Ryuk, which will also steal data before encrypting files on the network. The new Emotet campaign started by distributing the TrickBot Trojan, although the payload has since switched to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload, with Prolock often used in the past.
Emotet emails use a variety of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets businesses, so the lures used are business-related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are often personalized, and threat actors are known to hijack email threads and send responses with malicious documents added.
An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.
Fortunately, Emotet malware is delivered via email which gives businesses an opportunity to prevent infections. By deploying an advanced spam filter such as SpamTitan that has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and block infections.
The return of Emotet was inevitable, and while the resumption of activity is bad news, there is some good news. A vigilante hacker has started sabotaging Emotet operations by targeting a weak link in their infrastructure. Emotet malware is downloaded from the internet from a range of hacked WordPress sites. The vigilante has found that the temporary stores of Emotet can be easily hacked as they tend to all use the same password. After guessing that password, the Emotet payload has been replaced with a variety of animated GIFs and has disrupted operations, reducing infections to around a quarter of their normal levels. That said, the Emotet gang is attempting to regain control of its web shells and infections with Emotet are still growing.
TitanHQ is performing a major update of the ArcTitan email archiving solution. That process is now well underway and existing ArcTitan users are being migrated to the new systems and will greatly benefit from the new and improved service.
The new and improved ArcTitan service is being delivered as a high availability, self-healing, horizontally scaled Kubernetes cluster. The new ArcTitan service uses a high availability Percona XtraDB MySQL database cluster within Kubernetes that handles all database operations. It is self-maintaining and can be scaled up with minimal user effort and no downtime.
The Kubernetes cluster has many components that work in harmony, with each of the components configured to be independently accessible to ensure availability and improve the reliability of the service. Since each component is independently available, in the event of one component going down, the remaining components will still be available. That means there will be minimal or no service outage; instead, the single component will be taken offline and repaired without any effect on the others.
As is the case with the old ArcTitan service, all emails are given unique identifiers that are kept for the life of the archive. Emails are fully indexed, and the header, sender/receiver, body, and email attachments are all indexed separately. If historic emails need to be recovered, the indexing ensures millions of archived email messages can be searched and found in seconds.
The new ArcTitan systems encrypt and store raw email data in Replicated Persistent Storage. Ceph storage clusters are deployed which provide high performance block storage and file systems, with automated data replication and failover. For long term storage of email data, ArcTitan uses Amazon S3 to ensure reliability, redundancy, and scalability. ArcTitan indices are distributed across several Apache Solr instances simultaneously.
ArcTitan customers will also benefit from a new graphical user interface (GUI) as shown in the image below:
TitanHQ is contacting all current ArcTitan users and is providing new account details that will need to be used to benefit from the new ArcTitan infrastructure. Applying the changes will require reconfiguration of the connector/mail server. Once that change has been applied, all mail will be directed to the new server for archiving.
Once TitanHQ has verified that the change has been made correctly, and all mail is being successfully sent to the archive on the new infrastructure, the original account will be closed off and will no longer accept emails. All emails from the old account will be migrated to the new infrastructure by TitanHQ and customers will be notified when that process has been completed. They will then have the chance to verify the migration has been completed. Once verified, the old account will then be deleted.
In the meantime, any emails stored using the previous account can still be searched and the archive will remain accessible if historical email needs to be accessed.
We are sure you will be happy with the changes and improved performance and reliability. If you have any questions about the new ArcTitan systems or your migration, our customer service team will be happy to help.
Over the past month there has been a surge in Phorpiex botnet activity. A botnet is a network of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. There are known to be around 500,000 computers in the Phorpiex botnet globally and the botnet has been in operation for almost 10 years.
The Phorpiex botnet has previously been used for sending sextortion emails, distributing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a massive Avaddon ransomware campaign that saw around 2% of companies targeted around the world.
Ransomware attacks have increased over the past few months, with many ransomware gangs delivering ransomware manually after gaining access to corporate networks by exploiting vulnerabilities in VPNs and other software or taking advantage of insecure default software configurations. There has also been an increase in ransomware attacks using email as the attack vector. Several ransomware variants are now being primarily delivered by email, and Avaddon ransomware was one of the biggest email threats in June. One week in June saw more than 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. companies.
Avaddon ransomware is a new ransomware variant that was first detected in June. The operators of Avaddon ransomware are advertising their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.
In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them appear to be JPG files on Windows computers. Windows computers hide file extensions by default, so the file attachment would appear to be named IMG123101.jpg on a Windows computer in the default configuration. If Windows had been changed to display known file extensions, the user would see the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would trigger the download and execution of Avaddon ransomware.
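A mail gateway or triage script can catch the double-extension pattern described above from the attachment file name alone. The following is an added example, not code from the original article or from any TitanHQ product; the extension lists, function names, and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed, non-exhaustive lists; tune them to your own mail policy.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".exe", ".scr", ".bat", ".cmd", ".ps1"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def normalise(filename):
    # Windows ignores trailing dots and spaces when it resolves a file name.
    return filename.strip().rstrip(". ").lower()


def displayed_name(filename):
    """Name shown while Windows hides extensions for known file types.

    Assumes the final extension is a registered type, as .js is by default.
    """
    stem, ext = os.path.splitext(filename.strip())
    return stem if ext else filename.strip()


def classify_attachment(filename):
    """Return 'double-extension', 'script' or 'ok' for an attachment name."""
    stem, last = os.path.splitext(normalise(filename))
    # Tolerate whitespace between the decoy extension and the real one.
    _, inner = os.path.splitext(stem.rstrip())
    if last in SCRIPT_EXTS and inner in DECOY_EXTS:
        return "double-extension"
    if last in SCRIPT_EXTS:
        return "script"
    return "ok"


def scan_message(raw_bytes):
    """List (real name, name the user sees, verdict) for every named MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = []
    for part in msg.walk():
        name = part.get_filename()  # policy.default decodes RFC 2231/2047 names
        if name:
            report.append((name, displayed_name(name), classify_attachment(name)))
    return report


def build_sample():
    """Constructed sample message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your new photo?"
    msg.set_content("(emoji only)")
    msg.add_attachment(b"// inert placeholder", maintype="application",
                       subtype="octet-stream", filename="IMG123101.jpg.js")
    msg.add_attachment(b"%PDF-placeholder", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for real, shown, verdict in scan_message(build_sample()):
        print(f"{verdict:17} real={real!r} shown-as={shown!r}")
```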
More recently, a campaign was detected that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments with malicious Excel 4.0 macros. In contrast to JavaScript files, which will run when opened by users, Excel macros require user action to run, so they are less effective. That said, users are instructed to enable the macros using a variety of social engineering techniques and they are still effective.
Avaddon ransomware searches for a range of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is supplied to a Tor site along with a unique user ID to allow the victim to log in to pay the ransom for the keys to unlock encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery will only be possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.
Several subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only an emoji in the body of the email. This tactic is simple, yet effective.
There are several steps that can be taken by businesses to prevent Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat and teach employees how to recognize phishing and malspam threats and condition them to report emails to their security team. If possible, macros should be disabled on all end user devices, although the email attachments used often change and disabling macros will not therefore always prevent infection.
One of the best defenses against email threats such as phishing, malware and ransomware is to install a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam service, but also as an additional level of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to block zero-day phishing and malware threats.
For more information on protecting your organization from ransomware and other email threats, give the TitanHQ team a call today.
A new phishing campaign has been identified that targets remote workers who will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.
This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are short and to the point.
They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”
The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”
Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.
This campaign, like many others to have emerged over the past few weeks, closely follows world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, information was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.
Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections, warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about free school dinners over the summer, now that the UK government has said that it will be providing support to parents.
There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. One campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.
What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, which are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard, be alert to the threat from phishing, always take time to consider the legitimacy of any request, and perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.
Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.
A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.
iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.
Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.
As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.
If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.
The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.
There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website is suspect, and the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.
These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.
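Because the invite passes SPF, DKIM, and DMARC, the link inside the calendar entry is the main thing left to inspect. The following added example (not from the original article or any TitanHQ product) unfolds an iCalendar file, pulls the URLs out of each event, and reports those that are not on the domain of the organization the message claims to come from. The function names, the hosting-suffix list, and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Hosting services named in the campaigns described on this page; extend locally.
SHARED_HOSTING = ("sharepoint.com", "storage.googleapis.com")


def unfold(ics_text):
    """RFC 5545 3.1: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()


def split_property(line):
    """Return (NAME, value), ignoring colons inside quoted parameter values."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""


def unescape_text(value):
    # Undo RFC 5545 TEXT escaping of newline, comma, semicolon and backslash.
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def events_with_links(ics_text):
    """Collect the summary and every http(s) URL found in each VEVENT."""
    events, current = [], None
    for line in unfold(ics_text):
        name, value = split_property(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {"summary": "", "urls": []}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            text = unescape_text(value)
            if name == "SUMMARY":
                current["summary"] = text
            current["urls"] += [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return events


def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def review_invite(ics_text, claimed_domain):
    """Return (summary, host, kind) for each link not on the claimed domain."""
    findings = []
    for event in events_with_links(ics_text):
        for url in event["urls"]:
            host = (urlsplit(url).hostname or "").lower()
            if host_matches(host, claimed_domain):
                continue
            shared = any(host_matches(host, s) for s in SHARED_HOSTING)
            findings.append((event["summary"], host,
                             "shared-hosting" if shared else "off-domain"))
    return findings


# Constructed sample invite; the tenant name and path are placeholders.
# The DESCRIPTION line is folded in the middle of the URL on purpose.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "SUMMARY:Stop Unauthorized Payment",
    r"DESCRIPTION:Review the flagged withdrawals\, then confirm: https://constructed-ten",
    " ant.sharepoint.com/placeholder",
    "URL:https://www.wellsfargo.com/",
    "END:VEVENT",
    "END:VCALENDAR",
    "",
])

if __name__ == "__main__":
    for finding in review_invite(SAMPLE_ICS, "wellsfargo.com"):
        print(finding)
```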
One of the leading mid-market private equity investment firms in the United Kingdom has invested in TitanHQ. TitanHQ is headquartered in Galway, Ireland and is a fast-growing, global vendor of cloud-based cybersecurity solutions for SMBs, ISPs, and Managed Service Providers (MSPs) that serve the SMB market.
TitanHQ’s portfolio of solutions consists of SpamTitan Email Security, WebTitan Web Security, and ArcTitan Email Archiving. These solutions have been adopted by more than 8,500 businesses worldwide and are offered by approximately 2,500 MSPs in 150 countries.
TitanHQ, originally Copperfasten Technologies, was formed in 1999 and started life providing email security solutions to businesses in Ireland, but has since grown into a global company that provides SaaS solutions to companies including Pepsi, ViaSat, Virgin, O2, and Datto. The company has recorded impressive growth and has become the leading provider of cloud-based security solutions to MSPs serving the SMB market, with an ARR of more than $15 million.
Livingbridge invests in companies with a value of up to £200 million and has an Enterprise 3 fund for investment in fast-growing companies up to the value of £50 million, with the latter fund used to invest in TitanHQ.
Livingbridge identified TitanHQ as a target for investment based on a proven track record at delivering powerful cloud-based SaaS solutions and being well positioned to benefit from strong, growing market momentum. The investment in TitanHQ will help accelerate the company’s ambitious growth plans through investment in people and product development.
TitanHQ received investment from Bill Mc Cabe’s Oyster Technology Investments at inception, and Oyster Technology Investments will continue to maintain a significant stake in the business.
“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said Ronan Kavanagh, Chief Executive Officer of TitanHQ. “The recent pandemic and the growth of WFH initiatives has further highlighted the need for multiple layers of cyber security and our solutions form key pillars in this security strategy.”
“We are delighted to be partnering with TitanHQ, a uniquely positioned business with a well-differentiated product portfolio operating in a fast-growing, attractive market that is benefiting from strong macro tailwinds,” said Nick Holder, Director at Livingbridge. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfil the company’s potential.”
As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.
In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was a huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus-themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.
It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries, the headlines have been dominated by stories about Black Lives Matter protests and counter-protests, and the public mood has presented another opportunity for the gang.
The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.
The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.
TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved its initial objective.
The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees on how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.
Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.
SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provide protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.
For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.
The COVID-19 pandemic has created challenges for all businesses, which are trying their best to adapt to a new normal. Businesses are slowly opening up their offices once again, but it will be a long time before a return to “business as usual.” In fact, massive changes have had to take place and life after lockdown is likely to be considerably different to life before it.
Managed Service Providers have also had to adapt, and many Channel companies have realized the massive changes due to the pandemic have brought a wealth of opportunities. They are not suffering as a result of the challenges but have adapted their operations and have gained considerable growth momentum. How have these forward-thinking MSPs turned the pandemic into profit? What have they done to grow their businesses in such difficult times?
On June 23, 2020, MSPs will have an opportunity to get answers to these questions and discover how they can grow their business and thrive during the pandemic and in a post-COVID-19 world.
In line with social distancing requirements, MVP GrowthFest is a virtual event where MSPs will have the opportunity to learn how obstacles that appear to be blocking progress are challenges that can easily be overcome.
MVP GrowthFest is a 3-hour event headlined by the 3-time NBA Most Valuable Player (MVP) Award winning superstar, Earvin “Magic” Johnson Jr. Magic Johnson will be providing insights into the obstacles he has faced during his life and how he succeeded through a combination of talent, tenacity, and a strong commitment to the community.
The event will celebrate the energy that powers growth and the drive to thrive in uncertain times and MSPs will be treated to four powerhouse panels where a combined 15 Channel All-Stars will be providing valuable insights and practical steps to not only survive the pandemic but use it as an opportunity to grow and thrive.
TitanHQ’s Sales Director, Conor Madden, will be leading a security powerhouse panel and will explain how selling security is best achieved through education, and how this approach is essential for the modern-day MSP tech stack.
Currently, cyberattacks are occurring at unprecedented levels. Cyber actors have seized the opportunities COVID-19 has given them. MSPs can position their security stacks front and central and help businesses protect against these threats.
MSPs will naturally need the right solutions, and that is an area where TitanHQ can help, being the leading provider of cloud-based email and web security solutions to MSPs serving the SMB marketplace. TitanHQ solutions have been developed specifically to meet the needs of MSPs and are available at a price point that allows them to be packaged easily to significantly boost profits.
At the security powerhouse, attendees will also hear from:
Jon Murchison – CEO, BlackPoint Cyber
Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
Jessvin Thomas – President & CTO, SKOUT
Three further powerhouse sessions will be taking place at MVP GrowthFest giving MSPs further insights and assistance to grow their businesses and boost profits. There will also be $2,000 in prizes given out at the event.
Managing Through Change
Featuring:
Dan Wensley – CEO, Warranty Master
Joe Alapat – CEO & Founder, Liongard
Ryan Walsh – Chief Channel Officer, Pax8
Establishing Trust in the New Normal
Featuring:
Dave Goldie – Vice President of Channel, Cytracom
Ted Roller – Channel Chief, ConnectBooster
Andra Hedden – CMO, Marketopia
Frank DeBenedetto – Founder, AudIT
Leading & Accelerating through the Recovery
Featuring:
Tim Conkle – Founder, The 20
Dennis O’Connell – Vice President, Taylor Business Group
A U.S. Supreme Court phishing campaign has been detected that uses a fake subpoena to appear in court as a lure to obtain Office 365 credentials. The emails are personalized, addressed to the victim, and claim to be a writ issued by the Supreme Court demanding the recipient attend a hearing. Rather than a spray and pray attack, this is a targeted campaign that attempts to obtain the credentials of high value targets such as C-Suite members.
The emails include a link that the recipient is required to click to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are required to enter their Office 365 credentials to view the subpoena.
The domain used is brand new and, as such, it is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also used multiple redirects to hide the destination URL in another attempt to thwart anti-phishing defenses.
Prior to the user being directed to the phishing page, they are presented with a CAPTCHA page. CAPTCHA is used to prevent web visits by bots, but in this case, it may be used to add legitimacy to the phish to make the request appear genuine. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the name of the user, further adding legitimacy to the scam. The CAPTCHA may also be a further attempt to make it difficult for the destination URL to be analyzed by security solutions.
This phishing campaign is realistic and uses urgency to get the user to take action quickly, rather than stopping to think about the request. There are signs that this is a scam, such as the domain name which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling mistakes which would not be expected of any Supreme Court request.
However, the sender name in the email was spoofed to make it appear to have been sent by the “Supreme Court”, the request is certain to scare some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into disclosing their login credentials.
Exchange Online Protection (EOP), which is provided by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.
To improve protection against new phishing campaigns, an anti-spam solution is required that incorporates predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan incorporates these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation attacks.
SpamTitan can be layered on top of Microsoft’s Exchange Online Protection to serve as an additional layer to your email security defenses to ensure that more malicious emails are blocked and never reach end users’ inboxes.
A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that have been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.
The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.
The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.
Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.
Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.
By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.
The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.
The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.
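The "rest of the URL" check described above can be automated before a link reaches a user. The following is an added example, not code from Cofense or TitanHQ: it parses a login.microsoftonline.com authorization link and reports where the authorization response is sent and which permissions are requested. The sample URLs, client ID, redirect hosts and the allowlist are constructed assumptions; `offline_access` is the standard scope that yields a refresh token.

```python
from urllib.parse import urlsplit, parse_qs

MS_LOGIN_HOST = "login.microsoftonline.com"
# Microsoft Graph permission families that expose files, contacts, mail or notes.
DATA_SCOPE_PREFIXES = ("files.", "contacts.", "mail.", "notes.", "sites.")

# Assumption: hosts your own applications legitimately use as OAuth redirect targets.
TRUSTED_REDIRECT_HOSTS = {"intranet.example.org"}


def review_authorize_url(url, trusted_redirect_hosts):
    """Return (is_ms_authorize, findings) for a link extracted from an email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower().rstrip("/")
    # Exact host match, so "login.microsoftonline.com.example.invalid" does not pass.
    if host != MS_LOGIN_HOST or not path.endswith("/authorize"):
        return False, []

    query = parse_qs(parts.query)  # also percent-decodes the values
    findings = []

    # Where Microsoft will send the authorization response after the user signs in.
    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect_uri).hostname or "").lower()
    if redirect_host not in trusted_redirect_hosts:
        findings.append(("untrusted_redirect", redirect_host or "(missing)"))

    # Scopes are space separated and may be written as fully qualified Graph URLs.
    raw_scopes = query.get("scope", [""])[0].split()
    scopes = [s.rsplit("/", 1)[-1] for s in raw_scopes]

    if "offline_access" in (s.lower() for s in scopes):
        findings.append(("refresh_token_requested", "offline_access"))
    data_scopes = [s for s in scopes if s.lower().startswith(DATA_SCOPE_PREFIXES)]
    if data_scopes:
        findings.append(("data_scopes_requested", " ".join(data_scopes)))
    return True, findings


# Constructed sample: genuine Microsoft host, but the response goes to an unknown app.
CONSENT_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
    "&scope=openid%20offline_access%20User.Read%20Contacts.Read%20Files.Read.All"
    "&state=constructed"
)
# Constructed sample: sign-in for an allowlisted internal application.
INTERNAL_APP_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.org%2Fauth&scope=openid%20profile"
)
# Constructed sample: lookalike host that merely starts with the Microsoft name.
LOOKALIKE_URL = (
    "https://login.microsoftonline.com.example.invalid/common/oauth2/v2.0/authorize"
    "?client_id=x&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
)

if __name__ == "__main__":
    for sample in (CONSENT_PHISH_URL, INTERNAL_APP_URL, LOOKALIKE_URL):
        print(review_authorize_url(sample, TRUSTED_REDIRECT_HOSTS))
```

A link that produces all three findings asks the user to grant a third-party application lasting access to files and contacts, which is the pattern this campaign relies on.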
With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.
This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.
For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.
A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.
COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.
The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon the tried and tested phishing campaigns they were running before the SARS-CoV-2 outbreak and repurpose their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.
The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.
On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.
Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.
Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection – the default spam filtering service that protects all Office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.
Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.
As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.
Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.
For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.
Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.
LogMeIn Spoofed to Steal Credentials
Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.
A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.
The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.
There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or using your standard bookmarks. Never use any information provided in the email. If the security update is genuine, you will be advised about it when you log in.
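The masking technique described above, where the anchor text shows one site and the link goes to another, can be detected in an HTML email body. The following is an added example, not part of the original article: it compares the hostname displayed in each link's text with the hostname in its `href`. The sample email and the example.invalid and example.org hosts are constructed; accounts.logme.in is the site named in the campaign's anchor text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname-looking token inside visible link text, with an optional scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, including nested markup."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(shown_host, href_host):
    # Simplification: treat a subdomain of the displayed host as the same site.
    # A production check would compare registrable domains via the Public Suffix List.
    return href_host == shown_host or href_host.endswith("." + shown_host)


def find_masked_links(html_body):
    """Return links whose visible text names a different host than the href."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        shown = HOST_IN_TEXT.search(text)
        href_host = (urlsplit(href).hostname or "").lower()
        if not shown or not href_host:
            continue  # text shows no hostname, or href is not an absolute URL
        shown_host = shown.group(1).lower()
        if not same_site(shown_host, href_host):
            findings.append(
                {"shown_host": shown_host, "href_host": href_host, "text": text}
            )
    return findings


# Constructed sample email body modelled on the lure described in the article.
SAMPLE_EMAIL_HTML = """
<p>A new security update is available for LogMeIn Central and LogMeIn Pro.</p>
<p>Apply it here:
  <a href="https://logmein-update.example.invalid/login">https://accounts.logme.in</a></p>
<p><a href="https://www.example.org/help"><b>example.org</b> help centre</a></p>
<p><a href="https://news.example.org/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

Only the first link is reported: the second displays a host that matches its destination, and the third shows no hostname in its text at all.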
NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops
A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by attackers to take control of a victim’s computer.
The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays a graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if the content is enabled, and the client will be automatically executed.
The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.
Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud
The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.
WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirects to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless of where they access the internet and allows different policies to be set when they are on and off the network.
For further information on these powerful cybersecurity solutions give the TitanHQ team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.
Worried about protecting remote workers from phishing, zero-day attacks, malware and dangerous websites?
On Thursday, May 21, TitanHQ will be hosting a webinar to explain how to better protect remote workers and their devices from attack. This webinar is ideal for current SpamTitan customers, prospective customers, Managed Service Providers and Small to Medium Enterprises.
We’ll show you why it’s vital to protect against the email and web component of cyberattacks – a web filter serves as an important layer of security to block phishing attacks and malware and ransomware downloads.
Join Derek Higgins, Engineering Manager TitanHQ, Eddie Monaghan, Channel Manager TitanHQ, Marc Ludden, Strategic Alliance Manager TitanHQ and Kevin Hall, Senior Systems Engineer at Datapac on Thursday, May 21st @11am CDT.
We will discuss:
Covid-19 exploitation by cybercriminals in malicious cyber attacks
Meeting the challenge of protecting a fully distributed workforce
– Spotlight on WebTitan features and security layers for managing user security at multiple locations. Deep dive into the features and benefits of the latest version of WebTitan Security.
– The sophisticated nature of advanced persistent threats faced today and how WebTitan mitigates your risk against these threats.
Most cyberattacks have an email and web-based component – How WebTitan serves as a vital layer of security to block phishing attacks, malware and ransomware downloads.
Why WebTitan is the leading web security option for Managed Service Providers who service the SMB and SME market.
Webinar Details
Webinar – Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan
Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.
Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform means there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.
According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.
The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.
In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.
Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.
One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.
Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.
Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.
A new report has been released that sheds light on the most common phishing lures currently in use that are proving effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.
The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.
Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.
COVID-19 has been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.
SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.
SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.
The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.
If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and provide protection against email and web-based threats.
A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.
Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.
The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to a file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.
The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.
Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.
The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.
Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.
It is possible that the attackers continue to access the compromised email accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.
The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained using communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.
Several campaigns have been identified that take advantage of the popularity of these platforms. One campaign has recently been identified that uses Skype branding advising users that they have pending notifications. The emails are personalized and include the Skype username and have a review button for users to click to review their notifications. These emails very closely resemble the genuine emails sent to users by Skype. The emails also appear, at first glance, to have been sent from a genuine address.
The link supplied in the email directs the recipient to an HTTPS website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, it will display the green padlock to show that the connection is secure, as is the case on the genuine Skype domain. The webpage includes Skype branding and the logo of the company being targeted and states that the webpage has been set up for authorized use by employees of the company. The username of the victim is automatically added to the login page, so all that is required is for a password to be entered.
This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.
A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now has more than 300 million users.
In this campaign, Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers generate fear and urgency to get the targets to respond quickly without scrutinizing the messages. This campaign advises the recipients to login to a meeting with their HR department regarding their job termination. Clicking the link will similarly direct users to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts and bypassed EOP.
The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled by the emails. Security awareness training will help to condition employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.
This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365; it allows businesses to add an extra layer of protection on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware-laced emails that would otherwise be delivered to Office 365 inboxes.
SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.
For further information on improving your phishing defenses, give the TitanHQ team a call today.
Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.
The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups; instead, the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.
The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.
The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.
The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.
As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating-themed lures.
The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.
TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.
Healthcare providers are being targeted by cybercriminals using COVID-19-themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.
The first major COVID-19-themed phishing attacks targeting healthcare providers started to be detected around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.
Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.
The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.
The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including RYUK ransomware.
A diverse range of malware is delivered by a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are commonly used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.
While the number of COVID-19-themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.
The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.
The advice offered by the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.
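The attachment-type filtering described above can be sketched as follows. This is an added example, not code from SpamTitan or the FBI advisory: the blocked-extension policy, the function names, and the sample message are assumptions constructed for illustration, and the checks cover the attachment types this article names (macro-laced Word documents, 7-zip archives, executables, and JavaScript and Visual Basic scripts).

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy: extensions for the attachment types named in the article.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".7z", ".docm", ".dotm"}

# Leading bytes that identify a file type regardless of the file name.
MAGIC_PREFIXES = {
    b"MZ": "windows-executable",
    b"7z\xbc\xaf\x27\x1c": "7zip-archive",
}


def has_vba_project(payload: bytes) -> bool:
    """True if payload is a ZIP (OOXML) container holding a vbaProject.bin part."""
    stream = io.BytesIO(payload)
    if not zipfile.is_zipfile(stream):
        return False
    try:
        with zipfile.ZipFile(stream) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment should be quarantined (empty list = pass)."""
    reasons = []
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked-extension:{suffix}")
    # Content checks catch files renamed to an innocuous extension.
    for prefix, label in MAGIC_PREFIXES.items():
        if payload.startswith(prefix):
            reasons.append(f"content:{label}")
    if has_vba_project(payload):
        reasons.append("content:office-vba-macro")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each flagged attachment to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(filename or "", payload)
        if reasons:
            flagged[filename or "(unnamed)"] = reasons
    return flagged


def build_sample_message() -> bytes:
    """Constructed test message; every attachment is harmless placeholder data."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        archive.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    attachments = {
        "invoice.pdf": b"MZ" + b"\x00" * 64,               # executable header, PDF name
        "guidance.docx": docx.getvalue(),                   # macro part, benign extension
        "update.js": b"// placeholder script\n",
        "scan.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32,
        "notes.txt": b"Meeting moved to 3pm.\n",
    }
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"QUARANTINE {name}: {', '.join(reasons)}")
```

Checking file content as well as the extension matters because a renamed executable or a macro-bearing `.docx` passes a filter that looks at names alone.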
The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.
Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats.
Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.
Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.
Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.
It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.
Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.
Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.
Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.
Nation state-sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting-edge research and that information is extremely valuable to companies that can use the research data to develop products to gain a significant competitive advantage.
Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.
With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.
The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.
Independent tests show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in-depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages, and controls to detect potential email account compromises.
If you want to improve your cybersecurity defenses, start by upgrading your email security defenses with SpamTitan. You may be surprised to discover how little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.
Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home as there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information, and install malware and ransomware.
Businesses may have already given their employees security awareness training to make sure they are made aware of the risks that they are likely to encounter and to teach them how to recognize threats and respond. However, working from home introduces many more risks and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. It is also important to provide security training for employees, and this is especially important for remote workers, as risk increases when employees are working remotely.
In this post we will highlight some of the key areas that must be addressed in work-from-home (WFH) security awareness training for the workforce.
Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens
Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.
The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.
During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.
With so many employees now working from home, the speed at which companies have had to transition from a largely office-based workforce to having virtually everyone working from home may have seen security awareness training for remote workers put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.
Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks
Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.
Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and novel coronavirus-themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.
It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.
Shadow IT is a Major Security Risk
When employees are office-based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. Not only does the problem become harder to identify when employees work from home, but the risk of unauthorized software being loaded onto corporate-issued devices also increases.
Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given by the IT department.
The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and cryptocurrency miners.
How TitanHQ Can Help Improve Email Security
Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.
TitanHQ can’t help you with your remote worker cybersecurity awareness training, but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.
SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at the source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and email sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporates several real-time threat intelligence feeds to block current and emerging phishing attacks and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.
WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and web pages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.
For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!
Blackpoint Cyber announced its Remote Reality LIVE conference, which will occur online April 8th and April 9th 2020.
The conference will focus on managed service providers (MSPs) and how they can stay secure, profitable, and resilient as the world increases remote operations during the COVID-19 pandemic – registration and attendance are free. The two-day conference will include sessions by former leaders of the United States’ government cyber security and intelligence communities as well as cyber security experts and business veterans from the MSP services and technology industry.
Blackpoint Cyber announces its virtual cyber security conference for MSPs – Remote Reality LIVE. Featuring a keynote from the former Acting Director of the CIA and sessions from tech giants Datto, Webroot, Marketopia, and more.
Jon Murchison, Blackpoint’s CEO and founder, and former US government cyber operations expert, explains the conference’s objective: “IT services and infrastructure have become mission critical for organizations to survive in this new economic landscape brought on by COVID-19. MSPs are the key to our success and, especially during these times, a collective national asset to their respective countries. That’s why we are bringing together experienced government and industry leaders to help MSPs navigate the current economic and security environments. We’re excited to provide one of the first online and socially-distanced conferences dedicated to MSPs and cyber security.”
Blackpoint has partnered with leading technology, service, and marketing firms for the conference, including:
Datto: leading global provider of cloud-based software and technology solutions purpose-built for MSPs
Webroot: Cybersecurity Solutions Purpose-Built for MSPs and SMBs
Convergint: Global, Service-based Systems Integrator
Marketopia: Lead Generation and Marketing for Technology Companies
ID Agent: Dark Web and Identity Theft Protection
TitanHQ: Email and DNS Security
Compliancy Group: HIPAA Compliance-as-a-Service
Atlantic Data Forensics: Premier Incident Response and Forensics
ProSource Technology Solutions: Leading Managed Service Provider
Corporate Office Properties Trust (COPT): Premier Real Estate Investment Trust
Michael Morell, former Deputy Director and Acting Director CIA, will present the keynote session on national security implications of the Coronavirus outbreak. While at the CIA, Mr. Morell was President George W. Bush’s daily intelligence briefer during the 9/11 attacks and was awarded the Distinguished Intelligence Medal, the CIA’s second highest honor.
Additional former US government cyber security and intelligence expert speakers include: Bill Priestap, former FBI Assistant Director of Counterintelligence, Chris Inglis, Former Deputy Director of NSA, Dave Sears, retired Commander and Navy SEAL, and Kevin Donegan, former United States Navy Vice Admiral and previous commander of the US Navy’s 5th fleet out of Bahrain. Security and MSP industry leaders will also present informational sessions, such as lead generation in a virtual world, security in the MSP space, cyber security for commercial real estate, the threat landscape of remote workers, and more.
Matt Solomon, VP of Business Development & IT at ID Agent, shares his sentiments on the conference: “ID Agent is very excited to participate in one of the first virtual MSP events since in-person events have been taken off the schedule. MSPs still need education during this period and we are honored to be part of such an esteemed group of vendors.”
In addition to learning how to stay secure and prosper, conference attendees will also be eligible for giveaways and prizes.
When it comes to cybersecurity and home working, CIOs and IT teams have a challenge: how to ensure the same level of protection is provided for remote workers as they get when they are in the office. To help, we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting.
The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.
The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.
One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.
Steps for IT Teams to Take to Improve Cybersecurity for Home Workers
Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.
Ensure VPNs are Provided and Updated
Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN will ensure that all traffic is encrypted, and data cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers, and you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and patches are applied, even if this means some downtime to perform the updates. VPN vulnerabilities are under active attack.
Set up Firewalls for Remote Workers
You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be implemented to protect remote workers’ devices. Home routers may have inbuilt firewalls. Talk employees through activating hardware firewalls if they have them on their home routers and ensure that passwords are set to prevent unauthorized individuals from connecting to their home Wi-Fi network.
Apply the Rule of Least Privilege
Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals and through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.
Ensure Strong Passwords are Being Set
To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.
Implement Multifactor Authentication
Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.
Ensure Remote Workers’ Devices Have Antivirus Software Installed
Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.
Set Windows Updates to Automatic
Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.
Use Cloud-Based Backup Solutions
To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud-backup service.
Teach Cybersecurity Best Practices for Home Workers
All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.
Define Procedures for Dealing with a Security Incident
Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.
Implement a Web Filter
A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.
Use Encrypted Communication Channels
When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and secure text message communications, such as Telegram or WhatsApp.
Ensure Your Email Security Controls are Sufficient
One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.
Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solution with data loss protection functions to protect against insider threats.
Monitor for Unauthorized Access
More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wise investment.
For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.
In this post, we explore email security and home working and offer advice to help businesses ensure their workers, devices, and networks are protected.
The 2019 Novel Coronavirus pandemic has forced many workers to self-isolate at home and an increasing number of employees want to work from home to reduce the risk of contracting COVID-19. Businesses are under pressure to allow their workers to stay at home and use either company-issued or personal devices to access their networks and work remotely.
Cybercriminals are constantly changing their tactics, techniques, and procedures and they have jumped at the opportunity provided by the Novel Coronavirus. People are scared and rightly so. COVID-19 has a high mortality rate and the virus is spreading like wildfire. People want information about cases in their local area, advice on how to protect themselves, and information about possible cures. Cybercriminals have obliged and are conducting phishing campaigns that claim to offer all that information. Many campaigns have now been detected from many different threat groups that attempt to obtain login credentials and spread malware. Since early January when the first major campaigns were detected, the volume of coronavirus and COVID-19 emails has increased significantly.
Campaigns are being conducted impersonating authorities on the Novel Coronavirus and COVID-19, such as the World Health Organization (WHO), the U.S. Centers for Disease Control and Prevention (CDC), the U.S. Department of Health and Human Services, and other government agencies. COVID-19-themed emails are being sent to remote workers that spoof HR departments warning about cases that have been detected within the organization. Health insurers are being spoofed in campaigns that include invoices for coverage for COVID-19.
Since January, more than 16,000 Coronavirus and COVID-19-themed domains have been registered, which are being used to host phishing kits and distribute malware. Researchers at Check Point Software report that those domains are 50% more likely to be malicious than other domains registered in the same period.
Email security and home working will naturally be a major concern for IT teams given the sheer number of home workers due to the Coronavirus pandemic and the volume of attacks that are now being conducted targeting home workers. With so many devices now connecting to networks remotely, if cybercriminals do obtain credentials, it will be much harder for IT teams to identify threat actors connecting remotely. Fortunately, there are steps that can be taken to improve email security and home working need not majorly increase risk.
You should make sure that your employees can only connect to your network and cloud-based services through a VPN. Enterprise VPNs can be configured to force all traffic through the VPN to reduce the potential for error. Make sure that the VPN is configured to start automatically when the device is powered up.
It is crucial that all remote workers are protected by a robust and effective email security solution. It is not possible to stop cybercriminals targeting remote workers, but it is possible to stop phishing and malware threats from reaching inboxes.
To protect your employees against phishing attacks and malware, an advanced email security solution is essential. If you use Office 365 for email, do not rely on Office 365 email security. You will need greater protection than Exchange Online Protection provides to protect against phishing, spear phishing, and zero-day threats.
SpamTitan has multiple detection mechanisms to identify and block the full range of email threats. SpamTitan incorporates SPF and DMARC to provide protection against email impersonation attacks, machine learning algorithms and predictive technology to protect against zero-day attacks, advanced phishing protection from whaling and spear phishing attacks by scanning inbound email in real-time, dual antivirus engines to block malware threats, and email sandboxing for in-depth analysis of suspicious attachments. SpamTitan also includes 6 specialist RBLs, supports whitelisting, blacklisting, and greylisting, and incorporates multiple threat intelligence feeds.
There is an increased risk of insider threats with remote workers. To provide protection and prevent accidental policy violations, SpamTitan incorporates a data loss prevention filter to stop credit card numbers, Social Security numbers, and other data types from being sent via email.
No email security solution will be able to block 100% of email threats, 100% of the time. It is therefore important to provide regular cybersecurity training to employees to make them aware of phishing threats, teach them how to identify a phishing email or social engineering scam, and condition remote employees on how to respond should a threat be received. Phishing simulation exercises are also useful to find out which employees require additional training and to identify possible gaps in training programs. IT security basic training refreshers should also be provided to ensure employees know what can and cannot be done with work devices.
Multifactor authentication must be implemented on all applications and email accounts to provide protection in the event of an account compromise. If credentials are stolen and used from a previously unknown location or an unfamiliar device, a second authentication factor must be provided before access is granted. You should also disable macros on all user devices unless a specific user needs to use macros for work.
You can arrange a demonstration to see SpamTitan in action and you can also sign up for a free trial to put SpamTitan to the test in your own environment.
The TrickBot Trojan is a sophisticated banking Trojan that was first identified in 2016. While the malware was initially just an information stealer concerned with stealing online banking credentials, the malware has evolved considerably over the past four years and several modules have been added that provide a host of additional malicious capabilities.
The TrickBot Trojan’s information stealing capabilities have been significantly enhanced. In addition to banking credentials, it will steal system and network information, email credentials, tax data, and intellectual property. TrickBot is capable of moving laterally and silently infecting other computers on the network using legitimate Windows utilities and the EternalRomance exploit for the SMBv1 vulnerability. The malware can add a backdoor for persistent access. TrickBot also serves as a malware downloader and will download other malicious payloads, including Ryuk ransomware.
The Trojan is frequently updated and new variants are regularly released. The Command and Control infrastructure is also constantly changing. According to an analysis by Bitdefender, more than 100 new IPs are added to its C&C infrastructure each month with each having a lifespan of around 16 days. The malware and its infrastructure are highly sophisticated, and while steps have been taken to dismantle the operation, the attackers are managing to stay one step ahead.
TrickBot is primarily distributed by spam email through the Emotet botnet. Infection with Emotet sees TrickBot downloaded, and infection with TrickBot sees a computer added to the Emotet botnet. Once all useful information has been obtained from an infected system, the baton is passed over to the Ryuk ransomware operators with a reverse shell opened giving the Ryuk ransomware operators access to the system.
A recent analysis of a variant captured by Bitdefender on January 30, 2020 has shown another method of distribution has been added to its arsenal. The Trojan now has a module for brute forcing RDP. The brute force RDP attacks are mainly being conducted on organizations in the financial services, education, and telecom industries and are currently targeting organizations in the United States and Hong Kong, although it is likely that the attacks will spread geographically over the coming weeks. The attacks are being conducted to steal intellectual property and financial information.
Since the TrickBot Trojan is modular, it can be constantly updated with new features. The evolution of the malware so far, and its success, mean it will continue to be a threat for some time to come. Fortunately, it is possible to prevent infections by practicing good cyber hygiene.
Spam is still the primary method of delivery for both the Emotet Trojan and TrickBot so an advanced spam filter is essential. Since new variants are constantly being released, signature-based detection methods alone are insufficient. SpamTitan incorporates a Bitdefender-powered sandbox to analyze suspicious email attachments for malicious activity. This ensures the malicious activity of never-before-seen malware variants is identified and the emails are quarantined before they can cause any harm.
If you don’t need RDP, ensure it is disabled. If you do, ensure access is restricted and strong passwords are set. Use rate limiting to block login attempts after a set number of failures and ensure multifactor authentication is implemented to stop stolen credentials from being used.
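The lockout rule described above can be checked against logon records. The following is an added example, not code from the original article or from any TitanHQ product: it counts failed logons per source IP in a sliding window and also reports a successful logon that arrives in the middle of a failure burst. The flattened log format, the threshold of 5 failures and the 10-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed lockout threshold
WINDOW = timedelta(minutes=10)   # assumed counting window

# Constructed sample: timestamp, Windows Security event ID (4625 = failed
# logon, 4624 = successful logon), source IP, target account.
SAMPLE_EVENTS = """\
2020-03-18T02:14:01 4625 203.0.113.7 administrator
2020-03-18T02:14:03 4625 203.0.113.7 admin
2020-03-18T02:14:05 4625 203.0.113.7 backup
2020-03-18T02:14:08 4625 203.0.113.7 svc_backup
2020-03-18T02:14:11 4625 203.0.113.7 svc_backup
2020-03-18T02:14:15 4625 203.0.113.7 svc_backup
2020-03-18T02:14:40 4624 203.0.113.7 svc_backup
2020-03-18T08:59:10 4625 198.51.100.20 jsmith
2020-03-18T08:59:25 4625 198.51.100.20 jsmith
2020-03-18T08:59:41 4624 198.51.100.20 jsmith
2020-03-18T09:00:00 4625 192.0.2.44 administrator
2020-03-18T09:12:00 4625 192.0.2.44 administrator
2020-03-18T09:24:00 4625 192.0.2.44 administrator
2020-03-18T09:36:00 4625 192.0.2.44 administrator
2020-03-18T09:48:00 4625 192.0.2.44 administrator
"""


def analyse(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (blocked, suspicious_logons) for an iterable of event lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), event_id, ip, user))
    events.sort(key=lambda e: e[0])  # the sliding window needs time order

    failures = defaultdict(deque)  # source IP -> failure times inside the window
    blocked = {}                   # source IP -> time the threshold was reached
    suspicious_logons = []         # (ip, user, time) successes during a burst

    for ts, event_id, ip, user in events:
        recent = failures[ip]
        # Forget failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event_id == "4625":
            recent.append(ts)
            if len(recent) >= max_failures and ip not in blocked:
                blocked[ip] = ts
        elif event_id == "4624" and len(recent) >= max_failures:
            # A success straight after a burst suggests a guessed password.
            suspicious_logons.append((ip, user, ts))
    return blocked, suspicious_logons


if __name__ == "__main__":
    blocked, suspicious = analyse(SAMPLE_EVENTS.splitlines())
    for ip, when in blocked.items():
        print(f"block {ip}: threshold reached at {when.isoformat()}")
    for ip, user, when in suspicious:
        print(f"investigate {user}: logon from {ip} at {when.isoformat()}")
```

The third source in the sample guesses once every 12 minutes and never reaches the threshold, which is why the paragraph above pairs rate limiting with multifactor authentication rather than relying on it alone.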
For further information on SpamTitan Email Security and to find out how you can improve your defenses against email and web-based attacks, contact the TitanHQ team today.
The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.
Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.
There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.
Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and county. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.
Ryuk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. Once installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given to the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.
TrickBot is downloaded by Emotet malware, a notorious botnet, and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.
In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.
The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.
To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and Prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but is actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
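Both campaigns above rely on an attachment that looks like a document but is an executable, in one case hidden inside a ZIP file. The following is an added example of a filter-side check, not code from the original article or from any TitanHQ product: it inspects each archive member's name and first bytes. The extension lists are illustrative assumptions, and the sample archive is constructed (its "executables" are only the two-byte MZ magic number plus padding).

```python
import io
import zipfile

# Extensions Windows runs directly or through a script host (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi"}
# Extensions a lure usually pretends to be (illustrative list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_member(name, head):
    """Return the reasons a file name or its first bytes look disguised."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\u202e" in base:
        # Right-to-left override reverses how the rest of the name is drawn.
        reasons.append("right-to-left override in file name")
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = base.rstrip(". ").lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
        if decoys:
            reasons.append(f"double extension posing as {decoys[-1]}")
    elif head[:2] == b"MZ":
        # Windows executables start with the bytes 'MZ' whatever they are named.
        reasons.append(f"content starts with MZ but extension is {final or 'missing'}")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: the name is readable, the content is not.
                reasons = inspect_member(info.filename, b"")
                reasons.append("encrypted member, content not inspected")
            else:
                with zf.open(info) as fh:
                    reasons = inspect_member(info.filename, fh.read(2))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive used to exercise the checks offline."""
    fake_pe = b"MZ" + b"\x00" * 62  # magic number and padding, not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MYHEALTH.exe", fake_pe)
        zf.writestr("Safety Precautions.xlsx", fake_pe)
        zf.writestr("invoice.pdf.scr", fake_pe)
        zf.writestr("advice.txt", b"Wash your hands.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```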
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According to the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.
Microsoft has announced it has taken control of the U.S. infrastructure of the Necurs botnet and has taken steps to prevent the botnet operators from registering new domains and rebuilding the Necurs infrastructure.
The Scale of the Necurs Botnet
The Necurs botnet first appeared in 2012 and has grown into one of the largest spam and malware distribution networks. The botnet consists of around 9 million devices that have been infected with Necurs malware. Each device within the botnet is under the control of the cybercrime group behind the botnet.
The Necurs botnet is used to commit a wide range of cybercrimes by the operators of the botnet as well as other cybercriminal groups who rent out parts of the botnet as a service. The Necurs botnet was used for malware and ransomware distribution, cryptocurrency mining, and attacks on other computers to steal credentials and confidential data. The Necurs botnet also has a distributed Denial of Service (DDoS) module capable of performing massive DDoS attacks, although this function is yet to be used.
The main use of the botnet is spamming. The botnet has been used to send vast quantities of spam email, including emails pushing fake pharmaceutical products, pump and dump stock scams, and Russian dating scams. To give an example of the scale of the spamming, over a 58-day period of observation, Microsoft found that a single Necurs malware-infected computer had sent out 3.8 million spam emails to 40.6 million email accounts. That is just one infected device out of 9 million! In 2017, the botnet was being used to spread Dridex and Locky ransomware at a rate of around 5 million emails an hour and between 2016 and 2019 the botnet was responsible for 90% of email-based malware attacks.
The Takedown of Necurs Infrastructure
Microsoft has tracked the criminal activity of the Necurs botnet operators for 8 years. The gang is believed to be Evil Corp, the Russian cybercriminal group behind the Dridex banking Trojan. Evil Corp has been named the most harmful cybercrime group in the world.
The takedown of the Necurs botnet involved a coordinated effort by Microsoft and partners in 35 countries. Microsoft obtained an order from the U.S. District Court for the Eastern District of New York on March 5, 2020 to seize the U.S. domains used by the botnet operators. These domains were used to issue commands to the 9 million infected computers.
Simply seizing the domains would not be sufficient to take down the botnet, as the botnet’s command and control servers could be rapidly rebuilt. Domains used by the threat actors are often taken down, so new domains are constantly registered weeks or months in advance.
The key to long-term disruption of the botnet was cracking the algorithm used by the threat actors to generate new domains. Microsoft analyzed the algorithm and calculated more than 6 million domains that would be used by the threat actors over the next 25 months. Steps have been taken to prevent those domains from being registered and becoming part of the Necurs infrastructure.
The 9 million devices around the world are still infected with Necurs malware. Microsoft and its partners have identified the infected devices and are working with ISPs and CERT teams around the world to rid those devices of the malware.
Just a few days after new figures from the FBI confirmed business email compromise scams were the biggest cause of losses to cybercrime, news broke of a massive cyberattack on a Puerto Rico government agency. Cybercriminals had gained access to the email account of an employee, understood to work in the Puerto Rico Employee Retirement System.
The compromised email account was used to send requests to other government agencies requesting changes be made to standard bank accounts for remittance payments. Since the email account used was trusted, the changes to bank accounts were made. Scheduled payments were then made as normal and millions of dollars of remittance payments were wired to attacker-controlled bank accounts.
The Puerto Rico Industrial Development Company, a state-owned corporation that drives economic development of the country, was one of the worst hit. Emails were received requesting changes to bank accounts and two payments were made. The first payment of $63,000 was made in December and another payment of $2.6 million in January. Other departments were also targeted, including the Tourism Company. The latter made a payment of $1.5 million. In total, the scammers attempted to steal around $4.73 million.
The business email compromise scam was uncovered when those payments were not received by the correct recipients. Prompt action was then taken to block the transfers and some of the payments were frozen, but the government has not been able to recover around $2.6 million of the stolen funds.
A full investigation has been launched to determine how the attackers gained access to the email account to pull off the scam. While the method used has not been confirmed, BEC attacks usually start with a spear phishing email.
A phishing email is sent to a person of interest requesting urgent action be taken to address a problem. A link is supplied in the email that directs the user to a website that requests their email account credentials. The account can then be accessed by the attacker. Attackers often set up mail forwarders to receive a copy of every email sent to and from the account. This enables them to learn about the company and typical payments and construct highly convincing scam emails.
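Because the forwarders described above persist after a password reset, exported mailbox rules are worth auditing. The following is an added example, not code from the original article or from any TitanHQ product: it flags enabled rules that forward or redirect mail outside the organization and ranks catch-all and payment-related rules highest. The rule schema, the internal domain example.gov, the keyword list and the sample rules are all constructed assumptions.

```python
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.gov"}  # assumption: domains the organization owns
PAYMENT_KEYWORDS = {"invoice", "payment", "remittance", "wire", "bank"}

# Constructed sample export; the field names are hypothetical.
SAMPLE_RULES = [
    {"mailbox": "j.doe@example.gov", "name": "sync",
     "forward_to": ["mailbox.copy@mail.example.net"]},
    {"mailbox": "a.smith@example.gov", "name": "to finance",
     "forward_to": ["Payments <payments@finance.example.gov>"]},
    {"mailbox": "b.lee@example.gov", "name": "billing",
     "redirect_to": ["billing@example-gov.com"],
     "subject_contains": ["Invoice", "Remittance"]},
    {"mailbox": "c.kim@example.gov", "name": "newsletter",
     "forward_to": ["c.kim@partner.example"],
     "from_contains": ["news@vendor.example"]},
    {"mailbox": "d.roe@example.gov", "name": "old", "enabled": False,
     "forward_to": ["d.roe@webmail.example"]},
]


def domain_of(address):
    """Lower-cased domain of an address, or '' if it cannot be parsed."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an owned domain or a subdomain of one, not for lookalikes."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Return one finding per enabled rule that sends mail to an outside domain."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        # Unparseable targets have an empty domain and are treated as external.
        external = sorted(t for t in targets
                          if not is_internal(domain_of(t), internal))
        if not external:
            continue
        subjects = {w.lower() for w in rule.get("subject_contains", [])}
        if not subjects and not rule.get("from_contains"):
            severity, reason = "high", "no conditions: copies every message"
        elif subjects & PAYMENT_KEYWORDS:
            severity, reason = "high", "selects payment-related mail"
        else:
            severity, reason = "medium", "conditional external forward"
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "targets": external, "severity": severity,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule '{f['rule']}' -> "
              f"{', '.join(f['targets'])} ({f['reason']})")
```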
Once access to a corporate email account is gained, the BEC scam is much harder to identify and block. The best defense is to ensure that the initial phishing emails are not delivered, and that is an area where TitanHQ can help.
A new report from the FBI’s Internet Crime Complaint Center (IC3) has revealed the extent to which phishing is used to attack businesses and the huge losses that have resulted from another form of email attack – business email compromise (BEC) scams.
In 2019, IC3 received 467,361 complaints about cybercrime and there were reported losses in excess of $3.5 billion, up from $2.7 billion in 2018. The true losses and number of attacks will be far higher, as not all crimes and losses are reported. Phishing, vishing, smishing, and pharming attacks were the most prevalent crime types with 114,702 complaints submitted to IC3 in 2019. Those attacks resulted in losses of more than $57 million.
Source: IC3
There were 23,775 complaints about BEC attacks and losses to those attacks were more than $1.776 billion. On average, BEC attacks result in losses of around $75,000 and the attacks accounted for 50.75% of all losses to cybercrime in 2019.
Business email compromise attacks involve the impersonation of a known individual or company and a fake invoice and fraudulent wire transfer request. Alternatively, changes to a vendor’s bank account details are requested, or changes to direct deposit accounts for payroll. These email impersonation attacks involve spoofing an email account or compromising an account, with the latter usually achieved with phishing emails.
Email is also used to deliver ransomware – 2,047 incidents and $8,965,847 in losses – and malware and viruses – 2,373 incidents and $2,009,119 in losses.
The Importance of a Layered Approach to Email Security
As the IC3 2019 cost of cybercrime report shows, the most common attack vector is email, so how can business owners protect against email-based attacks?
Businesses can either purchase cybersecurity solutions directly or engage a managed service provider to look after cybersecurity. If the decision is taken to manage cybersecurity in-house, it is essential to adopt a defense in-depth strategy and implement multiple layers of protection. Should one cybersecurity solution fail to block a threat, other layers will prevent the attack from succeeding.
Many businesses have adopted Office 365 and use it for email. Microsoft includes a basic level of email protection for Office 365 as standard – Exchange Online Protection (EOP). EOP serves as the first layer of protection against phishing attacks, malware, and spam, but EOP alone is not enough to block sophisticated phishing attacks, BEC attacks, and zero-day malware threats. An additional layer of protection is required.
Advanced Protection Against Phishing and Business Email Compromise Attacks
TitanHQ has developed an advanced anti-spam solution – SpamTitan – that provides an additional layer of protection against email threats.
To protect against known malware threats, dual anti-virus engines are used. However, new malware variants are constantly being released. Before AV engines can block these new threats, the threat must be identified and the malware signature is then added to the AV engine’s virus definitions. Until that happens, threats will not be identified as malicious and will be delivered to inboxes.
To improve protection against zero-day threats, TitanHQ uses sandboxing for email. When a suspicious or unknown email attachment is received, it is sent to the sandbox where it is subjected to in-depth analysis to identify command and control center callbacks and potentially malicious actions.
Office 365 accounts are targeted by cybercriminals and their new phishing campaigns are tested against Office 365 protections to make sure the emails are delivered. One previous study showed that 25% of phishing emails are delivered to Office 365 inboxes.
To ensure phishing threats are detected that would otherwise not be blocked by EOP, SpamTitan uses a range of advanced detection techniques. They include multiple real-time blackhole lists and threat intelligence feeds, multi-layered message analysis, SURBLs, Bayesian analysis, greylisting, and more. Protection against email impersonation attacks and spoofing is provided through Sender Policy Framework and DMARC, and all outbound emails are scanned to identify potential email account compromises.
SpamTitan is a full-service email security solution that protects your business, your employees, and your clients from email-based attacks. With SpamTitan, you can adopt a layered approach to email security at a very low cost per user.
If you want to make sure that your business is protected from costly email-based attacks, give the TitanHQ team a call.
Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which target businesses. One of the most recent campaigns uses a tried and tested technique to install the Emotet Trojan: malicious Word documents masquerading as invoices, estimates, renewals, and bank details.
The campaign mostly targets organizations in the United States and the United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target financial services, with around 8% of attacks on companies in the food and drink industry.
The malicious Word documents are either attached to emails or hyperlinks are included in the emails that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to prevent detection. Email security solutions that rely on AV engines to detect malware are unlikely to detect these zero-day threats as malicious.
Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.
Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.
When Emotet is installed, a worm.exe binary is dropped that runs automatically. It attempts to connect to nearby Wi-Fi networks and brute forces weak passwords. Once connected to a Wi-Fi network, a search is conducted for non-hidden shares on the network. An attempt is made to enumerate all users connected to the Wi-Fi network, devices are brute forced, and the Emotet binary is dropped.
How to Block Emotet
The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense in-depth approach and layered defenses.
The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses have used Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP will block all known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.
SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in-depth analysis to identify command and control server callbacks and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.
To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.
WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up-to-the-minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.
Other essential steps to take to tackle the threat from Emotet include:
Disable macros across the organization
Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
Set strong passwords to thwart brute force attacks
Ensure endpoint protection solutions are deployed on all devices
Provide security awareness training to employees
Conduct phishing simulation exercises to identify employees that require further training
The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.
The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.
The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.
The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.
The California Consumer Privacy Act allows Californians to file for damages of up to $750 per data breach, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages up to $7,500,000 could potentially be claimed.
Enforcement of CCPA
Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Becerra has already stated that he will make an example of businesses that fail to comply with CCPA.
It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors – Email and the internet.
SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.
WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.
TitanHQ can also help covered entities comply with the right to know and right to delete consumer rights afforded by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data is held on them by a company, or requests all of their personal data is deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.
For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.
Tax season is now underway and business email compromise scammers have stepped up their efforts to obtain W-2 forms for tax fraud. These attacks often start with spear phishing emails targeting the CEO and the executive board. Once email credentials have been obtained, the accounts are then accessed, and emails are sent internally to payroll and the HR department requesting the W-2 forms of employees who have worked in the previous tax year.
Scammers target businesses as there is much greater potential for profit than attacks on individual taxpayers, although consumers also need to be wary of IRS-related phishing scams. This time of year sees an increase in IRS phishing scams. Scammers impersonate the IRS and send emails informing taxpayers about a tax refund that is due, or demanding payment of outstanding tax, with threats of dire consequences if prompt action is not taken to address issues.
Advances in email security have meant cybercriminals have had to get creative as it is harder to sneak phishing emails past email defenses. Phishing scams are now commonly initiated via text message, post, and over the telephone. There has already been one campaign identified where consumers are being targeted using robocalls warning that Social Security numbers have been suspended after suspicious activity was detected.
While many of these scams seek personal information, others are conducted to spread malware. One threat group that started its tax-related scams early this year is the Emotet gang. A campaign is currently being conducted that uses emails containing fake signed W-9 forms.
Signed W-9 forms are requested by companies from their contractors if they have been paid in excess of $600 during the tax year. Many companies will have requested signed W-9 forms from their contractors to confirm addresses and tax identification numbers, so they will be expecting copies of these forms in their inboxes.
The Emotet emails are short and to the point, saying “Thank you for your help. Pleased see attached file.” The emails include a Word document attachment named W-9.doc. When the document is opened, the Office 365 logo is displayed along with text stating the document was created in OpenOffice and requires the user to enable editing and enable content. Doing so triggers the silent download of the Emotet Trojan.
This is just one of the tax-related messages being used by the Emotet gang. There are likely to be many more variants sent over the next few weeks. Other cybercriminal gangs will similarly be conducting their own tax-themed phishing campaigns to spread different malware variants and ransomware.
Businesses, tax preparers, and consumers need to be on high alert during tax season for phishing scams and emails spreading malware.
Now is a good time for businesses to review their cybersecurity defenses and enhance protection against phishing and malware attacks. If you use Office 365 and rely on the anti-phishing protections built into Office 365 (EOP), you should consider enhancing your anti-phishing and anti-malware protection with a third-party spam filter – one that has superior malspam detection capabilities.
This is an area where TitanHQ can help. SpamTitan uses a variety of advanced techniques to detect and block phishing threats and zero-day malware, including an email sandbox where unknown and suspicious email attachments are subject to in-depth analysis. Give the TitanHQ team a call to find out more about SpamTitan, improving Office 365 malware and phishing protection, and to arrange a product demonstration and free trial of SpamTitan.
In the meantime, take steps to alert your workforce about tax-season phishing scams and prepare them in case a phishing email arrives in their inbox. An email alert sent to your employees about the threat of tax-season scams could prevent a costly phishing attack or malware infection.
A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.
The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.
A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.
A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.
The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign targets users in different Japanese prefectures and warns of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.
If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.
To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.
More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky Lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.
Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.
For further information on protecting your email system, contact TitanHQ today.
It has been well documented how much time businesses waste dealing with spam and there is no denying the threat that malicious spam emails (malspam) pose, but it is not just a problem for big business. Spam in academia is also a major problem.
A recent study published in the journal, Scientometrics, explores the cost of spam in academia. The study was primarily focused on spam emails sent by new, non-peer-reviewed journals that are attempting to gain a share of the market. These journals are adopting the same spam tactics often used by scammers to sell cheap watches and cut-price medications and for phishing and spreading malware.
Three researchers – Jaime A. Teixeira da Silva, Aceil Al-Khatib, and Panagiotis Tsigaris – attempted to quantify the amount of time that is being wasted dealing with those messages and the losses that result.
To assess the extent of the problem, the researchers used figures from several studies on spamming to obtain an average number of targeted spam emails that academics receive each day. They opted for a conservative figure of 4-5 messages, per academic, per day. Most of those messages take just a few seconds to open and read but that time mounts up. They assumed an average time of 5 seconds per message – less than half a minute per day. That equates to $100 per researcher, per year at an average hourly rate of $50. Using the United Nations estimate of the number of researchers in academia globally, the total global cost of spam in academia was estimated to be $1.1 billion a year.
That figure is based on the lost time alone and does not factor in non-targeted spam emails – bulk unsolicited emails not specifically targeting researchers. Add in the time dealing with those messages and the global cost reaches $2.6 billion a year. To put the cost into perspective, that is much more than the cost of the time researchers devote to peer review, which has been estimated at $1.9 billion a year. The figures do not include the considerable losses due to phishing, malware, and ransomware attacks. Factor in those costs and the losses would be several orders of magnitude higher.
Co-author of the study, Panagiotis Tsigaris, a professor of economics at Thompson Rivers University in Canada, explained that there is no silver bullet when it comes to dealing with spam and suggested several ways that the cost of spam in academia could be reduced.
Tsigaris suggests that penalties should be increased for publishing in predatory journals, that academics should be educated about spam email, and that improvements should be made to email filtering technology.
Here at TitanHQ, we are well aware of the problem of spam, both in terms of the productivity losses that spam causes, and harm caused by malicious spam emails.
To help prevent losses and downtime due to spam and email-based threats, TitanHQ has developed a powerful, easy-to-use, and cost-effective cloud-based spam filtering solution called SpamTitan. SpamTitan has been independently tested and shown to block in excess of 99.9% of spam email, 100% of known malware and ransomware threats, and thanks to a host of detection measures and sandboxing, SpamTitan is also effective at blocking zero-day (new) malware and ransomware threats.
To find out more about SpamTitan and how you can block more spam and ensure malicious emails do not reach your researchers’ inboxes, give the TitanHQ team a call today.
TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement and can be seamlessly integrated into MSPs’ service stacks and cloud-management platforms. Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
The Emotet botnet took a Christmas holiday but it’s now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro that runs a PowerShell command that downloads and executes the Emotet Trojan.
The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.
The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.
Emotet sprang back to life on January 13, 2020, with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese, and Chinese.
The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host of new lures can be expected in 2020.
The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet, or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.
There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.
SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.
Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.
Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.
Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.
The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.
The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.
The attackers claimed to have stolen large quantities of customer data from Travelex. The attackers threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the Sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, Social Security numbers, and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.
Warning Issued About Travelex Phishing Scams
Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.
Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.
For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.
Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.
A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and condition them how to respond when suspicious emails are received.
A new ransomware threat – Ako ransomware – has emerged which is targeting business networks and is being distributed via spam email. The ransomware is being offered to affiliates under the ransomware-as-a-service model and the aim of the attackers is clear: to maximize the probability of payment of the ransom by making recovery harder, and to steal data prior to encryption to ensure the attack is still profitable if the ransom is not paid. Having the data could also help convince the victims to pay up, as we have seen in recent attacks involving Maze and Sodinokibi ransomware, where threats are issued to publish stolen data if the ransom is not paid.
The developers of Ako ransomware appear to be going for large ransom payments, as they are not targeting individual workstations, rather the entire network. The ransomware scans local networks for other devices and will encrypt network shares. The ransomware deletes shadow copies and recent backups and disables Windows recovery to make recovery more difficult without paying the ransom.
Encrypted files are given a randomly generated file extension and retain the original file name. No ransom amount is stated in the ransom note. Victims are required to contact the attackers to find out how much they will need to pay for the keys to decrypt their files.
One of the intercepted emails being used to distribute the ransomware uses a password-protected zip file as an attachment. The email appears to be a business agreement which the recipient is asked to check. The password to open and extract the file is included in the message body. The zip file attachment – named agreement.zip – contains an executable file which will install Ako ransomware if it is run. The malicious file is called agreement.scr.
There is no free decryptor for Ako ransomware. Recovery without paying the ransom will depend on whether viable backups exist that have not also been encrypted. It is therefore important to make sure backups are regularly performed and at least one copy of the backup is stored on a non-networked device to prevent it also being encrypted by the ransomware. Backups should also be tested to make sure file recovery is possible.
Since Ako ransomware is being distributed via spam email, this gives businesses an opportunity to block an attack. An advanced spam filtering solution should be implemented that scans all inbound messages using a variety of detection mechanisms to identify malware and ransomware threats. A sandbox is an important feature as this will allow email attachments to be analyzed for malicious activity. This feature will improve detection rates of zero-day threats.
End user training is important to ensure that employees do not open potentially malicious files. Training should condition employees never to open email attachments in unsolicited emails from unknown senders. As this campaign shows, any password-protected file sent in an unsolicited email is a big red flag. This is a common way that ransomware and malware are delivered to avoid detection by antivirus solutions and spam filters.
Anti-spam solutions and antivirus software will not be able to detect the threat directly if malicious files are sent in password-protected archives, which can only be opened if the password is entered. Rules should therefore be set to quarantine password-protected files, which should only be released after they have been manually checked by an administrator. With SpamTitan, these rules are easy to set.
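The quarantine rule described above, applied to the agreement.zip lure, can be sketched as follows. This is an added example, not SpamTitan's implementation or code from the original article; the function names, addresses and sample messages are constructed for illustration.

```python
import io
import os
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows runs on double-click; .scr is the one named in the article.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".js", ".vbs", ".hta", ".lnk"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags marks an encrypted member


def inspect_zip(data):
    """Return the reasons a ZIP attachment should be held for manual review."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
    except zipfile.BadZipFile:
        # The filter cannot see inside, so the safe choice is to hold it.
        return ["archive could not be parsed"]
    reasons = []
    for member in members:
        # Classic ZIP encryption protects file data only: member names stay
        # readable in the central directory without the password.
        if member.flag_bits & ENCRYPTED_FLAG:
            reasons.append(f"password-protected member: {member.filename}")
        if os.path.splitext(member.filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable member: {member.filename}")
    return reasons


def scan_message(raw):
    """Decide whether a raw RFC 5322 message is delivered or quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Identify archives by magic bytes; the sender controls name and MIME type.
        if payload.startswith(b"PK\x03\x04"):
            for reason in inspect_zip(payload):
                reasons.append(f"{part.get_filename()}: {reason}")
    protected = any("password-protected" in reason for reason in reasons)
    if protected and re.search(r"\bpassword\b", body, re.IGNORECASE):
        reasons.append("body supplies a password for the attachment")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample_zip(member_name, encrypted):
    """Constructed test input: a one-member ZIP, optionally flagged as encrypted."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(member_name, b"constructed placeholder, not a real payload")
    data = bytearray(buffer.getvalue())
    if encrypted:
        # zipfile cannot write encrypted members, so set the flag bit by hand in
        # the local header (offset 6) and the central directory header (offset 8).
        # The data itself is not encrypted; the scanner only reads the flag.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            position = data.index(signature) + offset
            flags = struct.unpack_from("<H", data, position)[0]
            struct.pack_into("<H", data, position, flags | ENCRYPTED_FLAG)
    return bytes(data)


def build_sample_message(zip_name, zip_bytes, body):
    """Constructed test input: a message with one ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Agreement"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message(
        "agreement.zip",
        build_sample_zip("agreement.scr", encrypted=True),
        "Please check the attached agreement. Password: 1234",
    )
    verdict = scan_message(lure)
    print(verdict["action"])
    for line in verdict["reasons"]:
        print(" -", line)
```
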
Ako ransomware is one of many new ransomware threats that have been released in recent months. High profile attacks on companies such as Travelex that see massive ransom demands issued, which in many cases are paid, show a huge payday is possible.
Ransomware developers will keep developing new threats for as long as attacks remain profitable, and there is not likely to be a shortage of affiliates willing to run spamming campaigns to get their slice of the ransom payments.
With the attacks increasing, it is essential for you to have strong defenses that can detect and block malware, ransomware, and phishing threats, and that is an area where TitanHQ can help.
To find out more about how you can improve your defenses against email and web-based threats, give the TitanHQ team a call today.
The Travelex ransomware attack that started around December 31, 2019 is one of several recent ransomware attacks where threat actors have upped the ante by threatening to publish data stolen from victims prior to the deployment of ransomware.
A New Trend in Ransomware Attacks
Most ransomware attacks, especially those conducted by affiliates using ransomware-as-a-service, see ransomware deployed instantly. An employee receives a ransomware attachment via email, opens the attachment, and the encryption process is started. Now, several threat actors have taken steps to increase the probability of their ransom demand being paid.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has recently issued warnings about changing ransomware tactics, which now involve data theft prior to file encryption. This tactic is nothing new, as several threat actors have been conducting these types of attacks for some time, but attacks of this nature have been increasing.
Once access to the network is gained, the attackers then move laterally and gain access to as many devices as possible. Data is stolen and when the attackers have stolen as much as they want, ransomware is deployed. In these types of attacks, the time between the initial compromise and deployment of ransomware is typically several months.
Data may be stolen and sold online with the ransomware deployed as a coup de grace after a long-term compromise to extort money from the company. Now it is increasingly common for a threat to be issued along with the ransom demand that the stolen data will be published or sold if the ransom is not paid.
This tactic has been adopted by the threat actors behind Maze ransomware and they have gone ahead and published stolen data when the ransom was not paid. The threat actors using MegaCortex ransomware and LockerGoga ransomware have similarly issued threats.
Now the gang behind Sodinokibi (REvil) ransomware have also changed tactics and have started issuing threats to publish stolen data. The Sodinokibi gang have made several threats to sell on or publish stolen data but it was only recently that they did just that. The gang attacked Artech Information Systems, one of the largest IT staffing companies in the U.S. When the ransom demand was not paid, 337MB of stolen data was published on a Russian hacking and malware forum. The Travelex ransomware attack is one of the latest Sodinokibi ransomware attacks, and a threat to publish stolen data was similarly issued.
The Travelex Ransomware Attack
On New Year’s Eve, Travelex took its systems offline to contain the infection and limit the damage caused. More than two weeks on, Travelex systems are still offline although the company is now starting to restore some of its systems. The number of branches affected by the attack, and banks and other companies that rely on its currency exchange services, makes this one of the most serious and damaging ransomware attacks ever.
With its systems offline, Travelex has been unable to provide its currency services to banks such as HSBC, Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, all of which rely on Travelex for providing their currency services. Many other companies, such as the supermarket chains Sainsbury’s and Tesco, have also had to stop providing online currency services to their customers. Travelex has been forced to provide services manually using pen and paper for over the counter currency exchanges in its branches. More than 70 countries in which Travelex operates were affected by the attack.
Travelex has only released a limited amount of information about the attack, but the attackers have been in contact with several media outlets. Initial reports suggested a payment of $3 million was required for the keys to unlock the encryption, although the demand doubled to $6 million when payment was not received within the stipulated 2 days. The attackers also threatened to publish data stolen in the attack if the payment was not made within 7 days.
Travelex issued a statement saying no customer data was breached and that the infection was contained, a position that has been maintained since the attack, even though the Sodinokibi gang has threatened to publish customer data.
The Sodinokibi ransomware gang, through a spokesperson, said the gang had stolen 5GB of customer data including customers’ names, dates of birth, credit card information, Social Security numbers, and National Insurance numbers. The gang claimed that all stolen data would be deleted and would not be used if the ransom demand was paid, but that the data would be sold if payment was not received. The gang also said access to Travelex systems was gained 6 months before the ransomware was deployed.
How Was Travelex Attacked?
It is not known at this stage exactly how ransomware was installed on its network, but there have been several security researchers that have offered some clues. According to BleepingComputer, Travelex was using insecure services prior to the attack. Security researcher Kevin Beaumont found Travelex had AWS Windows servers that did not have Network Level Authentication enabled, which could have given the attackers the opportunity they needed to launch an attack.
A critical vulnerability in the Pulse Secure VPN enterprise solution for secure communications – CVE-2019-11510 – was identified and was patched by Pulse Secure on April 24, 2019, but many companies were slow to apply the patch, despite receiving multiple warnings from Pulse Secure. An exploit for the vulnerability was made public on August 21, 2019.
Troy Mursch, chief research officer at Bad Packets, found that Travelex had not applied the patch by the time the exploit was released. The Sodinokibi ransomware gang said they compromised Travelex 6 months prior to the deployment of ransomware. This could have been the vulnerability that was exploited.
Recovery Now Well Underway
On January 13, 2020, more than 2 weeks after the ransomware attack was experienced, Travelex issued a statement confirming that the recovery process was well underway, although the firm’s website was still offline. The company had started restoring its currency services to banks and its own network. Internal order processing has been restored and customer-facing systems are slowly being brought back online. What Travelex has not confirmed is whether the ransom was paid. No Travelex data appears to have been published online so it is possible that a ransom payment has been negotiated with the attackers.
Cost of the Travelex Ransomware Attack
The ransom payment is considerable but is likely to be several orders of magnitude less than the costs of downtime and disruption to its services.
No customer data appears to have been misused, but Travelex could still face a barrage of lawsuits from customers, and the Information Commissioner’s Office and other data protection authorities may choose to fine Travelex over the data breach, either for the exposure of data or for the failure to report under GDPR.
GDPR requires data breaches to be reported to data protection authorities within 72 hours and it appears that did not happen. The maximum financial penalty for a GDPR violation is €20 million or 4% of a company’s global annual turnover, whichever is greater. Travelex’s global annual turnover in 2018 was $947.86 million. A fine of $189.57 million could therefore be issued. It should be noted that even if data was not stolen by the attackers and was just made inaccessible, it still counts as a reportable data breach under GDPR.
A payment of $6 million to the attackers would only be a tiny proportion of the total losses from downtime, lost business, lawsuits, and regulatory fines.
Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research, which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.
A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the specific country top level domain where the bank operates. The emails instruct users to visit the bank’s website and log in, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.
In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.
The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is included in the PDF attachment rather than email body for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.
The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screenshot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.
These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.
All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.
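The campaign above hides its link inside a PDF attachment and points it at a domain a letter or two away from the bank’s. The Python below is an added example, not code from the original article or from Check Point Research: it pulls link targets out of PDF attachments and compares their hosts with a list of protected domains. The domains, file name and message are constructed placeholders, and only uncompressed /URI actions are read.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: the genuine domains to protect (constructed placeholders).
PROTECTED = ("maplebank.example", "northcu.example")

# Target of a PDF link action: /URI (...) where \( \) and \\ are escapes.
# Links stored inside compressed object streams are not seen by this regex.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def pdf_links(pdf_bytes):
    """Return the URLs found in uncompressed /URI actions of a PDF."""
    urls = []
    for raw in URI_RE.findall(pdf_bytes):
        unescaped = re.sub(rb"\\([()\\])", rb"\1", raw)
        urls.append(unescaped.decode("latin-1"))
    return urls


def classify_host(host):
    """Return (verdict, protected_domain) for one host name."""
    host = host.lower().rstrip(".")
    for good in PROTECTED:
        if host == good or host.endswith("." + good):
            return ("genuine", good)
    for good in PROTECTED:
        # Compare like with like: keep as many trailing labels as the
        # protected domain has, so login.map1ebank.example is still caught.
        depth = good.count(".") + 1
        tail = ".".join(host.split(".")[-depth:])
        brand = good.split(".")[0]
        # Two edits covers "a letter or two"; the brand test covers hyphenated
        # or prefixed names. Very short brands need a tighter threshold.
        if edit_distance(tail, good) <= 2 or brand in host:
            return ("lookalike", good)
    return ("unrelated", None)


def scan_message(raw_bytes):
    """Check every link inside every PDF attachment of one message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        for url in pdf_links(part.get_content()):
            verdict, brand = classify_host(urlsplit(url).hostname or "")
            findings.append((part.get_filename(), url, verdict, brand))
    return findings


def build_sample():
    """Constructed message with a minimal PDF carrying two link actions."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (https://map1ebank.example/login) >> >>\nendobj\n"
           b"2 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (https://www.maplebank.example/help) >> >>\nendobj\n"
           b"%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "Online Banking <alerts@mail.example>"
    msg["To"] = "customer@mail.example"
    msg["Subject"] = "Digital certificate update"
    msg.set_content("Your security code is in the attached PDF.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Because the domains in a campaign like this are short-lived, a check of this kind is more useful against attachment links at delivery time than against a static blocklist.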
A spamming campaign has been detected that is piggybacking on the popularity of Greta Thunberg and is using the climate change activist’s name to trick individuals into installing the Emotet Banking Trojan.
Emotet is one of the most active malware threats. Emotet was first detected in 2014 and was initially used to steal online banking credentials from Windows users by intercepting internet traffic. Over the years it has undergone several updates to add new functionality. It has had a malspam module added, which allows it to send copies of itself via email to a user’s contacts. Emotet also includes a malware downloader, allowing it to download a range of other malware variants such as other banking Trojans and ransomware.
The malware is used indiscriminately in attacks on individuals, businesses, and government agencies, with the latter two being the main targets. Emotet is primarily spread via spam email. While Emotet itself does not use exploits (EternalBlue, for instance) to spread to other devices on the network, other malware variants downloaded by Emotet, such as TrickBot, can.
The Greta Thunberg spam campaign aims to get users to open a malicious Word attachment and enable content. If that happens, Emotet will be silently downloaded to the user’s device, sensitive banking information will be stolen, and further malware may be downloaded.
The campaign was active over the holiday period and used a variety of Christmas-themed lures to entice users into opening the email attachment. Some of the emails did not include an attachment and instead used a hyperlink to direct the user to a website where the malicious document could be downloaded.
One of the emails wished the recipient a Merry Christmas and urged them to consider the environment this Christmastime and join a demonstration in protest against the lack of action by governments to tackle the climate crisis. The email claimed details about the time and location of the protest were included in the Word document. The email also requested the recipient to send the email on to all their colleagues, friends, and relatives immediately to get their support as well. Several variations along that theme have been detected.
To increase the likelihood of the recipient enabling content, when opened the document displays a warning that appears to have been generated by Microsoft Office. The user is told that the document was created in OpenOffice and it is necessary to first enable editing and then enable content. Doing the latter will enable macros which will start the infection process.
The emails are well written and have been crafted to get an emotional response, which increases the likelihood of the user taking the requested action. The emails have been sent in multiple languages in many different countries.
Whenever there is a major news event, popular sports tournament, or other event that attracts global interest, there will be cybercriminals taking advantage. Regardless of the theme of any email, if it is unsolicited and asks you to click a link or open an email attachment, it is best to assume that it is malicious.
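Since the infection described above only starts once macros are enabled, a mail gateway can check whether a Word attachment carries a VBA project before it is delivered. The Python below is an added example, not part of the original article: it recognises the two Word container formats and reports whether macro storage is present. The sample documents are constructed byte strings rather than real files, and the legacy-format check is a byte-search heuristic rather than a full parser.

```python
import io
import zipfile

# Header of an OLE2 compound file (legacy .doc/.xls/.ppt).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Compound-file directory entry names are stored as UTF-16LE; a VBA project
# always includes a stream with this name.
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def macro_verdict(data):
    """Classify attachment bytes by container type and macro presence."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the VBA stream name anywhere in the file.
        return "ole-vba" if VBA_STREAM in data else "no-macros"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = [name.lower() for name in archive.namelist()]
        except zipfile.BadZipFile:
            return "unreadable"
        if "[content_types].xml" not in names:
            return "not-office"          # an ordinary zip, not OOXML
        if any(name.endswith("vbaproject.bin") for name in names):
            return "ooxml-vba"
        return "no-macros"
    return "not-office"


def triage(data):
    """Return (action, verdict); hold anything with macros or unparseable."""
    verdict = macro_verdict(data)
    action = "quarantine" if verdict in ("ole-vba", "ooxml-vba", "unreadable") else "deliver"
    return action, verdict


def ooxml_sample(with_macros):
    """Constructed OOXML-shaped zip; the part contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


def ole_sample():
    """Constructed bytes: OLE2 header, padding, then the VBA stream name."""
    return OLE_MAGIC + b"\x00" * 504 + VBA_STREAM


if __name__ == "__main__":
    for label, blob in (("legacy .doc with macros", ole_sample()),
                        ("OOXML with macros", ooxml_sample(True)),
                        ("OOXML without macros", ooxml_sample(False))):
        print(label, triage(blob))
```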
Businesses can protect their networks against threats such as these by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan will identify threats such as phishing attacks and will prevent the messages from reaching inboxes. SpamTitan also includes dual anti-virus engines to detect known malware and machine learning techniques and sandboxing to identify and block zero-day malware.
For further information on how SpamTitan can protect your business from email threats such as this, contact TitanHQ today.
The majority of businesses have experienced a phishing attack in the past year, and according to one survey on SMBs in the United States, 72% have experienced a phishing attack in the past 3 months.
In healthcare, phishing is the leading cause of data breaches by some distance. In November 2019, there were 17 phishing-related data breaches reported to the Department of Health and Human Services Office for Civil Rights out of 33 for the month. Since OCR only makes breach reports public if they have resulted in the exposure of 500 or more records, the total number of phishing attacks is likely to be substantially higher.
Phishing attacks are increasing, and the reason is simple. Phishing is the easiest way of attacking an organization to deliver malware or obtain sensitive information. That is because phishing targets the weakest link: Employees. Employees are getting better at identifying phishing emails through security awareness training, but cybercriminals have responded and are now conducting highly sophisticated phishing attacks that are much harder for employees to identify.
There has also been an increase in spear phishing attacks. This is a much more targeted form of phishing. Instead of millions of emails being sent out in a campaign, only a handful are sent, and to very specific targets. The emails are written to maximize the chances of success and are usually personalized.
So how can a business improve its defenses against phishing and spear phishing? Unfortunately, there is no silver bullet. Businesses need to take a defense in depth approach to significantly improve resilience to phishing attacks.
The best place to start is with an advanced email security solution. Phishing requires some form of manual action in order to succeed. If you prevent phishing emails from reaching inboxes, employees will not be able to click on links or download malware. An advanced email security solution will be able to block the vast majority of phishing emails before they reach your email system.
You will no doubt already have a spam filtering solution in place, but is it effective? Are phishing emails still being delivered? One common mistake made by SMBs is to believe that their Office 365 environment is well protected by default, when the reality is that Exchange Online Protection (EOP), which comes with Office 365, fails to block many phishing attempts. One study showed 25% of phishing emails were not blocked by EOP. If you want to improve your defenses against phishing, you should use a third-party anti-spam and anti-phishing solution on top of EOP: one that complements EOP but provides greater protection, such as SpamTitan.
With more phishing emails being blocked, your security posture will be much improved, but you can’t stop there. No anti-phishing solution will block all phishing threats, 100% of the time. Since all it takes is for one phishing email to be clicked for a data breach to occur, you need to add another layer to your defenses.
A DNS filtering solution provides protection against the web-based part of phishing attacks. When an employee clicks a link in an email and is directed to a fake Office 365 login page or a site where malware is downloaded, the attempt to access the site will be blocked.
A DNS filter blocks attempts to access phishing sites at the DNS lookup stage, before any web content is downloaded. If an attempt is made to access a phishing site, the employee will be directed to a block page before any harm is done. DNS filters can also block malware downloads from sites that are not yet known to be malicious.
Employees are the weak link that is targeted by cybercriminals, so it is important they are trained how to recognize phishing emails. You should provide security awareness training regularly to develop a security-aware culture in your organization. Over time, employees can be conditioned to respond correctly and report phishing threats to the security team. Also conduct phishing simulation exercises to make sure training has been effective. A failed phishing simulation allows you to identify a weak link and provide further training.
If all of the above defenses have failed, there is another layer that can keep your business protected: Multi-factor authentication. MFA requires another factor to be used before access to an email account or other system is provided. If an employee’s login credentials are disclosed in a phishing attack, MFA should stop those credentials from being used by a cybercriminal to gain access to email accounts and other systems.
All of these layers are necessary to block today’s sophisticated phishing threats. It may seem like a lot of expense, but the above anti-phishing measures need not be expensive. TitanHQ can’t train your employees to be security titans, but through SpamTitan Email Security and WebTitan DNS filtering, phishing threats can be blocked.
IT professionals have long known that employees are a weak link in the security chain. Recent studies have confirmed this to be the case. Employees are poor at identifying phishing emails and other email-based threats and, to be fair on employees, many have received no training and phishing scams are becoming much more targeted and sophisticated.
The number of successful phishing attacks on businesses is difficult to determine, as many attacks go unreported, even when they result in the exposure of consumer data. In regulated industries, such as the healthcare industry in the United States, the picture is much clearer.
The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – requires healthcare organizations to report breaches of patient information. Summaries of data breaches of 500 or more records are also made public and can be seen on the Department of Health and Human Services’ Office for Civil Rights data breach portal.
In 2019 alone, there have been at least 147 incidents of hacking of email accounts. The cost of those breaches is staggering. In those 147 incidents, the hacked email accounts contained the records of 2,762,691 individuals. According to the Ponemon Institute/IBM Security 2019 Cost of a Healthcare Data Breach report, the cost per exposed healthcare record is $423. Those breaches are therefore likely to have cost $1,168,618,293.
A recent study conducted by GetApp confirmed how often employees are fooled by phishing attacks in other industries. For the study, 714 individuals were surveyed from a range of businesses in the United States. Almost a quarter of those businesses have experienced at least one successful phishing attack and 43% of employees said that someone in their organization had clicked on a phishing email.
The aim of the study was to explore whether businesses were providing security awareness training to their employees to help them identify phishing emails. Only 27% of organizations did. It is therefore no surprise that employees often fall for phishing scams.
The provision of security awareness training, with a particular focus on phishing and social engineering, is vital. Even with layered defenses, some phishing emails will arrive in inboxes, so employees need to be taught the skills they need to help them identify email threats. Employees should then be tested by conducting phishing email simulations. That allows businesses to find out if the training has been taken on board. Without training and testing, employees will remain a liability. Over time their phishing identification skills will improve.
It is worth noting that security awareness training for employees is a requirement of HIPAA, yet many employees are still fooled. Training and phishing simulations can help reduce an organization’s susceptibility to phishing attacks, but employees, being human, will still make mistakes.
The solution is layered defenses. No one cybersecurity solution will block all phishing attempts, and certainly not without also blocking many legitimate email communications. Multiple solutions are therefore required.
It is essential for advanced email security defenses to be implemented to block phishing emails and make sure phishing and malspam (spam emails containing malware) never reach inboxes. That means an advanced spam filtering solution is a must.
SpamTitan has been independently tested and shown to block in excess of 99.9% of spam emails and 100% of emails containing known malware. SpamTitan also blocks zero-day threats using a combination of advanced detection techniques. This is achieved through heuristic analyses, blacklists, trust scores, greylisting, sandboxing, DMARC, and SPF to name just a few.
SpamTitan has also been developed to complement Office 365 security and provide a greater level of protection against phishing and other malicious email threats. It should be noted that Microsoft’s Exchange Online Protection was recently shown to allow 25% of phishing emails through.
Should phishing emails arrive in inboxes and be opened by end users, other controls are required to prevent clicks from resulting in malware infections or the theft of credentials. Here a web filtering solution such as WebTitan is important. When a link in an email is clicked, before the webpage is displayed, the URL and the content of the webpage are checked and the user is prevented from visiting the webpage if it, or its domain, is associated with phishing or malware distribution. Malware downloads can also be blocked from websites, even those with a high trust score. Together these solutions form the backbone of your phishing defenses. Further, these two solutions are quick and easy to implement, simple to use and maintain, and they are inexpensive.
Add antivirus protection, multi-factor authentication, and end user training, and you will be well protected from phishing and email and web-based malware attacks.
For further information on improving your defenses against phishing, spear phishing, and malware, give the TitanHQ team a call today.
If you are a managed service provider, contact the TitanHQ channel team and discover why TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs serving the SMB market.
Over the past 2 decades TitanHQ has been developing powerful cybersecurity solutions for SMBs and managed service providers (MSPs) that serve the SMB market. Naturally at TitanHQ we have great belief in our email security solution, SpamTitan. We believe it is the ideal spam filtering solution for SMBs and MSPs for preventing a myriad of email threats from reaching inboxes.
TitanHQ is the leading provider of cloud-based email security to MSPs serving the SMB market. We regularly receive positive feedback from MSPs and SMBs about how the solution has saved them hours of work compared to other email security solutions and has helped them improve email security and block more spam and stop malware and ransomware from reaching inboxes.
Positive feedback from end users proves we are getting it right and it inspires us to continue improving the solution to ensure it will keep on protecting our customers from malware, ransomware, viruses, botnets, and social engineering and phishing attacks for many years to come.
The positive feedback is not only provided to our engineers and customer service and sales teams. IT decision makers have posted highly positive reviews on the top business software review platforms and are letting other IT professionals know about their experiences implementing the solution, integrating it with their other cybersecurity solutions and management platforms, and what it is like to use SpamTitan on a daily basis.
In fact, across the different business review sites, SpamTitan has consistently received high scores. There is no other email security product on the market that has achieved such a wealth of positive reviews and feedback from end users.
Some of the positive reviews across the leading business software review sites are detailed below:
Gartner Peer Insights
Gartner Peer Insights is one of the most highly respected review platforms from the world’s leading business advisory and research company. While Gartner strictly polices the review site, Gartner is unbiased and has no hidden agenda. The review platform gives IT professionals the opportunity to give their honest feedback on software solutions that they have implemented to help other IT professionals save time and money in their search.
36 qualified users of SpamTitan have left reviews on the site and the solution has achieved highly positive feedback with an average user score of 4.7 out of 5.
“SpamTitan has been a very responsive vendor to work with, both during the sales process and with post-sales support. Tickets are responded to within several hours and often resolved within a day. The product itself is very MSP-friendly supporting delegation to client admins, multiple delivery pools, and attractive pricing. The catch rate is better than Exchange Online.” Microsoft Team Lead in the Services Industry
“SpamTitan takes a little technical knowhow, but it’s powerful, flexible and affordable.” Director of IT and Telecom in the Healthcare Industry.
“SpamTitan is superb giving control back to the user and giving time back to IT staff. The product is amazing, it stopped 99% of spam and gives total control back to the user, it is web based and was easy to migrate to. The support and migration management from TitanHQ was brilliant.” IT Security Manager in the Manufacturing Industry.
G2 Crowd
G2 Crowd is one of the leading business software review sites. 139 verified users of SpamTitan have left reviews on the site and the solution has achieved an overall score of 4.6 out of 5. SpamTitan has been rated consistently highly in all rating categories, achieving 9.3 out of 10 for meets requirements and ease of doing business with, 9.2 for ease of setup and quality of support, 9.1 for ease of use, and 9.0 for ease of admin.
Additionally, each quarter, G2 Crowd compiles its Email Security Grid and rates solutions based on customer feedback and market presence. For four consecutive quarters, SpamTitan has been the Top Email Security Solution.
“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used.” Jeff Banks, Director Of Technology.
“Antispam that is affordable, flexible and powerful.” Mike S, Director of IT and Telecommunications.
“Cloud Version is Great for Managed Service Providers.” Andrew B, Vice President.
“Minimizes our exposure to harmful malware and junk emails.” David C, Outreach Specialist.
Google Reviews
112 users of SpamTitan have taken the time to submit their feedback to Google Reviews. The solution is consistently given top marks by users and has achieved an overall review score of 4.9 out of 5.
Some of the positive feedback from users includes:
“TitanHQ is an excellent solution which ticks many boxes. It’s simple to setup, and gives a huge range of functionality all from within one place. My experience of the Support help desk has been great with a team that really do know their product. I highly recommend TitanHQ.” Chris Bell.
“The Titan Spam filter is by far one of the best email filters I have ever used. It was simple to setup, it allows users to release their own emails from quarantine quick and easy.” Joseph Walsh.
“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme.
Capterra
Capterra is a leading software review site that has been active for 20 years. The site has now been purchased by Gartner which moderates reviews on the site. Capterra includes more than 700 categories of software products and is one of the most highly respected business software review sites. It is relied upon by IT decision makers the world over.
SpamTitan has been reviewed by 379 users and has achieved an overall review score of 4.6 out of 5.
“It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it was legit, it was, and I haven’t shut it off again since. Whitelisting and blacklisting domains and specific emails are super easy. Support Staff are awesome and go into detail when resolving problems if they were to arise or even if you just have a question. They have always been friendly and courteous and super personable and have been some of the best people to work with in all my years doing IT.” Benjamin Jones, Director Of Information Technology.
“SpamTitan has saved me, saved my company time, and has some of the best support people around. It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes.” Benjamin J, Director of Information Technology.
Spiceworks
Members of the Spiceworks community have also rated SpamTitan highly. The solution has been reviewed by 56 users and has an overall rating of 4.6 out of 5.
Software Advice
The software review site Software Advice includes 350 reviews of SpamTitan from business users, and the solution has achieved an average score of 5.58 out of 5.
SpamFilterReviews
According to SpamFilterReviews, SpamTitan is the top-rated spam filtering solution on the site with a score of 4.9 out of 5.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation-state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs conducting attacks on MSPs serving small and medium-sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider, Virtual Care Provider Inc., was attacked with Ryuk ransomware. The attack started on November 17, 2019, and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First, the MSP was attacked, and then its remote administration tools were used to deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SPF and DMARC to block email impersonation attacks, dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real-time and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email and stores email data securely in the cloud on Replicated Persistent Storage on AWS S3. When emails need to be searched and recovered, the searches are lightning-fast. ArcTitan can search up to 30 million emails a second.
ArcTitan has recently been moved to a brand new system, with the service delivered as a highly available, self-healing horizontally scaled Kubernetes cluster. Within that cluster are many different components working in harmony together, but independently. Should any component go down, that component can be taken offline and repaired with no impact on the others, ensuring a much more reliable service with minimal or no disruption during an outage. With ArcTitan, email is protected from cyberattacks.
These solutions are not only ideal for improving the security posture of MSP clients, they can also help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSPs' remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ's cybersecurity solutions can improve your and your clients' security posture, give the TitanHQ channel team a call today.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not relying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
A new phishing campaign has been detected that is targeting Office 365 admins, whose accounts are far more valuable to cybercriminals than standard Office 365 accounts.
A standard Office 365 email account can be used for spamming or conducting further phishing attacks on the organization or business contacts. However, there is a problem. When the account is used for phishing, the sent messages are likely to be noticed by the user. Failed delivery messages will also arrive in the user's inbox. The account may only be usable for a short time before the compromise is detected.
The attackers targeting Office 365 admins aim to compromise the entire domain. Office 365 admins can create new accounts on the domain, which are then used for phishing. Since the only person using that account is the attacker, it is likely the malicious actions will not be noticed, at least not as quickly. The only person who will see the failed delivery messages and sent emails is the attacker.
The newly created account abuses trust in the business domain. Any individual who receives such a phishing message may mistakenly believe the email is a legitimate message from the company. The messages also take advantage of the reputation of a business. Since the business domain will have been used only to send legitimate messages, the domain will have a high trust score. That makes it far more likely that the emails being sent from the new account will be delivered to inboxes and will not be picked up by Office 365 spam filters. The Office 365 admin may also have access to all email accounts on the domain, which will allow the attacker to steal a huge amount of email data.
In theory, Office 365 admins should be better at identifying phishing emails than other employees in the organization as they usually work in the IT department; however, these emails are very realistic and will likely fool many Office 365 admins.
The lure being used is credible. The emails appear to have been sent by Microsoft and include the Microsoft and Office 365 logos. The emails claim that the organization’s Office 365 Business Essentials invoice is ready. The user is told to sign into the Office 365 admin center to update their payment information, set their Message Center preferences, and edit their release preferences or join First Release and set these up if they have not done so already. The emails include an unsubscribe option and are signed by Microsoft and include the correct contact information. The emails also link to Microsoft’s privacy statement.
The embedded hyperlinks in the emails link to an attacker-controlled domain that is a carbon copy of the official Microsoft login page. If the user’s credentials are entered, they are captured by the attacker.
This campaign highlights how important it is to have layered email security defenses in place to block phishing attacks. Many phishing emails bypass standard Office 365 anti-phishing controls so additional protection is required.
An advanced anti-phishing solution such as SpamTitan should be layered on top of Office 365 to provide greater protection against sophisticated phishing attacks. Approximately 25% of all phishing emails bypass standard Office 365 phishing protections.
Another anti-phishing layer that many businesses have yet to implement is a web filter. A web filter, such as WebTitan, provides protection when messages are delivered to inboxes, as it blocks attempts by employees to visit phishing websites. When a link to a known phishing website is clicked, or the user attempts to visit a questionable domain, they will be directed to a block page and the phishing attack will be blocked.
The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed that 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all-round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The email sandbox is used to detect and block zero-day malware – new, never-before-seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point in creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is good practice to require a password of at least 8 characters, with a combination of upper- and lower-case letters, numbers, and symbols, and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check the National Institute of Standards and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
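One way to enforce the policy and the login rate limit described above, as an added example that is not code from TitanHQ or any product named on this page. The denylist is a constructed sample, and the 20-character passphrase exemption and the throttle thresholds are assumptions chosen for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample denylist; a real deployment would load a large list of
# common and breached passwords plus a dictionary.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome", "dragon"}

MIN_LENGTH = 8          # minimum length from the policy described above
PASSPHRASE_LENGTH = 20  # assumption: long passphrases skip the character-class rules


def normalise(candidate):
    """Lower-case and undo common substitutions so 'P@ssw0rd!' maps to 'password'."""
    swapped = candidate.lower().translate(str.maketrans("@0135$7", "aoiesst"))
    return re.sub(r"[^a-z]", "", swapped)


def check_password(candidate):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in DENYLIST or normalise(candidate) in DENYLIST:
        problems.append("common or dictionary password")
    if len(candidate) < PASSPHRASE_LENGTH:
        classes = {
            "upper-case letter": r"[A-Z]",
            "lower-case letter": r"[a-z]",
            "digit": r"[0-9]",
            "symbol": r"[^A-Za-z0-9]",
        }
        for name, pattern in classes.items():
            if not re.search(pattern, candidate):
                problems.append("missing " + name)
    return problems


class LoginThrottle:
    """Block a source IP after max_failures failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window = window                  # seconds a failure stays counted
        self.lockout = lockout                # seconds the IP stays blocked
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return self._blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now=None):
        """Record one failed login; return True if the IP is blocked afterwards."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "123456", "Tr1cky-Gate#42", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "accepted")
    throttle = LoginThrottle(max_failures=3, window=60, lockout=600)
    # 203.0.113.7 is a documentation address used as constructed sample input.
    print([throttle.record_failure("203.0.113.7", now=t) for t in (0, 10, 20)])
```

A per-IP limit does not stop guesses spread across many addresses, so the same counter is usually kept per account as well.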
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, i.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only does DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from unauthenticated users, thus helping protect your brand.
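How a receiving server turns a DMARC record plus its SPF and DKIM results into a deliver, quarantine, or reject decision, as an added example that is not SpamTitan's code or code from this page. The domains, records, and messages are constructed samples; the record is assumed to be the one published for the organizational domain, and a three-entry suffix set stands in for the Public Suffix List.

```python
# Constructed stand-in for the Public Suffix List, which real implementations
# use to find the organizational (registrable) domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def org_domain(domain):
    """Return the organizational domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and the requested policy must be valid.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags


def aligned(identifier, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode.lower() == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf, dkim):
    """Return (dmarc_pass, disposition) for one message.

    spf and dkim are (result, domain) pairs: the SPF result for the envelope
    sender domain and the DKIM result for the signature's d= domain.
    The pct tag and aggregate reporting are not modelled here.
    """
    policy = parse_dmarc(record_txt)
    if policy is None:
        return (False, "no-policy")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    # A subdomain of the organizational domain uses sp= when the record has one.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    requested = policy["sp"] if is_subdomain and "sp" in policy else policy["p"]
    return (False, requested.lower())


# Constructed sample messages: (label, record, From domain, SPF, DKIM).
SAMPLES = [
    ("legitimate", "v=DMARC1; p=reject",
     "example.com", ("pass", "bounce.example.com"), ("pass", "example.com")),
    ("spoofed From, SPF passes for another domain", "v=DMARC1; p=reject",
     "example.com", ("pass", "mailer.example.net"), ("none", "")),
    ("third-party sender with aligned DKIM", "v=DMARC1; p=reject",
     "example.com", ("pass", "esp.example.org"), ("pass", "example.com")),
    ("strict alignment", "v=DMARC1; p=quarantine; aspf=s; adkim=s",
     "example.com", ("pass", "bounce.example.com"), ("fail", "example.com")),
    ("monitoring only", "v=DMARC1; p=none",
     "example.com", ("fail", "example.com"), ("none", "")),
    ("unauthenticated subdomain", "v=DMARC1; p=reject; sp=quarantine",
     "news.example.com", ("fail", "news.example.com"), ("none", "")),
]


def run_samples():
    return [(label, evaluate(rec, frm, spf, dkim)) for label, rec, frm, spf, dkim in SAMPLES]


if __name__ == "__main__":
    for label, outcome in run_samples():
        print("%-45s %s" % (label, outcome))
```

The second sample is the case that matters for impersonation: SPF passes, but for a domain unrelated to the From address, so the message still fails DMARC and the `p=reject` policy applies.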
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they know nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never clicking hyperlinks in emails or sending highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You may be surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.
SMBs and Managed Service Providers (MSPs) that serve the SMB market have many spam filtering services to choose from. In this post we perform a VadeSecure vs SpamTitan Email Security comparison to help you decide on the best solution to meet the needs of your business.
Who are VadeSecure?
VadeSecure is a French company that was founded in 2009. The company has developed a predictive email defense solution to protect businesses from email-based threats and spam email, and also consumers through their ISPs. The company has yet to make great inroads in the MSP market, although that is part of the company’s plan, having recently raised $79 million in venture capital to help them achieve this aim.
SpamTitan Email Security from TitanHQ
TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs that serve the SMB market. TitanHQ has more than 2 decades of experience in email and web security and has developed two award winning solutions for MSPs – WebTitan (Web Security) and SpamTitan Email Security. Here we will focus on SpamTitan Email Security.
VadeSecure vs SpamTitan Email Security
Take a quick look at VadeSecure and SpamTitan Email Security and you may think that both solutions are very similar, and in some respects they are. Both are cloud-based email security solutions that have been designed to block email threats and keep inboxes free from spam and malicious messages and attachments. Both solutions have been developed to provide an additional security layer for Office365 to block the many spam and malicious messages that bypass O365 security controls.
However, there are some very important differences between the solutions as far as MSPs are concerned. VadeSecure has been developed solely for the Telco market, but MSPs have unique requirements that are not well catered to. A deeper dive into the products and a more thorough comparison of VadeSecure vs SpamTitan Email Security from an MSP perspective reveals the two solutions are very different products.
SpamTitan is very much MSP focused. Over time, with the increased investment, VadeSecure may become a more MSP friendly solution, but as it stands VadeSecure and SpamTitan Email Security are not equivalent solutions.
Comparison of VadeSecure and SpamTitan Email Security for MSPs
SpamTitan Email Security has been developed by MSPs for MSPs. SpamTitan Email Security is therefore a very MSP-focused product, which incorporates many MSP-friendly features. SpamTitan is a true multi-tenant solution. With SpamTitan Email Security, MSPs are given a multi-tenancy view of all customers with multiple management roles. This allows MSPs to easily monitor all customer deployments and the trial-base, assess the health of those deployments, view activity volumes across your entire customer base, and quickly identify any issues that need to be addressed. VadeSecure lacks this customer-wide view of the system and does not integrate with RMMs or PSAs.
Configurability and Customization Potential
Configurability is also a key consideration. VadeSecure is not easily configurable to meet your needs. For instance, it does not support custom rules, so you have to use Office 365 Exchange admin functionality for configuration. In a similar vein, the potential for customization is limited with VadeSecure. With SpamTitan Email Security, there is plenty of scope for customization. You can create custom rules to meet the needs of your customer base thanks to highly granular controls that can be applied to domains, groups, or individual users. This level of granularity is important, as it allows you to carefully configure the solution to meet the needs of each client. You can tailor the solution to suit the risk tolerance of each individual client and adopt a more aggressive or more permissive approach on a per client basis and minimize false positives and false negatives. VadeSecure lacks the granularity to allow this for each customer.
Management and Reporting
You are implementing email security to provide your customers with greater security, but you need to make sure the solution remains effective over time. You will therefore need to identify issues as they arise and perform tweaks to continue to protect your clients to the highest degree. To achieve this, you need highly granular reports. Without them you will not have the visibility you need. SpamTitan’s suite of pre-configured and customizable reports give you full visibility into your deployments to allow you to quickly identify and correct any issues.
You can also generate reports (manually or automatically) that you can send to your clients to show them how effective the solution is, the threats that are being blocked, and why continued protection is essential. With VadeSecure you lack this visibility and cannot find out what has been blocked for end users or obtain detailed information on spam emails and threats. Client management is also more difficult with VadeSecure. MSPs need to login to each client’s Office 365 environment for management, which makes reporting much more time consuming.
Revenue Potential and Margins
Because SpamTitan allows MSPs to customize their deployments, MSPs have superior management capabilities and can offer clients greater value, which means greater margin potential for MSPs. It also makes it harder for clients to switch providers as their MSP is more of a strategic partner rather than just an IT service provider.
With TitanHQ there is also greater potential to make more margin by cross selling other services. MSPs that sign up with TitanHQ and join the TitanShield program have access to two other revenue generating solutions: WebTitan DNS filtering and ArcTitan Email Archiving. These allow you to maximize monthly recurring revenue with each client. Additional revenue-generating solutions are not available with VadeSecure.
VadeSecure Vs SpamTitan Email Security Pricing
Currently, pricing with VadeSecure is complex and the solution is expensive for MSPs. VadeSecure is charged on a per module basis, which means you need to factor in a lot of additional costs, such as anti-virus protection and GreyMail which are not included as standard. With SpamTitan there is one flat fee that includes all features of the solution. TitanHQ pricing is totally transparent and there are no hidden extras.
After speaking with customers that have tried VadeSecure, we have learned that the total number of users is not aggregated into the MSP discount with VadeSecure. You could have 100 x 10-seat licenses (1,000 users), but VadeSecure pays at 10 seats each and not the 1,000 seats overall. In contrast, TitanHQ appreciates how MSPs work and has developed a flexible pricing policy accordingly.
Quick Comparison of Features
In the image below we have compared the basic features of both SpamTitan and VadeSecure as a quick reference to show you some of the key differences between VadeSecure and SpamTitan Email Security.
MSPs that serve customers with Office 365 environments should adopt a layered approach to security and should not rely on the anti-spam and anti-phishing defenses incorporated into Office 365. Additional layers are required to better protect clients, which will mean you spend less time on support and remediating phishing attacks.
TitanHQ can provide two additional layers to your security stack: SpamTitan and WebTitan, both of which work seamlessly together to protect against all email and web-based threats.
To find out more about these solutions, how you can reduce the cost of email security and web security for your customers while earning a profitable margin, contact the TitanHQ team today and ask to speak to the channel team.
Cybercriminals are inventive and their attacks are becoming increasingly sophisticated. To help ensure you are prepared and can defend your business against these attacks, we have listed the top 10 cybersecurity threats your business is likely to face, along with some tips to help you prevent a costly data breach.
Cybercriminals are not just trying to attack large enterprises. Sure, a cyberattack on a large healthcare system or blue-chip company can be incredibly rewarding, but the defenses they have in place make attacks very difficult. SMBs on the other hand have far fewer resources to devote to cybersecurity and as a result they are easier to attack. The potential rewards may not be as great, but attacks are more likely to succeed which means a better return on effort. That is why so many SMBs are now being attacked.
There is a myriad of ways that a company can be attacked, and the tactics, techniques and procedures used by cybercriminals are constantly changing. The top 10 cybersecurity threats listed below include the main attack vectors that need to be blocked and will serve as a good starting point on which you can build a robust cybersecurity program.
Top 10 Cybersecurity Threats Faced by SMBs
We have listed the top 10 cybersecurity threats that SMBs need to defend against. All the threats listed below need to be addressed as any one of them could easily result in a costly data breach, data loss, or could cripple your business. Some of the threats listed below will be harder to address than others, and it will take time for your cybersecurity defenses to mature. The important thing is to start the ball rolling and address as many of these areas as soon as possible.
Human Error and Insider Threats
We have listed human error first, as it doesn’t matter what hardware and software solutions you implement, human error can easily undo much of your good work. Mistakes will be made by employees on occasion. What you need to do is reduce the potential for errors and limit the harm that can be caused.
Developing robust policies and procedures and providing training will help to ensure that your employees know how to act and more importantly, how not to.
Mistakes are not the only thing you need to take steps to try to prevent. There may also be individuals on your payroll who will take advantage of poor security for personal gain. You will also need to tackle the problem of insider threats and make it harder for rogue employees to cause harm and steal data. The measures listed below will help address threats from within and reduce risk.
Passwords
Enforce the use of strong passwords but make it easier for your employees to remember them so they don’t try to circumvent your password policy or, heaven forbid, write their passwords down. Implement a password manager to store their passwords so they only have one password or pass phrase to remember.
Rule of Least Privilege
It is obvious, but often overlooked. Don’t give employees access to resources they do not need for their day-to-day work duties. If their credentials are compromised, this will limit the harm caused. It will also limit the harm that can be caused by rogue employees.
Block the Use of USB Devices
USB devices make it easy for rogue employees to steal data and for malware to be accidentally or deliberately introduced. Implement technical controls to prevent USB devices from being connected, and if they are required for work purposes only give permission to certain individuals to use them. Ideally, use more secure methods of transferring or storing data.
Monitor Employee Activity
If rogue employees are stealing data, you are only likely to find out if you are monitoring their computer activity. Similarly, if credentials are compromised, system logs will highlight any suspicious activity. Make sure logs are created and monitored. Consider using a security information and event management (SIEM) solution to automate this as much as possible.
Terminate Access at Point of Termination
Terminating an employee? Terminate their access to your systems at the point of termination. It is surprising how often employee access rights are not terminated for days, weeks, or even months after an employee has left the company.
We will cover some more important safeguards to implement to protect against user error in the following 9 SMB cybersecurity threats.
Phishing and Social Engineering Attacks
Phishing is arguably the biggest cybersecurity threat faced by SMBs. Phishing is the use of social engineering techniques to persuade people to divulge sensitive information or take an action such as installing malware or ransomware. This is most commonly achieved via email, but can also occur via text messages, social media websites, or over the telephone.
Do not assume that your employees have common sense and know not to open email attachments from unknown individuals or respond to enticing offers from legal representatives of Nigerian princes. You must train your employees and teach cybersecurity best practices and show them how to identify phishing emails. Refresher training should be provided at regular intervals and you should conduct phishing simulation exercises (which can largely be automated) to find out who has taken the training on board and who is a liability that needs further training.
Employees are the last line of defense. You need a layer of security above your employees to make sure their security awareness training is never required. That means an advanced anti-spam solution needs to be in place to block threats before they reach inboxes. If you use Office 365, you should still implement an antispam solution. A recent study by Avanan revealed 25% of phishing emails bypass Office 365 antispam defenses.
Another layer of protection should also be implemented to protect against phishing: Multi-factor authentication. This is the use of an additional authentication factor that will kick into action if an attempt is made to use credentials from an untrusted device or location. If credentials are compromised in a phishing attack, multi-factor authentication should stop them from being used to gain access to email accounts, computers, or network resources.
Malware and Ransomware
Malware, viruses, ransomware, spyware, Trojans, worms, botnets, and cryptocurrency miners are all serious threats that you must take steps to block. It goes without saying, but we will say it nonetheless: you need to have antivirus software installed on all endpoints and your servers.
Malware can be installed in many ways. As previously mentioned, blocking USB devices is important and spam filtering software with sandboxing will protect you from email-based attacks. Most malware infections now occur via the internet, so a web filtering solution is also important. This will also add an extra layer to your phishing defenses. A web filter will block drive-by malware downloads, prevent employees from visiting malicious sites (including phishing websites), and allow you to enforce your internet usage policies. A DNS filtering solution is the best choice. All filtering takes place in the cloud before any content is downloaded and it will not add to your patching burden.
Shadow IT
Shadow IT – The term given for any hardware or software in use that has not been authorized by your IT department. This could be a portable storage device such as a zip drive, a VPN client to bypass your web filter, an application to help with work tasks, or all manner of other software. It is surprising to find exactly how many of these programs are installed on users’ devices when IT support staff are called upon to sort out a problem!
So, what is the problem? Anything installed without authorization is a potential security and compliance risk. Your security team has no control over patching, and vulnerabilities in those applications could easily go unaddressed for months and give hackers an easy entry point into your network. Fake applications could be downloaded that are really malware, software packages often include a host of potentially unwanted programs and spyware, and any data stored in these applications could be transmitted to unsecure locations. Those applications and data contained therein are also unlikely to be backed up by the IT department. If anything happens, data can easily be lost.
Unpatched Software
The importance of prompt patching cannot be overstated. Vulnerabilities exist in all software solutions. Sooner or later those vulnerabilities will be found, and exploits will be developed to take advantage. Security researchers are constantly looking for flaws that could potentially be exploited by threat actors to gain access to sensitive information, install malware, or remotely execute code. When these flaws are identified and patches are released, they need to be applied promptly. Oftentimes, vulnerabilities are being actively exploited by the time a patch is released. It is essential for these vulnerabilities to be addressed as soon as possible and for all software to be kept up to date.
When software or operating systems are approaching end of life, you must upgrade. When patches stop being issued and software is unsupported, any vulnerabilities will remain unaddressed and can easily be exploited.
Out of Date Hardware
Not all vulnerabilities come from out of date software. The hardware you use can also introduce risks. You must keep an inventory of all your hardware, so nothing slips through the cracks. Firmware updates should be applied as soon as they are made available and you should monitor for any devices that are approaching end of life. If your devices do not support the latest operating systems, then it is time to replace your hardware. This will naturally come at a cost, but so do cyberattacks and data breaches.
Unsecured IoT Devices
The Internet-of-Things offers convenience but IoT devices are a potential liability. IoT devices can send, store or transmit data so they must be secured.
Unfortunately, in the hurry to connect everything to the internet, device manufacturers often overlook security, as do users of these devices. Take security cameras for instance. You may be able to access your cameras remotely, but you may not be the only person who can. If your security cameras are hacked, thieves could see what you have, where it is located, and where and when security is lax. There have been cases of security cameras being hacked due to the failure to change default credentials for remote management.
Ensure you change the default credentials on the devices and use strong passwords. Keep the devices up to date, and if the devices need to connect to the network, make sure they are isolated from other resources. Cybercriminals can also take advantage of flaws in the applications to which these IoT devices connect. They must also be kept up to date.
Man-in-the-Middle Attacks and Public Wi-Fi
A man-in-the-middle (MITM) attack is an attack scenario where communications between two individuals (or one individual and a website or network) are intercepted and potentially altered. An employee may believe they are communicating securely, when everything they are saying or doing is being seen or recorded. An attacker could even control the conversation between two people and be communicating with each separately while both individuals believe they are communicating with each other. This method of attack most commonly occurs through unsecured Wi-Fi hotspots or evil twin hotspots – Fake Wi-Fi hotspots set up in coffee shops, airports, and any other location where free Wi-Fi is offered.
If you have remote workers, you need to take steps to ensure that all communications are kept private. This can be achieved in two main ways: by making sure employees use a secure VPN that encrypts their communications over public or unsecured Wi-Fi networks, and by implementing a DNS filtering solution. The DNS filtering solution provides the same protection for remote workers as it does for on-premises workers and will prevent malware downloads and employees from accessing malicious websites.
Mobile Security Threats
There is no denying the convenience of mobile devices (laptops, tablets, smartphones). They allow workers to be instantly contacted and let them work from any location. Mobile devices improve employee mobility, can lead to greater employee satisfaction, and will help you to boost productivity. However, the devices also introduce new risks. Whether you supply these devices or operate a BYOD policy, you need to implement a range of security controls to ensure those risks are managed.
You need to make sure you know of every device that you allow to connect to the network. A mobile device security solution can help you gain visibility into mobile device use and allow you to control your applications and data.
You should ensure the devices have security controls applied, can only access your network via secure channels (VPN), and are covered by a DNS filtering solution. Any work data stored on the devices needs to be encrypted.
Remote Desktop Protocol
Remote desktop protocol (RDP) allows employees to remotely connect to your computers and servers when they are not in the office and lets your managed service provider quickly sort out your problems and maintain your systems without having to pay a visit. RDP also gives hackers an easy way to gain access to your computers and servers and steal data or install malware. Do you need RDP enabled? If not, disable it. Does it need to be used internally only? Make sure that RDP is not exposed to the internet.
If you do need RDP, then you need to exercise extreme caution. Make sure that users can only connect via a VPN or set firewall rules. Limit the individuals who have permissions to use RDP, ensure strong passwords are set, and that rate limiting is implemented to protect against brute force attacks. Also use multi-factor authentication.
Stolen RDP credentials are often used by hackers to gain access to systems, brute force attempts are often conducted, and vulnerabilities in RDP that have not been patched are frequently exploited. This is one of the main ways that ransomware is installed.
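One way to monitor for the brute force attempts described above is to count failed remote logons per source address and to check whether a successful logon follows them. This is an added example, not part of the original article; the log format is a constructed, simplified export (time, Windows Security event ID, logon type, source IP, account), and the threshold and window are assumptions to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon, 4624 = successful logon.
# Logon type 10 is RemoteInteractive (RDP); with Network Level Authentication
# enabled, failed RDP attempts are commonly recorded as type 3 (Network).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample data (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """\
2019-11-04T02:10:01Z,4625,3,203.0.113.50,administrator
2019-11-04T02:10:09Z,4625,3,203.0.113.50,admin
2019-11-04T02:10:17Z,4625,3,203.0.113.50,svc_backup
2019-11-04T02:10:20Z,4625,2,-,jsmith
2019-11-04T02:10:26Z,4625,3,203.0.113.50,svc_backup
2019-11-04T02:10:31Z,4625,10,198.51.100.7,jsmith
2019-11-04T02:10:35Z,4625,3,203.0.113.50,svc_backup
2019-11-04T02:10:44Z,4625,3,203.0.113.50,svc_backup
2019-11-04T02:10:52Z,4624,10,203.0.113.50,svc_backup
2019-11-04T02:25:40Z,4624,10,198.51.100.7,jsmith
"""


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: details} for sources with >= threshold failed
    remote logons inside a sliding time window."""
    recent = defaultdict(deque)   # source IP -> failure times still inside the window
    tried = defaultdict(set)      # source IP -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, ip, user = line.split(",")
        if int(logon_type) not in REMOTE_LOGON_TYPES:
            continue  # console and service logons are out of scope here
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event_id == "4625":
            tried[ip].add(user)
            failures = recent[ip]
            failures.append(when)
            while when - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    ip, {"peak_failures": 0, "success_after": []})
                alert["peak_failures"] = max(alert["peak_failures"], len(failures))
        elif event_id == "4624" and ip in alerts:
            # A success from a source that was just guessing passwords is
            # the case to escalate: an account may have been taken over.
            alerts[ip]["success_after"].append(user)
    for ip, alert in alerts.items():
        alert["users_tried"] = sorted(tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A source that appears with a non-empty `success_after` list should be treated as a likely compromise and the account's password and sessions reset.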
These are just the top 10 cybersecurity threats faced by SMBs. There are many more risks that need to be identified and mitigated to ensure you are protected. However, by addressing the above issues you will have already made it much harder for hackers and cybercriminals to do your business harm.
TitanHQ is Here to Help!
TitanHQ can assist by providing you with advanced cybersecurity solutions to protect against several of the above listed top 10 cybersecurity threats and the two most commonly used attack vectors – email and web-based attacks. These solutions – SpamTitan and WebTitan – are 100% cloud based, easy to implement and maintain, and will provide superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
Further, these powerful solutions are affordable for SMBs. You are likely to be surprised to find out how little these enterprise-grade security solutions will cost. If you are a managed service provider that services the SMB market, you should also get in touch. SpamTitan and WebTitan have been developed by MSPs for MSPs. There is a host of reasons why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs that service the SMB market!
Contact our friendly (and non-pushy) sales team today to find out more, book a product demo, and register for a free trial.
TitanHQ has announced that a new version of its award-winning cloud-based anti-spam service and anti-spam software has been released. SpamTitan v7.06 incorporates a new RESTapi to allow clients and partners to seamlessly integrate SpamTitan into their own systems.
The new version was released on November 12, 2019 and has automatically been applied to the cloud-based offering. Users of SpamTitan software will have had the latest version downloaded, although they will need to log in to their UI to apply the update.
As part of the regular patching cycle, SpamTitan patches have been released to address reporting engine issues and patches and ISO/OVA images are now available. These have been released for several packages including OpenSSL, OpenSSH, PHP, ClamAV and sudo. The patches must also be applied manually by administrators on their appliance(s).
TitanHQ has had a busy 2019. The company has experienced 30% growth in 2019 and has just had its busiest ever quarter for MSP growth. The growth has been driven by demand from MSPs for easy to use email security and web security solutions to protect their SMB clients from the growing number of cybersecurity threats.
TitanHQ now has more than 2,200 MSP partners using its platform and the strong Q3 growth has continued in Q4 helped by the new “Margin Maker for MSPs” Q4 initiative.
“Implementing the RESTapi and encouraging API adoption are vital steps in our partnership expansion plans,” explained TitanHQ CEO, Ronan Kavanagh. “We have enjoyed a record-breaking growth and the latest enhancements and new features that have been added to SpamTitan will help to ensure growth in 2020 will continue at record levels.”
Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.
In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.
This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.
Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.
The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).
The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.
The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.
The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.
Predator the Thief is an information stealer that can take screenshots and steal email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.
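Because the malware cleans up after itself, the macro stage of the chain described above (a downloaded document launching PowerShell) is a practical place to detect it. The following added example, which is not part of the original article, walks process ancestry to flag script hosts started directly or indirectly by an Office application; the records are constructed, with field names following Sysmon's process-creation event (Event ID 1), and the process lists and depth limit are assumptions.

```python
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
MAX_DEPTH = 4  # how many ancestors to inspect per process (assumed limit)

# Constructed process-creation records, one JSON object per line.
# GUIDs, paths and command lines are placeholders, not captured data.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"{E1}","ParentProcessGuid":"{E0}","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"{W1}","ParentProcessGuid":"{E1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n C:\\Users\\user1\\Downloads\\case-details.doc"}
{"ProcessGuid":"{C1}","ParentProcessGuid":"{W1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c <constructed placeholder>"}
{"ProcessGuid":"{P1}","ParentProcessGuid":"{C1}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe <constructed placeholder>"}
{"ProcessGuid":"{P2}","ParentProcessGuid":"{E1}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
"""


def image_name(event):
    """Lower-cased executable name; ntpath handles backslashes on any OS."""
    return ntpath.basename(event["Image"]).lower()


def office_spawned_scripts(jsonl):
    """Return script-host processes that have an Office app among their ancestors."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for event in events:
        if image_name(event) not in SCRIPT_HOSTS:
            continue
        chain = [image_name(event)]
        current = event
        seen = {event["ProcessGuid"]}  # guards against malformed, cyclic data
        for _ in range(MAX_DEPTH):
            parent = by_guid.get(current["ParentProcessGuid"])
            if parent is None or parent["ProcessGuid"] in seen:
                break
            seen.add(parent["ProcessGuid"])
            chain.append(image_name(parent))
            if chain[-1] in OFFICE_APPS:
                findings.append({"process_guid": event["ProcessGuid"],
                                 "chain": chain[::-1],  # oldest ancestor first
                                 "command_line": event["CommandLine"]})
                break
            current = parent
    return findings


if __name__ == "__main__":
    for finding in office_spawned_scripts(SAMPLE_EVENTS):
        print(" > ".join(finding["chain"]), "|", finding["command_line"])
```

Following ancestry rather than only the direct parent catches the case where the macro starts `cmd.exe` first, while the PowerShell session opened from the desktop is left alone.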
Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
SpamTitan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.
With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.
Q3, 2019 has seen TitanHQ register record-breaking growth in the MSP market with its busiest ever quarter for MSP sales. TitanHQ now has more than 2,200 MSP partners and its cloud-based email security, web security, and email archiving platforms are now used by more than 8,200 businesses around the world.
Many great success stories start from humble beginnings, and TitanHQ is no exception. The company started life as Copperfasten Technologies in 1999 and sold anti-spam appliances to local businesses from its Galway, Ireland base. The company then developed its own cybersecurity solutions, starting with the anti-spam and anti-phishing solution, SpamTitan.
The product portfolio grew to include WebTitan web filtering, a powerful DNS-based web security solution to protect businesses from the full range of internet threats. That was followed by the launch of ArcTitan, a cloud-based email archiving solution for businesses that eases their email storage and compliance burden.
That trio of core TitanHQ products has proven to be a massive hit with managed service providers, although not by accident. Many companies have developed innovative solutions for SMBs but have only realized the importance of the MSP market later on. Additional features are then added to appeal to MSPs. TitanHQ took a different approach. Its solutions were developed by MSPs for MSPs and MSPs were considered at every stage of product development. The result is a suite of security solutions tailor-made for MSPs.
This approach, along with cutting-edge technology and industry-leading customer support, has seen the company go from strength to strength and become the gold standard in email and web security and the leading global provider of cloud-based security solutions for MSPs servicing the SMB market.
Phishing attacks on businesses are soaring, new malware variants are being released at record levels, and the current ransomware epidemic is threatening to derail businesses. Many SMBs lack the internal resources to block these threats and turn to MSPs to provide the security they need.
To cope with the increased demand, MSPs need solutions with 100% cloud-based architecture that seamlessly integrate into their existing centralized management systems and are easy to implement, use, and maintain. Ideally, those solutions need to be flexible, have a range of hosting options, be available in white-label form to take MSP branding, and also include generous margins. That is a big ask, and many solutions only tick a few of those boxes. However, TitanHQ’s suite of solutions includes all those features and more.
TitanHQ also offers extensive sales enablement and marketing support, world-class customer service, and each MSP has a dedicated account manager, engineers, and a support team to help them maximize their sales opportunities and really grow their businesses.
As part of the celebration of the Q3, 2019 MSP growth, TitanHQ has launched a new initiative to ensure Q4 will be an even bigger success.
On October 22, TitanHQ announced a new disruptive price package for a SpamTitan Email Security and WebTitan DNS filtering bundle at an exclusive once-in-a-lifetime price. The initiative has been called Margin Maker for MSPs and is intended to ensure MSPs build profitability instantly in Q4, 2019.
The two solutions are provided in two private clouds, customized to meet MSPs’ email and web security needs, and secure the most common attack vectors – email and the web. The package includes advanced protection for email, including Office 365 environments, complemented by WebTitan DNS filtering to block web-based threats and implement content control for on-premises and remote workers. These solutions are naturally provided with extensive sales enablement and marketing support.
The aim is to make TitanHQ’s email and web security platforms even more appealing to MSPs and to encourage MSPs to offer both SpamTitan email security and WebTitan web filtering to their clients and maximize revenues.
One MSP that is already boosting its profits and achieving increased, reliable recurring monthly revenues is UK-based OpalIT. The MSP has bases in Newcastle and Edinburgh and a 6,000+ customer base. Prior to joining the TitanShield program, OpalIT was offering its clients firewall filtering and email filtering with Barracuda and Vade. The company has now switched to TitanHQ’s cybersecurity bundle and is pushing SpamTitan Email Security, WebTitan DNS filtering, and ArcTitan email archiving to its clients and is reaping the rewards.
“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployments, extensive APIs functionality and the increased margin they’re now making. Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach” said Rocco Donnino, EVP Strategic Alliances, TitanHQ.
If you are a managed service provider, now is the perfect time to sign up with TitanHQ. Come and meet the TitanHQ channel team at the following MSP events to find out more about the TitanShield program for MSPs, OEMs, and service providers, and take advantage of the amazing new MSP package.
If you are unable to attend any of these events, be sure to give the TitanHQ team a call to find out more and take advantage of this exciting new and exclusive offer.
A new Stripe phishing campaign has been detected that uses fake warnings advising users about an invalid account to lure people into divulging their credentials and bank account information.
Stripe is an online payment processor used by many online firms on their e-commerce websites to accept payments from their customers. As such, the company is perfect for spoofing as many people will be aware that the company processes payments and will think it reasonable that they need to provide credentials and bank account information to ensure payments are processed.
The scam starts with a phishing email supposedly from the Stripe Support department. The email advises the customer that the information associated with their account is currently invalid. The message is sent as a courtesy notice warning the user that their account will be placed on hold until the matter is corrected. The user is asked to review their details to correct the issue. A button is included in the email for users to click to do this.
The emails contain spelling mistakes and questionable grammar, so are likely to be identified as suspect by vigilant individuals. Security awareness training often teaches employees to hover their mouse arrow over a hyperlink to find out the true URL, but in this campaign it will not work. The attackers have added a title to the HTML tag of the embedded hyperlink so when the mouse arrow is hovered over the “Review your Details” button, that text will be displayed instead of the URL.
If that button is clicked, the user will be directed to a seemingly legitimate Stripe login page. The login box is a clone of the real login page and a series of boxes will be displayed, each requiring different information to be entered, including bank account and contact information.
When the user is required to enter their password, regardless of what is typed, the user will be advised that they have entered an incorrect password and will be asked to enter the password again. The user is then directed to the legitimate Stripe login page to make it appear they have been on the correct Stripe website all along.
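Since the title attribute defeats the hover check in this campaign, the link target has to be read from the HTML itself. The following added example, which is not part of the original article, audits the anchors in an HTML email body and flags links whose tooltip hides the destination, whose host is not one the sender is expected to use, or whose visible text is a different URL (the last check goes beyond the case described above). The sample body, the placeholder hosts and the expected-domain list are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: hosts under .example are placeholders, not real indicators.
SAMPLE_HTML = """
<p>Your account information is currently invalid.</p>
<a href="https://billing-review.example/session" title="Review your Details">
  <span class="btn">Review your Details</span></a>
<a href="http://pay.example/x">https://dashboard.stripe.com/login</a>
<a href="https://stripe.com/docs">Documentation</a>
"""

URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Record href, title and visible text for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = dict(attrs)
            self.current = {"href": attr.get("href") or "",
                            "title": attr.get("title"), "text": ""}

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.current is not None:
            self.current["text"] = " ".join(self.current["text"].split())
            self.anchors.append(self.current)
            self.current = None


def host_of(url):
    """Lower-cased hostname; accepts scheme-less text such as www.example.com."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html, expected_domains):
    """Return a finding for each web link that shows a sign of link masking."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for a in collector.anchors:
        if urlsplit(a["href"]).scheme not in ("http", "https"):
            continue
        host = host_of(a["href"])
        reasons = []
        title = (a["title"] or "").strip()
        # The tooltip shows the title text on hover, so a title that does
        # not name the real host hides where the link goes (weak on its own).
        if title and host not in title.lower():
            reasons.append("title_masks_hover")
        if not in_domains(host, expected_domains):
            reasons.append("unexpected_host")
        # Visible text that is itself a URL but points somewhere else.
        if URL_LIKE.match(a["text"]) and host_of(a["text"]) != host:
            reasons.append("text_url_mismatch")
        if reasons:
            findings.append({"href": a["href"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, ("stripe.com",)):
        print(finding["host"], finding["reasons"])
```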
Similar tactics are used in countless other phishing campaigns targeting other well-known companies. The presence of spelling mistakes and grammatical errors in messages should tip off end users that the email is a phishing attempt, but all too often end users fail to notice these errors and click and divulge sensitive information.
One issue is a lack of cybersecurity training in the workplace. If employees are not trained how to identify phishing emails, it is inevitable that some will end up falling for these scams and will divulge their credentials. Those credentials can be used to gain access to bank accounts or email accounts, with the latter often used to conduct further phishing attacks on the organization. One email account breach can easily lead to dozens of breached accounts.
For example, a phishing attack on a U.S. healthcare provider started with a single phishing email and led to 73 email accounts being compromised. As for cybersecurity awareness training, this is often nonexistent. One recent study on 2,000 employees in the United Kingdom revealed three quarters had received no workplace cybersecurity training whatsoever.
Protected by Microsoft Office 365 Anti-Phishing Controls? Are You Sure?
One in every 99 emails is a phishing email, so it is important to ensure your defenses are capable of blocking those messages. Many businesses mistakenly believe they are protected against these emails by Microsoft’s Office 365 anti-phishing controls. While those measures do block spam email and some phishing messages, one recent study by Avanan has shown 25% of phishing attacks sneak past Office 365 defenses and are delivered to inboxes. For an average firm that means several phishing emails will reach end users’ inboxes every day. To ensure your business is protected against phishing attacks, additional anti-phishing controls are required on top of Office 365.
Businesses can protect their Office 365 accounts against phishing by layering SpamTitan on top of Office 365. SpamTitan is an advanced anti-phishing and anti-malware solution that provides superior protection against phishing, malware, spear phishing, and zero-day attacks.
Heuristics rules are used to analyze message headers and these rules are constantly updated to include the latest threats. Bayesian analysis and heuristics are used to check message content, and along with machine learning techniques, new threats are blocked and prevented from reaching inboxes. Sandboxing is also used to assess email attachments for malicious code used to install malware in addition to dual-AV engines that scan for known malware.
These advanced measures ensure that Office 365 inboxes are kept free from malware and phishing emails. These advanced capabilities along with the ease of implementation and use and industry-leading customer support are why SpamTitan is the leading provider of anti-spam and anti-phishing solutions for SMBs and managed service providers that serve the SMB market.
For further information on SpamTitan, to book a product demonstration or set up a free trial, contact the TitanHQ team today.
IT Nation Connect 2019, the ConnectWise conference for the IT professional community, will be taking place on October 30, 31, and November 1 at the Hyatt Regency in Orlando, Florida.
The event is the leading conference for companies that sell, support, and service technology and is focused on helping attendees build a strong business and achieve long-term success. Attendees will gain practical advice from experts in the IT Nation community and will have the opportunity to build meaningful business connections and learn how to work on their businesses.
This year’s topics for the session tracks are mergers & acquisitions, growth & scalability, talent development & leadership, service delivery & customer success, sales & marketing, and security.
Security is a key focus of IT Nation Connect 2019. The event will provide opportunities to discover how security frameworks and IT solutions can help you bulletproof your business and protect your clients’ networks from cyberattacks. Attendees will also gain deep insights into the current state of security in the MSP space.
Leading security experts will be discussing the steps that the government is taking to combat cyber threats, the lessons the government and private firms have learned, and how security experts see the threat landscape evolving over the coming year.
Founders and CEOs of the most successful MSPs and IT firms will explain what it is like to be a trailblazer, how they achieved their successes, the mistakes they made on the way, and what the future holds for the IT Nation community.
More than 80 thought leaders, ConnectWise partners, and ConnectWise colleagues will be taking over 130 educational, networking and panel sessions and will be sharing success stories, best practices, and the lessons they have learned to help attendees succeed and grow their businesses.
The conference offers an exceptional opportunity for learning, networking, and discovering technology solutions that can save you time, money, and boost the profitability of your business. Such an important event for the IT community is not to be missed.
TitanHQ will be attending the event to explain why TitanHQ is the global leader in cloud-based email and web security solutions for MSPs servicing the SMB market, the advantages of doing business with TitanHQ, and how TitanHQ solutions can help you better protect your environment and those of your clients from increasingly sophisticated cyber threats.
TitanHQ Marketing Director Dryden Geary, Sales Director Conor Madden, and Inside Sales Executive Peter Cooke will explain the benefits of the TitanShield program for MSPs, OEMs, technology partners, and Wi-Fi providers and show you just how easy it is to incorporate SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving into your security stacks.
If you are attending the event, be sure to make time to meet with TitanHQ and feel free to reach out in advance of the event if you have any questions.
The 2019 Canalys Cybersecurity Forum will be taking place in Barcelona on October 16-17, 2019. The event is the only independent conference dedicated to the cybersecurity channel and is one of the most important events of the year for managed service providers (MSPs).
The event provides an incredible opportunity for MSPs looking to enhance their security stacks, provide greater value, and better protect their clients from increasingly sophisticated security threats. Attendees will have the opportunity to have 1:1 meetings with more than 700 established and new partners and discover best practices to adopt to get the most out of their cybersecurity solutions.
The event is also a must for MSPs who have yet to start offering managed security services as it will allow them to form new partnerships with Europe’s best cybersecurity solution partners who will help them grow their businesses significantly over the coming year.
Leading cybersecurity vendors will be taking thought-crunching sessions and sharing their knowledge to help partners succeed. Attendees will be able to engage in intense debates and interact with some of the brightest minds in the field of cybersecurity. Questions can be posed in multi-vendor theatre panels to get the answers from the leading cybersecurity solution providers in the EMEA region.
Highlights of this year’s event include panels, theatre and keynotes exploring the re-imaging of the idea of solutions, generalist vs. specialist in the cybersecurity channel, the next catalyst that will drive security sales, and how the role of the CSO is evolving in the hybrid IT world.
Canalys analysts will also be providing keynote speeches and sharing their insights into the current threat landscape and some of the burning issues of the moment. The event will also see Canalys name the new Threat Fighter and MSSP winners in the Canalys Channel Partner Awards.
The event provides an amazing opportunity for networking with more than 200 channel partner delegates in attendance. New alliances can be formed and along with the knowledge gained, attendees will be able to make important decisions that will have a major positive impact on growth for the coming year.
TitanHQ is a proud sponsor of the 2019 Canalys Cybersecurity Forum and the team will be on hand to answer questions and explain why TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market.
At the event you will be able to discover the considerable benefits of using SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving to solve your clients’ security issues, better protect them from cybersecurity threats, and help them achieve their compliance objectives… and how easy TitanHQ makes this for MSPs.
TitanHQ Sales Director Conor Madden will be a panelist at the event and will be answering questions from attendees on email security, web security, email archiving and how to get the most out of TitanHQ’s cybersecurity solutions for MSPs and SMBs.
Marc Ludden, TitanHQ’s Strategic Alliance Manager, will also be attending and meeting with enterprise-level clients and major MSPs and ISPs to help them push TitanHQ products downstream to their customers, grow their businesses, and improve their bottom lines.
You can find out more about this once-a-year opportunity here – Canalys Cybersecurity Forum 2019 – and feel free to reach out to TitanHQ in advance of the event.
If you are unable to attend this year’s Canalys event, TitanHQ will be on the road throughout October and November. Be sure to connect at one of the other fall 2019 events below:
If you are looking for a Cisco Umbrella alternative, you are not alone. TitanHQ has helped multiple businesses change from Cisco Umbrella to WebTitan Cloud. In most cases, the main reason why businesses seek a Cisco Umbrella alternative is to save money; but – depending on which Cisco Umbrella plan you subscribe to – WebTitan Cloud can also help better protect your business against web-borne threats and give you more control over Internet usage.
One of the challenges of evaluating a Cisco Umbrella alternative is that there are four versions of Cisco Umbrella – ranging in capabilities from a basic (and not entirely effective) web filter to a top-of-the-range Secure Access Service Edge (SASE) solution. This makes it difficult to conduct apples-to-apples comparisons, especially with regard to price, due to a lack of pricing transparency with both the licensing costs and the add-ons – some of which are necessary and one of which is mandatory.
Cisco Umbrella Review
The four versions of Cisco Umbrella are DNS Essentials, DNS Advantage, SIG Essentials, and SIG Advantage; and because the versions increase in capabilities as you go through the range, we have provided a synopsis of each version's capabilities below.
DNS Essentials
DNS Essentials is the entry-level version of Cisco Umbrella. It blocks websites known to be harboring malware or used to conduct phishing attacks, blocks or allows Internet access by domain or category, and enables system administrators to create user policies and view activity reports – albeit at an additional cost if you integrate DNS Essentials with (for example) Active Directory.
The big problem with the DNS version of Cisco Umbrella is that it does not decrypt and inspect the content of encrypted websites. Therefore, if a website is not yet known to be harboring malware – or contains adult content that would normally be blocked by category – the filter will not be able to identify the content and the website will evade detection as a malicious or harmful website.
DNS Advantage
This version of Cisco Umbrella is more advanced than the entry-level version inasmuch as it supports SSL decryption and inspection and will block websites and files based on anti-virus inspection. It also blocks direct-to-IP traffic such as command and control callbacks that bypass DNS filters and can be integrated with the Cisco Investigate console to analyze threats (at an additional cost).
However, like the DNS Essentials version, DNS Advantage only blocks websites by domain, rather than by URL. This can create issues if, for example, you want to prevent users wasting time reading the sports pages of an online newspaper but want to give the finance team access to the online newspaper's money pages. The same limitation applies to “allow” lists. It's either all or nothing.
SIG Essentials
The first of two Secure Internet Gateway (SIG) packages improves on the DNS packages by providing more granularity over Internet usage. This version also comes with a cloud firewall that can be configured to block or allow specific IPs, ports, and protocols, while the anti-virus engine can be configured to scan previously benign files to check for previously disguised threats.
The drawback of this solution is that it is not a complete Secure Internet Gateway solution without subscribing to multiple add-ons (for example, outbound traffic scans) or overcoming limitations on services such as cloud storage scans. It is also important to be aware there is a mandatory charge for onboarding (applies to all versions) and an extra charge for priority technical support.
SIG Advantage
SIG Advantage has been acknowledged as a leading SASE solution by Gartner's Magic Quadrant and this version of Cisco Umbrella includes almost everything that is an add-on in other versions (except onboarding and technical support). Furthermore, you can enhance the capabilities of the SASE solution by taking advantage of Cisco Talos Incident Response (at a cost).
If there is an issue with this version, it is that it includes many features and capabilities that may exist in other security solutions already being used by the business (e.g., Microsoft Sentinel, Amazon Security Lake, etc.). Additionally, if the business does not have the technical abilities in-house to take advantage of all the capabilities, you won't see a good ROI from SIG Advantage.
Cisco Umbrella Licensing
Each of the versions has a subscription-based licensing structure – the price of which varies according to the number of users, the length of the subscription, and the location of the business. The cost of add-ons is also calculated in the same way, offering economies of scale to larger companies in the “right” area who subscribe for the maximum five years.
Generally, the cost of Cisco Umbrella licensing has to be paid all-upfront, although some resellers allow monthly, quarterly, or annual payments. Additionally, while you might be able to get a better deal from resellers, you have to be sure that the deal you are getting includes all the add-ons you require to filter the Internet securely and effectively.
How Much Does Cisco Umbrella Cost?
Because there are four different versions of Cisco Umbrella, multiple add-ons, and a lack of pricing transparency, it is impossible to answer the question of how much Cisco Umbrella costs. Some resellers advertise the DNS Essentials version with prices starting from $1.50 per user per month (for > 25,000 users/5-year subscription), but it is not possible to determine what this price includes.
Anecdotal evidence suggests the cost of the DNS Advantage version including mandatory onboarding and technical support is $2.70 per user per month for a business with 100 to 499 users. Even if other add-ons are included in the price, this still seems a little high compared with a Cisco Umbrella alternative such as WebTitan, for which the equivalent cost per user per month is $1.58.
Is Cisco Umbrella Pricing Negotiable?
Although few businesses reveal how much they are paying for Cisco Umbrella, there does appear to be a range of prices published in user forums and comment boxes that imply you can get a discount off Cisco Umbrella pricing if you negotiate hard enough. What's not clear is whether any discount off Cisco Umbrella pricing is from Cisco directly or from resellers.
Going through resellers is probably the best way to go if you are looking to protect a large number of users because resellers have profit margins they will likely be prepared to trim to get the business. Additionally, you can also play one reseller against another. However, beware of “introductory offers”, as the price will increase significantly when the time comes to renew the subscription.
Can the Cisco Umbrella Price be Justified?
It depends on what your business needs. If, for example, you compare the anecdotal price of the DNS Advantage version against a Cisco Umbrella alternative such as WebTitan, you could save around 40% by switching to WebTitan. Even if you negotiate a deal for DNS Advantage, the version of Cisco Umbrella you get is still going to lack granular filtering to effectively control Internet usage.
However, if your business needs all the bells and whistles of the SIG Advantage version of Cisco Umbrella – and none of the SASE solution's capabilities are duplicated in existing security solutions – you may feel the Cisco Umbrella price is justified. However, we would strongly suggest researching what else is available before committing to a long-term subscription.
WebTitan Cloud: An Ideal Cisco Umbrella Alternative
Cost is not the only consideration when looking for a Cisco Umbrella alternative – you need to be sure that your DNS filtering and Internet security solution is providing you with maximum protection against web-borne threats and maximum control over Internet usage. You can be assured of both with WebTitan Cloud.
For example, rather than updating threat databases retrospectively as some solutions do, WebTitan Cloud's threat database is updated in “real-time” to mitigate the risk of emerging threats evading detection. Additionally, WebTitan Cloud includes “Zero-Minute” protection against emerging phishing threats.
With regards to maximum control over Internet usage, WebTitan Cloud allows system administrators to apply acceptable usage policies by user, group, department, or location. Policies can also be applied by time of day, or – for schools – by school year to ensure students only have access to age-appropriate content.
Finally, WebTitan Cloud has been developed to be easy to implement, configure, use, and maintain. We aim for minimal administrative overhead, but there will naturally be times when things don’t go according to plan. In the event of a problem, all customers benefit from world class support at no extra cost (and in no priority order).
WebTitan Cloud Benefits for MSPs
One of the features of WebTitan Cloud that is particularly attractive to MSPs is the ability to host the solution locally within their own environment. Most businesses will choose to host WebTitan Cloud with TitanHQ, but the option is available if this suits you better. MSPs can also be supplied with WebTitan Cloud in white label format for rebranding and reselling.
Transparent pricing – including monthly billing
Multiple hosting options, including within your own data center
Product can be supplied in white label format for rebranding
No monthly minimums or yearly commitments
The product can scale to meet your needs (and shrink too if needed)
Extensive suite of customizable reports
Easy integration into existing security and customer management systems
World-class customer support included in the cost
Generous margins for MSPs
Access to an extensive library of support materials
Book a Free Web Filtering Demo to Find Out More
If you have any questions about WebTitan Cloud, would like information on how you can switch from Cisco Umbrella, or would like a product demonstration, complete the form below and one of the WebTitan team will be in touch to organize a convenient time for your free no-obligation demo.
The demo will not only show how easy it is to set up WebTitan Cloud, but how effective it is at blocking web-borne threats and helping your business control Internet usage. The opportunity also exists to take advantage of a free trial of WebTitan Cloud to evaluate its potential as a Cisco Umbrella alternative in your own environment.
The collapse of the package holiday operator Thomas Cook left thousands of holidaymakers stranded, hundreds of thousands of holiday bookings have been cancelled, and more than 9,000 staff have lost their jobs. The company and other UK firms in its group have been forced into compulsory liquidation and cybercriminals have been quick to take advantage. Dozens of Thomas Cook-related domains were registered following the collapse of the firm and several Thomas Cook phishing scams have been detected.
Customers who have incurred out-of-pocket expenses as a result of the collapse of the company and anyone who has paid for a package holiday that has been cancelled may be entitled to a refund or compensation. That has given scammers the perfect opportunity to launch phishing attacks seeking bank account and credit card information.
Customers who have booked Thomas Cook holidays are protected under the ATOL scheme and refunds are being processed by the Civil Aviation Authority, which has set up a subdomain on its website – thomascook.caa.co.uk – where customers can submit claims for refunds. More than 360,000 holidays have been booked for more than 800,000 holidaymakers, who are entitled to refunds. More than 60,000 customers submitted refund forms on the first day that the website was set up and claims for out-of-pocket expenses are being processed by travel insurance firms. The CAA has stated that it will take 60 days for the refunds to be issued.
Anyone who has yet to submit their claim should exercise caution as there are multiple phishing scams being conducted offering money back on canceled holidays, reimbursement of out-of-pocket expenses, compensation, and fake updates on the status of refund claims. Any email received in relation to Thomas Cook should be treated as a potential scam.
Scams may be conducted with the aim of spreading malware or ransomware. Malicious code is contained in file attachments that trigger a malware download when the attachment is opened. However, far more common in situations when people are demanding refunds is to send phishing emails containing hyperlinks to malicious websites. Those websites require sensitive information such as credit card information and bank account details to be entered. Scammers are well aware that in order for refunds to be processed, bank account information would be required and phishing forms have been set up on fake Thomas Cook domains to do just that.
While there may be some giveaways that emails are not genuine – spelling mistakes and grammatical errors – some Thomas Cook phishing scams are virtually impossible to distinguish from genuine communications. Banks have also been notifying customers by email, which has presented scammers with even more opportunities to hoodwink Thomas Cook customers. There have also been reports of former employees being targeted by scammers offering compensation.
The golden rule to avoid becoming a victim of Thomas Cook phishing scams is never to respond to a request in an unsolicited email. Attachments should not be opened, hyperlinks in emails should not be followed, and contact information included in the message body should not be used. Only use official channels such as the CAA website, and contact banks and travel insurance firms directly using verified contact information.
The cost of a ransomware attack can be considerable. Several attacks in the United States have seen payments of hundreds of thousands of dollars made for the keys to unlock the encryption. While those payments are certainly high, they are a fraction of the total cost of a ransomware attack, which is usually several times the cost of any ransom payment.
Recovery without paying a ransom can cost considerably more. The ransomware attack on the city of Baltimore saw a ransom demand of around $76,000 issued. Baltimore refused to pay. The attack is estimated to have cost the city at least $18.2 million.
The cost of that ransomware attack is high, but nowhere near the cost of a suspected September 2019 ransomware attack on the Danish hearing aid manufacturer Demant. The firm experienced the attack on or around September 3, 2019. One month on and the firm still hasn’t recovered. In a recent message to its investors, the firm said the cyberattack would cost an estimated $80 million to $95 million, even though the company held a cyber insurance policy. Without that policy the bill would have been $14.6 million higher.
According to a notice on the firm’s website, it experienced “a critical incident” when its “IT infrastructure was hit by cyber-crime.” Ransomware was not mentioned by the firm although it has been reported as a ransomware attack by the Danish media.
The attack impacted its Polish production and distribution facilities, French cochlear implants production sites, Mexican production and service sites, its amplifier production site in Denmark, its entire Asia-Pacific network, and its enterprise resource planning (ERP) system.
The firm is recovering its IT infrastructure and believes it will take a further two weeks for systems to be restored and business operations to approach normality. However, the effects of the attack are expected to be long-lasting.
The inability to access its systems across all these areas has caused major disruption to the company. The firm has been unable to supply its products, receive and process orders, and clinics in its network have had difficulty servicing end users.
Due to the limited information released, it is unclear whether the company refused to pay a ransom, if the attackers could not supply valid keys to unlock the encryption, or if this was a sabotage attack akin to the NotPetya wiper malware attacks of 2017.
If this was a ransomware attack, the losses far exceed those of the Norwegian aluminum and energy company Norsk Hydro, whose ransomware attack cost the firm around $70 million, although it is a fraction of the cost of the NotPetya attacks on the shipping firm Maersk and FedEx, both of which caused losses of around $300 million.
These incidents all demonstrate just how damaging cyberattacks can be and the massive costs of recovery. As is typical, the cost of recovering its IT systems accounted for a small proportion of the total cost – around $7.3 million. The bulk of the losses were due to lost sales and the inability to process orders, which the company says make up around half of the estimated losses.
In a press release, the firm said in addition to the lost sales, “the incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market.”
Malware, ransomware and wiper malware are most commonly delivered via a small number of attack vectors. All too often they start with a phishing email, exploitation of RDP, drive-by malware download, or the exploitation of unpatched vulnerabilities. The cost of preventative measures to block these attack vectors is pocket change by comparison to the cost of recovery from an attack.
TitanHQ cannot help businesses with securing RDP and patching promptly, but we can help businesses secure the email system and protect against drive-by malware downloads and other web-based attacks.
To find out more about how you can improve security against email- and web-based attacks, from a cost of as little as 90 cents per user per month, give our sales team a call.
The sales team will be happy to explain the ins and outs of our web and email security solutions, schedule product demonstrations, and help set you up for a free trial of our SpamTitan email security and WebTitan web security solutions and greatly improve your defenses against phishing, ransomware, malware, and wiper attacks.
The Emotet botnet sprang back to life following a 4-month period of dormancy over the summer. The first campaigns, which involved hundreds of thousands of messages, used lures such as fake invoices, payment remittance advice notices, and statements to lure recipients into opening a malicious Word document, enabling content, and inadvertently launching a string of actions that result in the downloading of Emotet, one of the most dangerous malware variants currently being distributed via email.
It has only been a few days since those campaigns were detected, but now a new campaign has been detected. The latest malspam campaign also delivers Emotet but this time the lure is a free copy of Edward Snowden’s book – Permanent Record. The book is an account of Edward Snowden’s life that led up to his whistleblowing actions in 2013.
The campaign includes English, Italian, Spanish, and German language versions which claim to offer a free scanned copy of the former CIA staffer’s book. The English language version of the book is being distributed via email, so the attackers claim, because it is “Time to organize collective readings of Snowden book everywhere.” The email tells the recipient to “Go buy the book now, read it, share it, discuss it,” but conveniently a scanned copy is attached called Scan.doc.
As with the previous campaign, opening the attachment will display a Microsoft Product Notice – with appropriate logo – informing the user that Word has not been activated. The user is required to enable content to continue using Word and view the content of the document. At this point, all it takes is a single click to silently install Emotet. Once installed, Emotet will download other malware variants, including the TrickBot Trojan. Emotet is also being used to distribute ransomware payloads.
While the lures in the Emotet campaigns are regularly changed, they have all used malicious scripts in Word documents which download Emotet. The emails may be sent from unknown individuals or email addresses may be spoofed to make the emails appear to have come from a contact or work colleague.
The lures are convincing and are likely to fool many end users into opening the attachments and enabling content. For businesses, that can lead to a costly malware infection, theft of credentials, fraudulent bank transfers, and ransomware attacks.
Businesses can reduce risk by ensuring employees are told never to open email attachments in unsolicited emails from unknown senders, but also to verify the authenticity of any email attachment by phone before taking any action. It is also important to condition employees never to enable content in any document sent via email.
While end user security awareness training is essential, advanced anti-malware solutions are also required to prevent those messages from ever reaching inboxes.
SpamTitan includes DMARC authentication to block email impersonation phishing attacks and a Bitdefender-powered sandbox where suspicious email attachments can be safely executed and studied for malicious actions.
Along with a wide range of other content checks, including Bayesian analysis and greylisting, emails such as these can be blocked and prevented from being delivered to end users.
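The header and attachment checks discussed in this article can be combined into a simple triage step. The following is an added example, not SpamTitan's implementation or code from the original article; the `mx.corp.example` authserv-id, the brand list, and all sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: the receiving organisation's own MTA
BRAND_DOMAINS = {"example bank": {"examplebank.example"}}  # constructed brand list
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")


def dmarc_result(msg):
    """DMARC verdict taken only from Authentication-Results stamped by our own MTA."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # any upstream sender can forge this header; ignore foreign ones
        match = re.search(r"\bdmarc=([a-z]+)", results, re.I)
        if match:
            return match.group(1).lower()
    return None


def triage(raw):
    """Return the reasons a message should be held for sandboxing or review."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        reasons.append("no parsable From address")
    else:
        sender = from_header.addresses[0]
        domain = sender.domain.lower()
        # Display-name impersonation: a known brand name on an unrelated domain.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in sender.display_name.lower() and domain not in domains:
                reasons.append(f"display name claims '{brand}' but domain is {domain}")
    verdict = dmarc_result(msg)
    if verdict != "pass":
        reasons.append(f"dmarc={verdict or 'missing'}")
    # Word attachments are the delivery vehicle described above; route them to a sandbox.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(WORD_EXTENSIONS):
            reasons.append(f"word attachment: {filename}")
    return reasons


def build(sender, auth, attachment=None):
    """Construct a sample message (all content here is made up for the example)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "constructed sample"
    msg["Authentication-Results"] = auth
    msg.set_content("constructed body")
    if attachment:
        msg.add_attachment(b"constructed bytes, not a real document",
                           maintype="application", subtype="msword",
                           filename=attachment)
    return msg.as_bytes()


SAMPLES = {
    # Brand name in the display name, free-mail style domain that itself passes DMARC.
    "display_name_spoof": build('"Example Bank" <refunds@freemail.example>',
                                "mx.corp.example; dmarc=pass header.from=freemail.example"),
    # Exact-domain spoof: DMARC fails, Word attachment present.
    "domain_spoof": build("Accounts <accounts@partner.example>",
                          "mx.corp.example; dmarc=fail header.from=partner.example",
                          "Scan.doc"),
    # Hijacked real account: DMARC passes, so only the attachment check fires.
    "hijacked_account": build("Colleague <colleague@partner.example>",
                              "mx.corp.example; dmarc=pass header.from=partner.example",
                              "Scan.doc"),
    # Header added by someone else's server must not be trusted.
    "forged_auth_header": build("Sender <sender@other.example>",
                                "mx.attacker.example; dmarc=pass header.from=other.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

DMARC passes for both the display-name spoof and the hijacked account, which is why the sender check and the attachment check run alongside it rather than after it.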
The dangers of ransomware attacks have been made abundantly clear to more than 5,000 patients in California whose medical records have been permanently lost as a result of a ransomware attack on their healthcare provider.
Simi Valley, CA-based Wood Ranch Medical experienced the attack on August 10, 2019 which saw ransomware deployed and executed on its servers which contained the medical records of 5,835 patients. The attack caused permanent damage to computer systems, and since backup copies of patient records were also encrypted, those records have been permanently lost. It is unclear how much the attackers demanded as payment for the keys and whether those keys would have worked had the ransom been paid.
Without patient records and faced with the prospect of having to totally rebuild the medical practice from scratch, the decision was taken to permanently close the business. Patients have been forced to find alternative healthcare providers and no longer have access to their medical records.
This is the second healthcare provider in the United States that has been forced out of business due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek, Michigan also closed its practice this year as a result of a ransomware attack. In that case, the practice owners refused to pay the ransom demand and patient records were permanently encrypted. The practice owners decided it was not possible to rebuild the practice from scratch and announced their early retirement.
It is unclear exactly how the ransomware was installed in each of these incidents, so it is not possible to determine what defenses could have been improved to prevent the attacks. However, in both cases, recovery of files from backups was not possible.
The purpose of a backup is to ensure that in the event of disaster, data will be recoverable. File recovery may be time consuming and downtime due to the attack likely to be expensive, but data will not be permanently lost.
In order to ensure file recovery is possible, backups must be tested. Files may be corrupted during the backup process and data restoration may not be possible. If backups are not tested to make sure files can be recovered, it will not be possible to guarantee file recovery in the event of disaster.
These incidents also highlight another fundamental rule of backing up. NEVER store the only copy of a backup on a networked or internet-connected computer.
In the event of a ransomware attack, it is highly likely that backup copies on networked devices will be encrypted along with shadow volume copies. Ransomware encrypts these files to make sure the only way of recovering data is paying the ransom.
Even paying a ransom comes with no guarantee that data will be recoverable. Files may be corrupted through the encryption/decryption process – some data loss is inevitable – and the attackers may not be able to supply valid keys to decrypt files.
A good backup approach to adopt to prevent disasters such as these is a 3-2-1 strategy. 3 backups should be created, which should be stored on 2 different media, with 1 copy stored securely off site on a device that is not networked or connected to the internet.
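The two rules above, test that backups restore and keep a 3-2-1 layout, can both be checked automatically. This is an added example, not code from the original article; the `BackupCopy` fields, the inventory entries, and the sample records are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str               # e.g. "disk", "tape", "object-storage"
    offsite: bool
    network_reachable: bool  # reachable from the production network or internet


def check_3_2_1(copies):
    """Return the ways a backup inventory falls short of the 3-2-1 rule."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} backup copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies are on one media type, need 2")
    if not any(c.offsite and not c.network_reachable for c in copies):
        problems.append("no off-site copy that is disconnected from the network")
    return problems


def sha256_stream(fh):
    digest = hashlib.sha256()
    for chunk in iter(lambda: fh.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every file under root; record this at the time the backup is taken."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                manifest[path.relative_to(root).as_posix()] = sha256_stream(fh)
    return manifest


def write_backup(root, archive):
    with tarfile.open(archive, "w") as tar:
        for name in build_manifest(root):
            tar.add(Path(root) / name, arcname=name)


def verify_backup(archive, manifest):
    """Read every file back out of the archive and compare it with the manifest."""
    restored = {}
    try:
        with tarfile.open(archive, "r:*") as tar:
            for member in tar:
                if member.isfile():
                    with tar.extractfile(member) as fh:
                        restored[member.name] = sha256_stream(fh)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"archive unreadable: {exc}"]
    problems = [f"missing: {n}" for n in manifest if n not in restored]
    problems += [f"corrupt: {n}" for n in manifest
                 if n in restored and restored[n] != manifest[n]]
    return problems


def demo():
    """Run the restore test on a good and a silently corrupted archive."""
    record = b"constructed patient record 0001\n"  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "patient-0001.txt").write_bytes(record)
        (src / "index.txt").write_bytes(b"constructed index\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "backup.tar"
        write_backup(src, good)

        # Simulate corruption during the backup process: flip one byte of file data.
        data = bytearray(good.read_bytes())
        data[data.index(record)] ^= 0xFF
        bad = Path(tmp) / "backup-corrupt.tar"
        bad.write_bytes(bytes(data))

        return {"good": verify_backup(good, manifest),
                "bad": verify_backup(bad, manifest)}


# Constructed inventories: a single networked copy versus a 3-2-1 layout.
NETWORKED_ONLY = [BackupCopy("nas-share", "disk", False, True)]
THREE_TWO_ONE = [
    BackupCopy("nas-share", "disk", False, True),
    BackupCopy("local-tape", "tape", False, False),
    BackupCopy("vault-tape", "tape", True, False),
]

if __name__ == "__main__":
    print(check_3_2_1(NETWORKED_ONLY))
    print(check_3_2_1(THREE_TWO_ONE))
    print(demo())
```

The corrupted archive still opens without error, so only the hash comparison against the manifest reveals that a record would not be recoverable.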
After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.
Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.
The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.
Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.
The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.
After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally the malware downloader module is used to download a secondary and often tertiary malware variant.
The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.
The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are contained in Word documents that require content to be enabled to view the document content.
Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.
This campaign includes personalized subject lines including the recipient's name to increase the likelihood of a user taking the requested action. Genuine email threads are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts from 1,875 domains.
It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.
The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and web filter. It is also important to ensure that the staff is made aware of the threat of attack and the types of email that are being used to spread the Trojan.
G2 Crowd, the independent peer-to-peer business software review site, has published its G2 Crowd Grid® Summer 2019 Report for Cloud Email Security. For the third consecutive quarter, SpamTitan has been named the leading cloud email security provider having been awarded the highest score for customer satisfaction.
G2 Crowd is the largest tech marketplace for businesses. The site attracts more than 3 million visitors and contains more than 843,500 reviews from verified software users. The reviews and Grid Reports are relied upon by countless businesses to help them make better software buying decisions.
Each quarter, G2 Crowd produces Grid reports that highlight the key players in different software categories. The G2 Crowd Grids are used to rank software solutions based on market presence and user satisfaction and categorize each as either a niche player, contender, high performer, or leader. To be named a leader, a product must have a strong market presence and high user satisfaction level.
Market presence is determined by the size of the company, its social impact, and market share. The user satisfaction score is calculated from amalgamated reviews from verified users of the software.
User reviews are important when choosing a software solution. If the software is difficult to use, fails to live up to expectations, or does not provide the required functionality, staff will avoid using it as much as possible. For a security solution that is particularly bad news.
The Summer 2019 report includes 9 email security solutions. SpamTitan achieved the highest overall customer satisfaction score – 97% – of all nine solutions by some distance. The next highest customer satisfaction scores were for Proofpoint Email Security & Protection (75%), Area 1 Security (69%), and Barracuda Email Security Gateway (61%).
In addition to the Grid reports, amalgamated scores are included for six different customer satisfaction criteria: Ease of setup, ease of use, ease of admin, ease of doing business, quality of support, and meets requirements. Once again, SpamTitan topped the list with the highest score for ease of setup (92%) and ease of use (92%) and was one of only two solutions that achieved scores of over 90% in each of the six categories.
“The overwhelmingly positive feedback on G2 Crowd from users of SpamTitan is indicative of our commitment to ensuring the highest levels of customer success,” said Ronan Kavanagh, CEO, TitanHQ. “That’s an incredible achievement for a product that is significantly more affordable than the market leaders.”
This fall, TitanHQ will be attending several Managed Service Provider (MSP) events and trade shows throughout Europe and the United States.
TitanHQ has been developing innovative cybersecurity solutions for MSPs for more than two decades and all solutions have been created with MSPs firmly in mind. By involving MSPs in the design process, TitanHQ has been able to ensure that its products incorporate features that make life easier for MSPs, from easy integration into MSPs' management systems through the use of APIs to features rarely found in cybersecurity products, such as full white label versions ready for MSP branding and the ability to host the solutions within MSPs' own environments.
Trade shows give the TitanHQ team the opportunity to meet face to face with prospective clients to discuss their email and web security needs and get face to face feedback from current customers that have already integrated TitanHQ products into their technology stacks.
The TitanHQ team kicked off the fall schedule of trade shows on September 12 at the Taylor Business Group BIG 2019 Conference at the Westin Hotel in Chicago, where members got to meet the TitanHQ team to discuss the new TitanShield program and discover how TitanHQ products can improve security for their clients while saving MSPs time and money.
At the same time, TitanHQ was at the CloudSec Europe 2019 Conference in London demonstrating WebTitan Cloud, SpamTitan Cloud, and ArcTitan to MSPs and cloud service providers.
If you were unable to attend either of these two events or did not get the chance to meet with the team, all is not lost. The fall schedule has only just commenced and there are still plenty of opportunities to meet the team to discuss your requirements and find out how TitanHQ products can meet and exceed your expectations.
Trade Events Attended by TitanHQ – Autumn, 2019
| Date | Event | Location |
|---|---|---|
| September 17, 2019 | Datto Dublin | Dublin, Ireland |
| September 18, 2019 | MSH Summit | London, UK |
| October 6-10, 2019 | Gitex | Dubai, UAE |
| October 7-8, 2019 | CompTIA EMEA Show | London, UK |
| October 16-17, 2019 | Canalys Cybersecurity Forum | Barcelona, Spain |
| October 21-23, 2019 | DattoCon Paris | Paris, France |
| October 30, 2019 | MSH Summit North | Manchester, UK |
| October 30, 2019 | IT Nation Evolve (HTG 4) | Florida, USA |
| October 30, 2019 | IT Nation Connect | Florida, USA |
| November 5-7, 2019 | Kaseya Connect | Amsterdam, Netherlands |
If you plan on attending any of the above events this fall, be sure to come and visit the TitanHQ team and feel free to reach out ahead of the events for further information.
Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
Eddie Monaghan, MSP Alliance Manager, LinkedIn
Marc Ludden, MSP Alliance Manager, LinkedIn
Dryden Geary, Marketing Director
Google has acknowledged that a vulnerability in the Google Calendar app is being exploited by cybercriminals to inject fake and malicious items into Google Calendar.
Several Google Calendar phishing campaigns were detected over the summer of 2019 which were exploiting this flaw. The campaigns saw Google Calendar spam sent to large numbers of users, including invites to events and other requests and special offers that popped up on unsuspecting users’ screens.
These notifications contained links to webpages where users could find out more information about the events and special offers. If events were accepted, they would be inserted into users’ calendars and would trigger automatic notifications. The offers and invites would keep on appearing until the users clicked the link. Those links directed users to phishing pages where credentials were harvested.
Some of the scams required credit card information to be entered, others required the user to log in using their Office 365 credentials. Links could also direct users to webpages where drive-by malware downloads take place.
Most people are aware of the threat of phishing emails, malicious text messages, and social media posts that harvest sensitive information, but attacks on calendar services are relatively unheard of. Consequently, many users will fail to recognize these notifications and calendar items as malicious, especially when they appear in a trusted app such as Google Calendar.
Unfortunately, these attacks are possible because in the default setting, anyone can send a calendar event to a user. That event will be inserted into the user’s calendar and will automatically trigger notifications, as is the case with legitimate events.
In addition to events, messages can include special offers, notifications of cash prizes, alerts about money transfers, and all manner of other messages to entice the user to click a malicious link and disclose sensitive information or download malware.
Google Calendar is not the only calendar service that is prone to these attacks. Apple users have also been targeted, as have users of other calendar apps.
How to Block Google Calendar Phishing Attacks
Recently, a Google employee acknowledged the increase in ‘calendar spam’ and confirmed action was being taken by Google to address the problem.
In the meantime, users can prevent these spam and phishing messages from appearing by making a change to the app settings. Users should navigate to Event Settings > Automatically Add Invitations, and select the option “No, only show invitations to which I’ve responded” and uncheck the “show declined events” option in View Options.
Businesses should also consider including Google Calendar phishing scams in their security awareness training programs to ensure employees are aware that phishing attacks are not limited to email, text message, telephone calls, and social media posts.
Business email compromise scams are now the leading cause of cyberattack-related losses. Billions are being lost each year and there are no signs of the attacks abating. In fact, it has been predicted that the number of attacks and losses will continue to increase.
Around 1% of global GDP is lost to cybercrime each year and that figure is increasing rapidly. Currently, around $600 billion is lost each year to cybercrime. A FinCEN report from July 2018 shows that suspicious activity report (SAR) filings have increased from $110 million per month in 2016 to $301 million per month in 2018 and Cybersecurity Ventures predicts losses will increase to $6 trillion globally by 2021. According to the FBI, more than $1.2 billion was lost to business email compromise scams in the United States alone in 2018.
Business email compromise (BEC) scams involve the impersonation of an executive or other individual, whose compromised email account is used to send fraudulent wire transfer requests. A variation sees a business associate of the company spoofed and requests sent demanding that outstanding invoices be paid. The latter is now more common than attacks spoofing the CEO.
BEC attacks usually start with a spear phishing attack to obtain email account credentials. Once email credentials are compromised, the account is used to send messages to other individuals in the organization, such as employees in the payroll, HR, or finance department. Since the emails come from a trusted source within the organization and the wire transfer requests are not unusual, payment is often made.
A successful attack can see sizable wire transfers made to accounts controlled by the attackers. Payments are often for tens of thousands of dollars or, in some cases, millions of dollars. A recent attack on a subsidiary of the car manufacturer Toyota Boshoku Corporation saw a fraudulent transfer of $37 million made to the attackers.
While that incident stands out due to the scale of the loss, fraudulent transfers of millions of dollars are far from unusual. In many cases, only a small percentage of the transferred funds are recovered. Since these attacks can be extremely profitable, it is no surprise that so many cybercriminal gangs are getting in on the act and are conducting campaigns.
A new report from the insurer AIG shows BEC attacks are now the leading reason for cybersecurity-related insurance claims, having overtaken ransomware attacks for the first time. 23% of all cyberattack-related claims are due to BEC scams.
For the most part, these BEC attacks can be prevented with basic cybersecurity measures. AIG attributes the rise in claims to poor security measures at the targeted organizations. Investigations have uncovered numerous basic cybersecurity failures such as not providing security awareness training to employees, the failure to enforce the use of strong passwords, no multi-factor authentication, and poor email security controls.
If businesses fail to implement these basic cybersecurity measures, attacks are inevitable. Cyber-insurance policies may cover some of the losses, but many SMBs will not be in a position to make a claim. For them, BEC attacks can be catastrophic.
If you run a business and are concerned about your defenses against phishing, spear phishing, and BEC attacks, contact TitanHQ to find out more about effective cybersecurity solutions that can block BEC attacks.
Cybercriminals are using SharePoint to send malicious documents to businesses in the United Kingdom. This tactic has seen many messages pass through email security defenses undetected and arrive in inboxes.
The campaign appears to be targeting businesses in the financial services and aims to obtain Office 365 credentials and username/password combos from other email service providers. Those credentials can be used to gain access to sensitive information in email accounts and cloud storage repositories such as OneDrive.
In the latest campaign, the attacker used a compromised email account at a London legal firm to send emails to employees of businesses in the financial services sector. The attacker uses SharePoint to send a request to review a document. In order to view the document, the user is required to click an embedded hyperlink in the email.
If that link is clicked, the user is directed to SharePoint and onto another malicious URL where they are requested to download a OneNote document. In order to download that document, the user is required to enter their login credentials.
Since the initial URL is for the SharePoint domain, many email security solutions fail to identify the link as malicious. Similar tactics have been used in phishing campaigns that link to OneDrive, Citrix ShareFile, Google Drive, and Windows.net. Since the domains are thought to be benign and the email messages do not contain any malware, the messages are delivered to end users.
The URL used in this campaign is likely to arouse suspicion even though it is a SharePoint domain, but not all users carefully check URLs and the full URL may not be visible on mobile devices, which increases the risk of an end user being fooled into disclosing their login credentials. The spoofed OneDrive for Business portal to which the user is directed is also a poor imitation, but it is sufficiently realistic to fool many end users. Other identified phishing campaigns using file sharing websites are far more convincing and are unlikely to be detected as malicious even by security conscious employees.
When credentials are compromised, the email account is often used to send further phishing emails to other individuals in the organization. Since those emails come from an internal account, users are more likely to respond. The attackers can also view past message threads in the compromised account and use those messages to continue a conversation. The messaging style of the account holder can also be mimicked to add further realism to the phishing emails. Typically, businesses discover one email account has been compromised, but the investigation reveals the attack is far more widespread and many email accounts have been compromised. One recent phishing attack on a U.S. healthcare provider saw an astonishing 72 email accounts compromised!
To block these threats, an advanced email security solution is required. Businesses should look for a solution that incorporates DMARC. DMARC incorporates SPF and DKIM email authentication protocols and verifies that the IP address used to send the email is authorized to send emails from that domain. If that check fails, the email is blocked. This is one of the most important and most effective methods of detecting and blocking email impersonation attacks, including BEC attacks and lateral phishing attempts.
Fortunately, a combination of an advanced spam filtering solution and end user security awareness training will help to ensure that emails do not reach inboxes and, if they do, that employees will be alert to the threat and will avoid clicking the link and disclosing their credentials.
In this post we will explain why businesses using Office 365 should implement a third-party email archiving service rather than use the Office 365 email archiving feature to ensure compliance.
Many businesses have ditched their on-premise Exchange email systems and have migrated their email to the cloud. There are many benefits of such a move. Switching to the cloud means it is not necessary to purchase and maintain on-premises hardware and the space devoted to housing that hardware can be freed up and put to better use. There is also no limit on the number of mailboxes that can be set up and mailbox limits do not need to be set as storage space is never an issue.
Businesses store huge amounts of business-critical information in mailboxes, such as contacts, purchase orders, legal documents, and intellectual property. It is important that this information is always available and cannot be accidentally deleted. A study by IDC suggests that 60% of business-critical information is actually stored in the email system, and much of that data is not stored elsewhere. It is therefore no surprise that when ransomware attacks result in encryption of email data, businesses have little option other than to pay the ransom demand.
Most of the time, data in the email system is not required, so it makes sense to archive the messages. When information in the archive needs to be recovered, it can be found with a simple search.
If a customer gets in touch, emails related to past email conversations can be recovered, but if emails need to be recovered for legal reasons, businesses need to demonstrate that the email in the archive is exactly the same as the message that was received or sent. They must be able to prove emails have not been altered in any way.
Users of Office 365 can prove the authenticity of an email by placing it on Legal Hold in Office 365. Messages placed on Legal Hold are stored in their original, unedited form. Legal Hold is activated by the Office 365 administrator through the admin panel. Provided Legal Hold remains switched on, edited and deleted messages can be recovered along with the original message through the Compliance Center.
To ensure compliance, Legal Hold should never be switched off. Without Legal Hold, messages can be forever lost from the email system. There are two legal hold options available – Litigation Hold and In-Place Hold. The former will ensure that all messages are retained, even if they are deleted from mailboxes. They will be retained for as long as Litigation Hold remains active.
With In-Place Hold, the admin can set criteria for a search query and only messages that meet that search query will be preserved. With In-Place Hold, if a user deletes an email that is not covered by the search query, it will be purged within 14 days and will not be recoverable, even by the IT team. With this option, businesses will not be able to prove that a message has not been sent. If a message is not in the archive, it could just mean that the message was not picked up by the search query.
Legal Hold is therefore the best option, but while Legal Hold is set up, the mailbox cannot be deleted, even if that individual leaves the company. If a user account is deleted, and that user has a mailbox, the mailbox is no longer connected to a user account and will be marked for deletion. It does not matter if the account is still on Legal Hold.
Most third-party email archiving solutions use an archiving method called journaling. Journaling takes a copy of all incoming and outgoing emails on the mail server – or all messages for selected users – in real time. In addition to the message, all associated meta-data and attachments are included in the journal message. This archiving method is utilized by Microsoft Office 365, but there are limitations. For example:
Searches are limited to under 10,000 mailboxes in any one search
Search results are limited to 250 results in the Compliance Center. For more results in a single search, a .PST file must be used. Since .PST files can be edited, this method does not guarantee message authenticity as edits could potentially be made.
Only a maximum of 2 eDiscovery searches can be made at any one time by the same company
If the email service goes down, emails on Litigation Hold and/or live email cannot be accessed
If Litigation Hold is turned off, it is not possible to prove that emails are originals
Without a permanent Litigation Hold, it is not possible to prove that an email has not been sent
Searches are limited to the Outlook search bar
Searches can be difficult for non-technical users
Searches are slow, especially when searching multiple folders or mailboxes.
If individuals leave the company, emails will only be retained if the mailbox is maintained and that has cost implications.
The latter issue can prove costly for organizations. In order to maintain a mailbox when a user has left the company, the license for that user must be maintained. If that user is replaced, another license will be required for that person’s replacement.
That means that for an organization with 50 employees who stay for an average of 2 years, in four years the company would be paying for 200 licenses a year, even though at any one time only 50 licenses should be required. That adds up to a significant extra and unnecessary cost.
TitanHQ has developed its email archiving solution, ArcTitan, to work seamlessly with Office 365. The solution solves the above compliance and performance issues and augments Microsoft’s Compliance Center with much more powerful search and recovery tools. Messages can be found and retrieved much more quickly and efficiently, and there are considerable savings to be made as customers only pay for the licenses they need, regardless how many individuals leave the company and are replaced.
Key Features of ArcTitan
Scalable email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamperproof copy of all emails is retained
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery and other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
If you are looking for a more powerful email archiving solution to work on top of Office 365 that can be quickly and easily implemented in one step and will save you money and ensure compliance, give the TitanHQ team a call.
An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.
The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.
If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.
The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.
Microsoft Office 365 Users are Under Attack!
Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.
What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.
When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.
How to Protect Your Business and Block Office 365 Phishing Attacks
There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.
SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.
No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into a strong last line of defense.
Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.
2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to log in from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by 2-factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.
A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.
When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.
A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.
On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.
A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.
This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.
A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.
As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.
Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.
It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
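The DMARC check described above, and in the earlier section on the SharePoint campaign, can be seen as an added example (not SpamTitan's code or any vendor's implementation): a message passes only if SPF or DKIM passes for a domain aligned with the visible From domain. All domains, records and authentication results are constructed, DNS is replaced by a dictionary, and organizational-domain detection is simplified.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Simplification (assumption): real receivers use the Public Suffix List to
# find the organizational domain; only these multi-label suffixes are known.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed DMARC TXT records keyed by domain (stands in for DNS lookups
# of _dmarc.<domain>).
RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "freemail.test": "v=DMARC1; p=none",
}


def org_domain(domain):
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_record(txt):
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def find_record(from_domain, records):
    """Policy discovery: exact From domain first, then its organizational domain."""
    return records.get(from_domain) or records.get(org_domain(from_domain))


@dataclass
class AuthResults:
    spf_result: str = "none"   # SPF verdict for the sending IP
    spf_domain: str = ""       # domain SPF was checked against (envelope MAIL FROM)
    dkim: list = field(default_factory=list)  # [(verdict, d= signing domain), ...]


def evaluate(from_header, auth, records=RECORDS):
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    record = find_record(from_domain, records)
    if record is None:
        return {"from_domain": from_domain, "dmarc": "none", "action": "deliver"}
    tags = parse_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(verdict == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for verdict, d in auth.dkim)
    if spf_ok or dkim_ok:
        return {"from_domain": from_domain, "dmarc": "pass", "action": "deliver"}
    # sp= (subdomain policy) and pct= (sampling) are not modelled in this sketch.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return {"from_domain": from_domain, "dmarc": "fail", "action": action}


# Constructed test messages: (From header, authentication results).
CASES = {
    # Own mail: SPF passes for a subdomain, DKIM signs as the From domain.
    "legitimate": ('"Example Billing" <billing@example.com>',
                   AuthResults("pass", "bounce.example.com", [("pass", "example.com")])),
    # From domain forged: SPF passes, but only for the sender's unrelated domain.
    "exact-domain spoof": ('"CEO" <ceo@example.com>',
                           AuthResults("pass", "attacker-mail.test", [])),
    # Strict alignment: a subdomain pass does not count for example.org.
    "strict misaligned": ("news@example.org",
                          AuthResults("pass", "mail.example.org", [("pass", "mail.example.org")])),
    # Brand only in the display name; the address domain authenticates itself.
    "display-name spoof": ('"Example Billing" <example.billing@freemail.test>',
                           AuthResults("pass", "freemail.test", [("pass", "freemail.test")])),
}

if __name__ == "__main__":
    for name, (from_header, auth) in CASES.items():
        print(name, evaluate(from_header, auth))
```

The last case passes because DMARC authenticates the domain in the From address, not the display name, which is why the sender-address check at the top of this page still matters.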
Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.
SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.
Equifax phishing scams have been detected which are attempting to take advantage of individuals who were affected by the 143-million record data breach and want to make a claim to recover their out-of-pocket expenses.
Several lawsuits have been filed against Equifax over the breach. One of those lawsuits, filed by the Federal Trade Commission, has recently been settled for $700 million. That figure includes a fund of $425 million to cover claims from victims of the breach.
Anyone who was affected by the breach is entitled to submit a claim, and with so many people affected, scammers have a more than reasonable chance of landing an email in the inbox of an individual who was affected by the breach. More than half the population of the United States had their information exposed.
In order to make a claim, victims of the breach must visit a website set up by Equifax where claims can be processed. The name of the correct domain reflects its purpose – equifaxbreachsettlement.com – which does have a hint of phishiness about it.
Cybercriminals have set up a plethora of fake sites that closely resemble the genuine website, with similarly phishy but realistic names. Those sites similarly allow victims of the breach to submit a claim.
When submitting a claim on the genuine website, the claimant must enter their contact information and make their claim. They can choose to have the payment sent on a pre-paid card or by check in the mail. At no point must a Social Security number, bank account information, or credit card information be entered.
Large-scale spam campaigns are being conducted inviting victims of the breach to submit their claim and receive their share of the settlement amount. Hyperlinks are embedded in the messages which link to fake Equifax claim webpages.
After landing on these phishing webpages, users are guided through making a claim. Contact information is requested along with other sensitive information to confirm identity. Bank account information is also requested to process direct deposit refunds.
After entering in all that information, the claim is submitted, and the user is likely to be unaware that their sensitive information has been stolen.
Any email received in relation to the Equifax data breach settlement should be treated as potentially suspicious. Anyone wanting to make a claim should visit equifaxbreachsettlement.com.
Microsoft Office 365 is being adopted by businesses at a staggering rate. Office 365 is now the most widely used cloud service in terms of number of users. One in 5 corporate employees use an Office 365 cloud service and, according to Gartner, 56% of businesses using cloud services use Office 365.
Any platform that attracts such high numbers of business users is a major target for cybercriminals. Hackers are developing innovative ways of attacking businesses and bypassing Office 365 protections to get their phishing emails delivered to inboxes.
Campaigns are tested on genuine Office 365 accounts to ensure Office 365 defenses are bypassed, before targeted campaigns are conducted on business users. Microsoft’s standard Exchange Online Protection (EOP) is not sufficient to block these threats. At a minimum, users need to pay for Advanced Threat Protection (ATP) to provide the level of protection required to block the types of sophisticated phishing attacks that are fast becoming the norm.
Four campaigns that have recently been identified use novel tactics to evade detection and fool end users into disclosing their login credentials.
Custom 404 Error Pages Used to Host Office 365 Phishing Forms
Microsoft researchers identified a novel tactic being used in a phishing campaign targeting Office 365 users – 404 error pages to host phishing forms. 404 error pages are displayed when a website visitor attempts to visit a page that does not exist. By customizing the 404 page and using it to host a phishing form, the attackers have a virtually unlimited supply of phishing URLs to use. Any random URL would bring up the 404 page and the phishing form. Many email security solutions would not detect the link as malicious.
Voicemail Notifications Used as Lure in Office 365 Phishing Campaign
Avanan researchers recently identified a phishing campaign that uses voicemail notifications as a lure to obtain Office 365 credentials. The emails include Microsoft Office 365 logos and notification of the time of a call, the caller number, and the length of the voicemail message.
The text and logos are combined into three images in the email and an HTML file is attached which the email claims is the voicemail message. If opened, the HTML attachment uses meta refresh to redirect a user from the locally stored HTML page to an Internet-hosted page where they are presented with an Office 365 login box. Credentials are required to listen to the message through the spoofed voicemail management system.
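A gateway-side check for the attachment behaviour described above, as an added example (not code from Avanan or TitanHQ): it parses a message, finds HTML attachments and reports any meta refresh that sends the reader to a remote host. The sample message, addresses, file names and hosts are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# content="<delay>; url=<target>", with optional quotes around the target.
REFRESH_RE = re.compile(
    r"""^\s*(?P<delay>\d+(?:\.\d*)?)\s*[;,]\s*(?:url\s*=\s*)?"""
    r"""(?P<q>['"]?)(?P<url>.+?)(?P=q)\s*$""",
    re.I | re.S,
)


class RefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) from <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_RE.match(attr.get("content", ""))
        if m:  # a refresh without a URL only reloads the page and is ignored
            self.redirects.append((float(m.group("delay")), m.group("url").strip()))


def scan_message(raw):
    """Return one finding per HTML attachment redirect that targets a remote host."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        body = part.get_payload(decode=True) or b""
        try:
            html = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        except LookupError:  # unknown charset label in the MIME header
            html = body.decode("utf-8", errors="replace")
        finder = RefreshFinder()
        finder.feed(html)
        for delay, url in finder.redirects:
            target = urlparse(url)
            # Relative targets stay on the local file; only remote ones matter here.
            if target.scheme in ("http", "https") and target.hostname:
                findings.append({"attachment": name, "delay": delay,
                                 "host": target.hostname, "url": url})
    return findings


def build_message(attachment_html, filename="voicemail.html"):
    """Constructed sample: a 'voicemail' notification carrying an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "Voicemail Service <notify@sender.example.test>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "New voicemail (0:42)"
    msg.set_content("You have a new voicemail. Open the attachment to listen.")
    msg.add_attachment(attachment_html.encode("utf-8"), maintype="text",
                       subtype="html", filename=filename)
    return msg.as_bytes()


# Constructed attachment bodies.
REDIRECTING = """<html><head>
<meta http-equiv="Refresh" content="0; URL='https://voicemail.example.test/login'">
</head><body>Loading message...</body></html>"""
BENIGN = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="300"></head><body>Monthly report</body></html>"""

if __name__ == "__main__":
    for label, html in (("redirecting", REDIRECTING), ("benign", BENIGN)):
        print(label, scan_message(build_message(html)))
```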
Office 365 Admin Credentials Targeted
Office 365 credentials are valuable, but none more so than administrator credentials. A typical employee may have an email account containing sensitive data and their credentials may allow a limited number of cloud resources to be accessed. A set of administrator credentials would give an attacker the ability to create new accounts, access other users’ accounts, send messages from their email accounts, and access a much greater range of resources.
Office 365 admins are being targeted in a campaign that uses Office admin alerts about time-sensitive issues to lure them into disclosing their credentials. Two common lures are a critical problem with the mail service and the discovery of an unauthorized access incident.
Attacks Use Credentials in Real Time
A phishing campaign has been detected in which the attackers use the data captured from fake Office 365 login forms to access the genuine Office 365 account in real time. If the login fails, a warning is displayed requesting the user re-enter their credentials. When the correct credentials have been entered, the user is redirected to their real Office 365 inbox, most likely totally unaware that their credentials have been stolen.
These are just four new tactics being used by cybercriminals to gain access to the Office 365 credentials of business users. Without advanced anti-phishing defenses in place, many of these sophisticated phishing emails will be delivered to end users’ inboxes. Security awareness training for employees will go a long way toward strengthening your last line of defense, but unless the majority of email threats are blocked, data breaches will occur.
Businesses using Office 365 need to ensure their email security defenses are up to scratch and can detect and block advanced phishing threats. That means paying for Office 365 ATP or using a third-party anti-spam and anti-phishing solution.
With SpamTitan layered over Office 365, businesses will be protected from the full range of email-based threats. Advanced phishing techniques such as those detailed above are detected and neutralized by SpamTitan.
TitanHQ’s DNS filtering solution, WebTitan, adds another layer of security to protect against phishing attacks. WebTitan blocks all known malicious web pages and scans new websites for malicious content. Threats are detected and webpages are blocked before any content can be downloaded.
For further information on securing Office 365 accounts and improving your anti-phishing defenses, contact the TitanHQ team today.
Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.
The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.
If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots. The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.
The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.
There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.
Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.
The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: the opening of an attachment by a busy employee.
Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source. SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.
For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sales team today.
TitanHQ has announced it has entered into a new partnership with one of the United Kingdom’s leading Managed Service Providers (MSPs), OneStopIT.
For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.
Through the company’s dealings with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at a record pace and those attacks are costing businesses dearly.
UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.
TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.
Under the new partnership, OneStopIT will be offering its customers SpamTitan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.
All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.
“The proliferation of phishing threats across Office 365 is a real problem for SMEs in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.
Cabarrus County in North Carolina is the latest victim of a major Business Email Compromise attack. The scammers impersonated a building contractor that was constructing a new high school in the County and succeeded in redirecting a $2.5 million payment to their account.
One of the contractor’s email accounts was compromised and an email was sent to a contact at the County requesting a change to the usual bank account.
Any request for such a change naturally needed to pass checks, but since the scammers had sent through all the appropriate documentation, the banking information was changed. The scammers then waited until the next regular payment was made. That payment was for $2,504,601.
The missing payment was queried by the contractor, Branch and Associates, and an investigation uncovered the scam. The relevant banks were informed to freeze the accounts to prevent the money from being withdrawn, but despite the quick response, the banks were only able to recover $776,518.40. The scammers had managed to divert $1,728,082.60 to a variety of accounts and had pocketed the funds.
The County was protected by an insurance policy, but it only provided $75,000 of coverage. $1,653,082.60 of the funds had to be covered by the County, in addition to the costs of investigating the attack, implementing additional security measures, and the cost increase of its insurance premiums after making such a large claim.
In this case the transfer was substantially larger than the average fraudulent BEC wire transfer, but transfers of this magnitude are far from unusual. Figures released by the U.S. Financial Crimes Enforcement Network (FinCEN) show there has been a 172% increase in losses to BEC attacks since 2016. Attacks are also increasing in frequency. In 2018, 1,100 BEC attacks were reported by businesses and $310 million per month was lost to BEC attacks.
FinCEN’s report shows businesses in the manufacturing and construction industries are the most commonly targeted and face the greatest risk of attack, although all businesses need to be aware of the threat and should take steps to reduce risk.
Defending against BEC attacks requires a variety of technical and administrative safeguards. There is no single solution that can be implemented which will detect and block all BEC attacks.
BEC scams usually start with a phishing email, so steps should be taken to improve email security. Advanced email security solutions such as SpamTitan can identify and block these BEC threats. SpamTitan also provides protection against the second stage of the attack. In addition to scanning all incoming emails, SpamTitan also scans outbound email for potential threats coming from within the organization.
Not all threats can be blocked, even with highly advanced email security defenses, so it is essential for the workforce to be trained how to identify potential email threats. Policies and procedures should also be developed covering amendments to banking credentials and email requests for bank transfers over a certain size.
Companies that fail to take action to reduce risk could well find their losses included in next year’s FinCEN BEC financial losses report.
If you have not implemented an anti-spam service, if you are unhappy with your current provider, or if you use Office 365 for email, contact the TitanHQ team today to find out more about improving your security posture and increasing your defenses against BEC attacks.
Email archiving solutions have been developed by many cloud service providers, but prices can vary considerably between products, even between products that include a virtually identical set of features. Finding the best value email archiving solution for your business can be a challenge.
While the difference in price may only be a dollar or two per user, when multiplied by the number of employees in the organization the cost difference can be of the order of several thousand dollars a year.
To help you get the best possible price on email archiving, we have created a 2019 email archiving price comparison grid. The grid includes some of the leading names in email archiving and gives a typical price per user per month and per year, along with the total annual cost for a business with 100 mailboxes. The prices were taken from price lists available on 04/05/2018.
As you can see from the grid, TitanHQ’s email archiving solution, ArcTitan, is very competitively priced and is an affordable solution for most businesses. Being cloud-based, an email archive is quick and easy to set up and no hardware or software is required.
2019 Email Archiving Costs
Key Features of ArcTitan
100% cloud-based – No hardware or software is required
No limits on numbers or storage space
Virtually unlimited scalability
Enhances Search and Storage functionality of Office 365
Rapid archiving – Processes 200 emails a second
Lightning fast searches - ArcTitan can search millions of emails a second.
Intuitive design ensures easy use by all employees on desktop and mobile
Full audit trail maintained
Remote access to the archive for authorized users from any location or device
Full protection against data loss and mail server outages with automatic backups
Industry-leading customer support
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery and other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
As with all other TitanHQ solutions, we offer all visitors a free demonstration of ArcTitan in action. This gives businesses an opportunity to see the full product and all the product features. During the demo, businesses have access to an experienced engineer who can answer any questions you have about email archiving solutions.
At the end of the demo, if you are happy with what you have seen, you can purchase a license and start using ArcTitan within minutes. If you are not happy for any reason, there is no obligation to proceed with a purchase and TitanHQ will wish you the best of luck with your search for an alternative solution.
If you have any questions about ArcTitan, or to book a product demonstration, contact TitanHQ today.
FAQs
Why do I need an archive if I back up my email?
Backups and email archives are not the same. Backups protect against catastrophic failure and allow mailboxes to be restored to a certain point in time. You cannot easily search a backup, so recovering emails can be an incredibly labor-intensive and time-consuming process and backups may not be adequate if emails need to be provided for court cases.
Are there any hidden email archiving costs?
One ‘hidden’ cost with many email archiving service providers is the need to continue to pay for archiving for all mailboxes, even if an employee leaves the company. Over time, that cost can build up, especially if you have a high staff turnover. With ArcTitan you only pay for the number of active mailboxes and you also benefit from very competitive email archiving pricing.
Is hosted email archiving pricing more expensive than on-premises?
That will largely depend on the number of mailboxes and email volume. For most businesses, once storage space, IT support and maintenance, and backups are factored in, hosted email archiving is usually the most cost-effective and easiest option. Hosted email archiving can be paid for monthly and there are no start-up costs. With on-premise archiving you need to purchase and implement the hardware and software.
What else should I consider when selecting an email archiving service provider?
Our email archiving service cost comparison includes the major providers of cloud-based email archiving for businesses and MSPs as a guide to show you the cost savings. You also need to consider how easy the solutions are to use and how quickly messages can be found in the archive. We are convinced you will love the performance of ArcTitan, which is why we encourage you to take advantage of the free demo.
Do you provide help with migrating an existing email archive?
All ArcTitan customers benefit from industry-leading customer support. If you need help migrating your email archive from an existing service provider, expert technical support is on hand from our team of highly skilled engineers. Full support is also provided during the free demo to ensure you get the most out of ArcTitan.
New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.
Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.
Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.
More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks
The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.
FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.
BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% in just two years.
There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.
As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.
If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.
FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.
FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.
How to Improve Defenses Against BEC Attacks
With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.
Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam service such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.
For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.
There are several common misconceptions about email archiving which are preventing many businesses from creating an email archive. It is often only when email data needs to be recovered that businesses realize just how important an email archive is. Of course, by then it is too late.
In this post we debunk some of the email archiving myths and explain why email archiving is now essential for almost all businesses, regardless of industry or business size.
Misconception #1: An Email Archive is the Same as a Backup
The recent increase in ransomware attacks has highlighted the importance of creating backups of all critical data. An email backup contains all messages in a mailbox. If anything happens to that mailbox – it is encrypted by ransomware for instance – all email data can be recovered.
An email archive could serve the same purpose but differs in some very important ways. An email archive serves as a depository for all emails that are no longer required but need to be retained to meet state and federal data retention requirements.
If an email, or a group of emails, needs to be recovered, the messages can be located and restored very quickly. That is because the archive includes email metadata and the archive is searchable. A backup is intended for mass email recovery. Finding individual emails in a backup can be incredibly time consuming, costly, and difficult.
You can restore emails from a backup following a ransomware attack, but for eDiscovery and dealing with customer complaints, an email archive is required.
Misconception #2: Email Archives are Only Necessary in Highly Regulated Industries
The Sarbanes-Oxley Act of 2002 (SOX) requires organizations to maintain an audit trail for 7 years, which includes email communications. However, it is not only organizations covered by SOX that must retain emails. Several states have enacted laws that require email data to be retained for a set period of time.
Further, no company is immune to litigation. The Federal Rules of Civil Procedure require email communications to be produced as part of eDiscovery. Those communications must be found and provided quickly, which is only possible with an email archive. The failure to produce emails can result in significant financial penalties.
Misconception #3: Email Archives Must be Stored On-Premises
There is no law that states email archives must be housed on-premises, but many companies mistakenly believe that this is necessary. They then purchase expensive hardware and software to create an on-premises email archive. This is often out of security concerns as IT departments feel they can better protect email data in house.
However, cloud service providers offer the same if not greater security, and their solutions require no hardware purchases nor ongoing hardware and software maintenance. Businesses are therefore paying unnecessarily high prices for their email archive.
There is no need to purchase expensive hardware to store sizable email archives and resources do not need to be made available to maintain the hardware and software. On-premises systems also tend to lack flexibility, whereas cloud-based email archives are extremely scalable. When greater capacity is required, additional storage space is always available.
Many businesses only retain emails for a limited period of time, such as 90 days, after which messages are permanently deleted. There is a common view that if an email is deleted, it cannot cause any harm. However, if a complaint is received or emails need to be produced for eDiscovery, the failure to produce those messages could see a company liable for data destruction.
If you want to meet compliance requirements, reduce costs, and be able to recover email data instantly, an email archive is required.
ArcTitan: The Easy Way to Implement a Cloud Email Archive
TitanHQ offers a powerful, fast, and easy to use archiving solution that allows customers to securely store email data in the cloud. ArcTitan is a set and forget solution that serves as a black box flight recorder for email. Whenever an email needs to be found, you are selected for a compliance audit, or you receive an eDiscovery request, the archive can be quickly searched and emails can be recovered in seconds or minutes. Emails are sent to the archive at a rate of around 200 messages a second and searches of the archive can be performed at a rate of up to 30 million messages a second.
With ArcTitan, emails are sent to the archive in real time when they arrive at your mail server. An exact copy of the email is sent to the archive, messages are de-duplicated, compressed and sent to Replicated Persistent Storage on Amazon AWS S3, and the archive is automatically backed up to ensure emails can always be recovered. With ArcTitan there are no software updates to be performed, as that is handled by TitanHQ. A full audit log is maintained and you can prove that any emails produced have not been altered, which is essential for compliance and eDiscovery requests.
Some of the key features of ArcTitan are listed below:
Scalable email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamperproof copy of all emails is retained
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery and other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
To find out more about the benefits of email archiving and for further information on ArcTitan, contact TitanHQ today.
Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.
A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants, and a module has also been developed for propagation which includes the EternalBlue exploit.
Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.
This is a professional Office 365 phishing campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.
Office 365 Admins Targeted
A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.
Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.
The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.
Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.
Admin credentials are highly valuable as they allow an attacker to create new Office 365 accounts, access other users’ mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.
There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.
However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.
WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.
Contact TitanHQ today to find out more about how SpamTitan and WebTitan can block Office 365 phishing attacks, the different deployment options, pricing information, and to book a product demonstration.
New Office 365 Phishing Scams FAQs
Will a spam filter block all spam and phishing emails?
No spam filter will be 100% effective, 100% of the time, which is why it is important to implement layered defenses. Many spam filters block around 99% of spam. SpamTitan is an advanced spam filter that has been independently verified as blocking 99.97% of spam email with a low false positive rate of just 0.03%.
How does email content filtering work?
Once initial checks have been performed to identify malware and emails from known spam sources, message content filtering takes place. Email content is analyzed, and each email is assigned a spam score based on phrases, keywords, images, and hyperlinks. A threshold is set and if that score is reached, the message will be rejected or quarantined.
What is greylisting and why is it important?
Greylisting is an important spam filtering mechanism for detecting new sources of spam. Greylisting initially rejects an email and requests the message is resent. Since email servers being used for spamming are busy sending huge volumes of messages, they do not respond to these requests or there is a significant delay. The delay is a good indicator that the message is spam.
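The decision logic of a greylisting filter, as an added example that is not SpamTitan's implementation: a first delivery attempt gets an SMTP temporary failure, and only a sender that retries after a minimum delay is accepted and remembered. The delay, window and TTL values, the class name, and the addresses in the timeline are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"  # temporary failure: sender should retry
ACCEPT = "250 OK"


def client_network(ip):
    """Group senders by /24 (IPv4) or /64 (IPv6); large providers retry from a pool of hosts."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Greylist:
    min_delay: int = 300            # assumed: seconds before a retry is accepted
    retry_window: int = 4 * 3600    # assumed: a retry later than this starts over
    pass_ttl: int = 36 * 86400      # assumed: how long a passed triplet stays trusted
    first_seen: dict = field(default_factory=dict)
    passed: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO, given the current time in seconds."""
        key = (client_network(client_ip), mail_from.lower(), rcpt_to.lower())

        # Triplet already proved it retries like a real mail server.
        if key in self.passed and now - self.passed[key] <= self.pass_ttl:
            self.passed[key] = now
            return ACCEPT

        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            # New triplet, or the retry came so late that it is treated as new.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - seen < self.min_delay:
            # Immediate re-send: typical of bulk senders that hammer without queueing.
            return TEMPFAIL

        del self.first_seen[key]
        self.passed[key] = now
        return ACCEPT


def replay(greylist, events):
    """Run (client_ip, mail_from, rcpt_to, time) tuples through the filter in order."""
    return [greylist.check(*event) for event in events]


# Constructed timeline: a queueing mail server that retries from a sibling host,
# and a bulk sender that fires once and comes back hours later.
LEGIT = [
    ("192.0.2.10", "billing@partner.example", "ap@hotel.example", 0),
    ("192.0.2.10", "billing@partner.example", "ap@hotel.example", 60),
    ("192.0.2.11", "billing@partner.example", "ap@hotel.example", 900),
    ("192.0.2.10", "billing@partner.example", "ap@hotel.example", 1000),
]
BULK = [
    ("198.51.100.7", "promo@bulk.example", "ap@hotel.example", 0),
    ("198.51.100.7", "promo@bulk.example", "ap@hotel.example", 5 * 3600),
]

if __name__ == "__main__":
    gl = Greylist()
    for event, reply in zip(LEGIT + BULK, replay(gl, LEGIT + BULK)):
        print(event[0], event[3], "->", reply)
```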
Why should I scan outbound emails?
Outbound scanning is important for several reasons. By scanning outbound emails, email account compromises can be detected quickly to block business email compromise attacks. Attempts to use internal email accounts for sending malware and spam will be blocked, and tags can be applied to certain data types to identify attempted data theft by malicious insiders.
The past few months have seen an increase in reported cyberattacks on ships. The rise in cyberattacks on the commercial shipping network has prompted the U.S. Coast Guard to issue a warning.
This is the second such warning to be issued by the U.S. Coast Guard in the past three months. Together with a recent shipping industry report, they confirm that shipping companies and commercial vessels are being targeted by hackers and many of those attacks are succeeding.
Ships are now largely controlled by computers and mouse clicks and there is increasing reliance on electronic navigation systems. It is now common for operational technology and information technology to be linked together via onboard networks, and certain systems are now connected to the Internet. When devices are networked and connect to the Internet, hackers are given the opportunity to attack.
The cyberattack that prompted the latest warning occurred in February 2019. A ship bound for the Port of New York started experiencing severe disruption to its shipboard network. Vessel control systems were not affected, although the functionality of the network was severely degraded. The U.S. Coast Guard led a forensic investigation which revealed malware had been installed on the network.
The ship was known to be vulnerable to attack so the crew did not typically use the network for personal matters such as email. The network was only used for business purposes, which involved contact with third parties to maintain charts, manage cargo data, and communicate with shore-side facilities. It is currently unclear how the malware was installed, but what is clear is that cybersecurity defenses were nowhere near sufficient.
The advice from the Coast Guard is to implement network segmentation to limit the harm that can be caused in the event of an attack. Network profiles should be created for each user, and the rule of least privilege should be applied. Anti-virus software should be installed, all software should be kept up to date, and care should be taken connecting any external device to a networked computer due to the risk of malware.
If hackers can gain access to the network, they can steal sensitive data, cause serious disruption to internal networks, and systems could even be rendered inoperable. An extortion attack involving ransomware, for instance, could leave shipping firms with no alternative other than to pay up.
These attacks are the latest in a string of cyberattacks on commercial vessels. In December 2018, 21 shipping associations and industry groups produced a set of guidelines on cybersecurity onboard ships to help commercial vessel operators improve security, secure their networks, and make it difficult for hackers.
The report details recent USB-based attacks, RDP-based attacks, phishing attacks, ransomware attacks, and attacks involving malware, viruses, and worms. The attacks have caused major delays to shipping firms, financial losses, and in some cases have jeopardized safety.
Just as captains must make sure that access to the engine room is restricted, the same should be the case for computer systems. If systems are not secured, cyberattacks are inevitable.
TitanHQ can help shipping firms protect against email and web-based attacks and block the two main vectors that are used to attack commercial vessels.
Contact the team today to ask about SpamTitan and WebTitan: TitanHQ’s award-winning antispam and DNS filtering solutions.
A serious outage has affected the spam filtering service, OnlyMyEmail, leaving customers without spam protection for several days.
The spam filtering service, also known as MXDefender, suddenly stopped working on Thursday and customers have been left in the dark about what has happened. Many have taken to online forums and social media to find answers but have only found hundreds of other customers asking the same questions. Customers have not been able to submit support tickets, the website is down, and the phone lines have been jammed.
MSPs know all too well that their clients are vulnerable to attack while their spam filtering service is down. Without the filter in place, spam, phishing, and malware-laced emails can flood into inboxes. All it takes is for one employee to respond to one of those messages for a costly breach to occur.
Several MSPs on forums such as Spiceworks have expressed their frustration about the prolonged outage and have already had to move their clients to alternative service providers to ensure they are protected until the issues are resolved. Two large MSPs have already switched to SpamTitan as a result of the OnlyMyEmail outage.
TitanHQ has received many enquiries about SpamTitan since the OnlyMyEmail service went down, as customers seek an alternative solution to protect their inboxes from email threats and spam. Many have given up waiting for an answer from OnlyMyEmail.
If you are a managed service provider or business that has been affected by the outage, it is important to implement a replacement spam filtering solution as soon as possible. The failure to do so will leave you extremely vulnerable to attack.
TitanHQ has developed an award-winning anti-spam and anti-phishing solution that has been shown to block more than 99.9% of spam in independent tests.
The 2019 G2 Crowd Report on Email Security Gateways named SpamTitan the leader for customer satisfaction. 97% of users awarded the product 4 or 5 stars and 92% of users would recommend the product to others.
TitanHQ ranked top for quality of support with an overall score of 94% – 10% more than the average score for support. SpamTitan clearly outperformed products from the likes of Cisco, Barracuda, Mimecast, and SolarWinds.
SpamTitan is available as a cloud-based solution or gateway solution running on a virtual machine on your own hardware. MSPs have a range of hosting options and the solution can be easily integrated into existing MSP systems using TitanHQ’s APIs.
If you want an easy to implement anti-spam solution that provides enterprise-class protection at an affordable SMB price, SpamTitan is the ideal choice.
Sign up for the free trial and you can be protected in minutes.
You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.
Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.
There is still an entry barrier to cross before it is possible to conduct phishing attacks. Phishing requires some knowledge and skill, as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere, so a compromised domain will be required.
Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.
One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.
Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.
With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.
If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.
It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.
An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.
If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.
TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.
A new strain of ransomware has been identified which has been used in multiple attacks over the past few weeks.
Not all of the attack vectors used to distribute the ransomware are known yet, but samples of the ransomware have been distributed via a spam email campaign.
The spam email campaign uses a tried and tested format to deliver the ransomware payload. A Word document called Info_BSV_2019.docm is attached to emails with requests that the recipient open the document. In order for the contents to be displayed, the user is told they must enable macros. Enabling macros will launch code that downloads an executable file, which is renamed LooCipher.exe and is executed.
The ransomware will encrypt a standard range of file types, but instead of deleting the original files, they are retained as zero-byte files. Encrypted files are given the extension .lcphr.
The ransomware creates a file on the Windows Desktop called c2056.ini, which includes the unique ID number of the computer, the time limit for paying the ransom, and the Bitcoin wallet address for payment. The ransom note warns that deletion of the ini file will prevent file recovery.
Users are given 5 days to pay the ransom or the key to unlock files will be permanently deleted. The ransom is €300 ($330) in Bitcoin per device. No option is provided to test to see whether a file can be decrypted.
LooCipher ransomware may not be particularly polished, but it has already claimed several victims. Recovery will depend on an organization’s ability to restore files from backups. It is not clear whether the attackers hold valid keys to decrypt encrypted files.
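The artifacts named above (the .lcphr extension, zero-byte originals, c2056.ini, Info_BSV_2019.docm and LooCipher.exe) can be checked for with a read-only scan. The following is an added example, not code from the original article; the article does not say whether .lcphr is appended to or replaces the original extension, so the pairing logic assumes either, and the sample directory tree is constructed.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".lcphr"
# File names taken from the description above, compared case-insensitively.
ARTIFACT_NAMES = {"c2056.ini", "loocipher.exe", "info_bsv_2019.docm"}


def _is_empty(path):
    try:
        return path.is_file() and path.stat().st_size == 0
    except OSError:  # unreadable entry: skip it rather than abort the scan
        return False


def scan(root):
    """Walk `root` and report LooCipher artifacts. Nothing is modified or deleted."""
    root = Path(root)
    found = {"encrypted": set(), "zeroed_originals": set(), "artifacts": set()}
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        empties = [f for f in files
                   if not f.lower().endswith(ENCRYPTED_EXT) and _is_empty(folder / f)]
        for name in files:
            rel = (folder / name).relative_to(root).as_posix()
            lower = name.lower()
            if lower in ARTIFACT_NAMES:
                found["artifacts"].add(rel)
            if not lower.endswith(ENCRYPTED_EXT):
                continue
            found["encrypted"].add(rel)
            # Assumption: the encrypted copy is either "name.ext.lcphr" or
            # "name.lcphr"; pair it with a zero-byte sibling in the same folder.
            base = name[:-len(ENCRYPTED_EXT)]
            for empty in empties:
                if empty == base or Path(empty).stem == base:
                    found["zeroed_originals"].add(
                        (folder / empty).relative_to(root).as_posix())
    return {key: sorted(values) for key, values in found.items()}


def likely_loocipher(report):
    """Encrypted files plus a second indicator (emptied original or the ini file)."""
    has_ini = any(p.lower().endswith("c2056.ini") for p in report["artifacts"])
    return bool(report["encrypted"]) and (bool(report["zeroed_originals"]) or has_ini)


def build_sample(root):
    """Create a small constructed tree that mimics the state described above."""
    root = Path(root)
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    (root / "Desktop" / "c2056.ini").write_text("constructed placeholder\n")
    (root / "Documents" / "budget.xlsx").write_bytes(b"")           # emptied original
    (root / "Documents" / "budget.xlsx.lcphr").write_bytes(b"\x00" * 64)
    (root / "Documents" / "notes.txt").write_text("untouched file\n")
    (root / "Documents" / "empty.log").write_bytes(b"")             # unrelated empty file


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = scan(tmp)
        for key, paths in report.items():
            print(key, paths)
        print("likely LooCipher:", likely_loocipher(report))
```

Because the ransom note warns that deleting c2056.ini prevents recovery, the scan only reports the file and leaves it in place for responders to preserve.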
Ransomware attacks have been increasing following a decline in popularity of ransomware with hackers in 2018. There have been high-profile attacks on U.S. cities, and hundreds of thousands of dollars have been paid in ransoms. Ransomware attacks on healthcare organizations have increased, and several new strains of ransomware have emerged.
Recently the Department of Homeland Security warned of the risk of wiper malware attacks by Iranian threat actors, as tensions between the United States and Iran continue to increase.
These malware threats may be delivered by a variety of different methods, but spam email is the delivery vector of choice. Protecting against these malware threats requires an advanced spam filtering solution capable of precision control over incoming email and the ability to scan messages and analyze attachments for malicious code.
SpamTitan uses twin AV engines to identify known malware and a sandbox to analyze suspicious attachments to identify malicious actions and provides superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
To find out more about how you can improve email security with SpamTitan, contact the TitanHQ team today.
Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.
Less visible are the attacks on IT systems. The Washington Post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.
Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.
Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.
Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.
More recent were the NotPetya attacks. While NotPetya was initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard. The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.
Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.
As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.
Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.
A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.
Standard cybersecurity best practices should be adopted, such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date, and patches are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.
A phishing campaign targeting university employees has already claimed several victims and has seen many email accounts compromised.
Emails are tailored to the institution and use a range of social engineering tricks to convince employees to click a link in the email and enter their Office 365 login credentials to access online content. The credentials are captured and used to gain access to university email accounts.
Once credentials have been obtained, a treasure trove of sensitive data can be plundered. Emails and email attachments contain personally identifiable information of staff, students, and parents, which can be used to commit identity theft and other fraudulent acts. Proprietary information can be obtained, along with details of contacts. The compromised accounts can also be used to conduct further phishing attacks on the university and externally on business contacts and other educational institutions.
Campaigns convincing users to install malware can give the attackers full control of university computers and a foothold to move laterally throughout the network. Access to university email accounts and backdoors in university computers are sold on the dark web, along with a range of stolen and forged university documents.
The healthcare industry is heavily targeted by cybercriminals due to the high value of health data. Health data is versatile and can be used for a multitude of fraudulent purposes. It also has a long life span and can be used for much longer than financial information. Cybercriminals are also now realizing the potential rewards from attacks on universities. Student data is similarly versatile, and the wealth of data stored in university email accounts provides plenty of opportunities for profit.
Oregon State University is the latest university to announce it is the victim of a phishing attack. The Office 365 email account of an employee was compromised, through which the attacker had access to the records of 636 students. The account was used to send phishing emails to other entities throughout the United States.
Graceland University in Iowa and Southern Missouri State University recently announced that several email accounts had been compromised in recent phishing attacks, which would have allowed access to be gained to sensitive information.
It is unclear whether this is a single campaign or part of a wave of separate attacks on universities. What is clear is the attacks are increasing, so universities should take steps to improve email and web security.
Employees are being targeted so it is important to ensure that staff members are taught email security best practices and are shown how to identify phishing emails.
Technological defenses can also be improved to prevent malicious messages from arriving in Office 365 inboxes. As an additional protection, a DNS filter can be used to prevent users from accessing phishing websites and other known malicious web pages.
TitanHQ has developed powerful anti-phishing and anti-malware solutions for universities that help them protect against email and web-based attacks.
SpamTitan is a powerful anti-spam service that incorporates DMARC authentication and sandboxing to provide superior protection against impersonation and malware attacks for Office 365 users.
WebTitan is a DNS filtering solution that prevents users from accessing known malicious websites, such as those used for phishing and distributing malware.
To improve Office 365 phishing defenses and better protect your email accounts and networks from malware attacks, contact TitanHQ for further information on these two powerful cybersecurity solutions for educational institutions.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions are easy to implement and maintain and can be integrated into MSPs’ existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon Details
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
The global user review website, G2, is the go-to place to find reviews of business software and services. Unlike many other review websites, G2 gives users of the software and services the opportunity to provide their feedback on how the products perform. Millions of businesses use the website to make smarter buying decisions and select the best products and services to meet their needs.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.
TitanHQ has developed a suite of advanced cybersecurity solutions to keep businesses protected from email and web-based threats and help MSPs serving that market effortlessly provide managed cybersecurity services to their clients.
“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback from on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.
However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.
The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.
Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.
The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.
Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.
Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet capable of stealing login credentials, propagating itself via email on an infected device, and downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.
There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.
A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.
Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.
The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.
As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.
Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.
Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.
To block web-based attacks, consider implementing a web filtering solution such as WebTitan, which prevents users from visiting known malicious websites and downloading executable file types.
One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.
While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.
Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.
The French Value Added Distributor (VAD) Exer has partnered with TitanHQ and will start offering its email security, DNS filtering, and email archiving solutions to French VARs.
Exer specializes in network security, mobile security, and managed cybersecurity services and currently works with over 600 French VARs and integrators helping them improve security for their clients.
TitanHQ is a leading provider of email security and DNS filtering services to SMBs, and MSPs and VARs serving the SMB market. The company’s award-winning cybersecurity solutions are now used by more than 7,500 businesses and 1,500 MSPs around the world.
TitanHQ is keen to expand its footprint in France and collaboration with Exer will help the company achieve its aims.
“Our advanced threat protection for email and web security was designed to keep businesses productive and information secure. We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to our VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market.”
The collaboration will see Exer offer all three TitanHQ solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.
SpamTitan offers superior protection against all email-based threats and blocked 7 billion spam emails in January 2019. The solution is regularly updated to ensure it continues to protect against the latest email threats. The most recent update saw the incorporation of DMARC and sandboxing to the solution.
WebTitan is a DNS filtering solution that allows businesses to block web-based threats and carefully control the web content that can be accessed by users, both on and off the network. In January, the solution blocked more than 60 million malicious websites to keep businesses protected.
ArcTitan is an email archiving solution that helps businesses meet their compliance requirements. The solution was used to securely archive 10 million emails in January 2019.
French VARs will be able to find out about TitanHQ solutions at Exer’s Tour De France, which commences in Lille on May 23, 2019 at Hameau de la Becque (09:00-13:00).
Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however, the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country, followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.
Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.
The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.
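The ransom-note naming described above gives incident responders a simple host-side indicator. The following is an added example, not code from the original article or from any vendor: a PowerShell sweep of every user profile's Desktop for the README1.txt to README10.txt series. The function name, the `MinimumNotes` threshold and the profile-root default are assumptions made for illustration.

```powershell
# Added example: sweep user Desktops for the numbered README ransom notes
# (README1.txt .. README10.txt) that the article attributes to Shade.
# Works on PowerShell 2.0 and later; run with rights to read all profiles.
function Find-ShadeRansomNotes {
    param(
        # Assumption: profiles live beside the current user's profile
        # (C:\Users on Windows 7, C:\Documents and Settings on XP).
        [string]$ProfileRoot = (Split-Path $env:USERPROFILE -Parent),
        # Assumption: a lone README1.txt is common and benign, so only
        # report a Desktop holding at least this many of the series.
        [int]$MinimumNotes = 5
    )

    $profiles = Get-ChildItem -LiteralPath $ProfileRoot |
        Where-Object { $_.PSIsContainer }

    foreach ($userProfile in $profiles) {
        $desktop = Join-Path $userProfile.FullName 'Desktop'
        if (-not (Test-Path -LiteralPath $desktop)) { continue }

        # Exact match on the series; -match is case-insensitive by default.
        $notes = @(Get-ChildItem -LiteralPath $desktop |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Name -match '^README([1-9]|10)\.txt$' })

        if ($notes.Count -ge $MinimumNotes) {
            $first = $notes | Sort-Object CreationTime | Select-Object -First 1
            New-Object PSObject -Property @{
                Profile      = $userProfile.Name
                Desktop      = $desktop
                NoteCount    = $notes.Count
                # Earliest note creation time helps bound when encryption ran.
                FirstNoteUtc = $first.CreationTimeUtc
            }
        }
    }
}

Find-ShadeRansomNotes | Format-List
```

A hit only shows that files matching the note names exist; confirm by checking for encrypted files and the changed desktop background before treating the host as infected.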
An analysis of the latest campaigns was recently conducted by Palo Alto Networks' Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions, and that the threat actors behind the campaigns have been highly active in 2019.
Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.
SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.
The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.
These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.
If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.
A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability is pre-authentication and requires no user interaction to exploit, which makes it wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.
A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.
The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit. To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.
Patches have been released for all vulnerable Windows versions, including Windows XP and Windows 2003, both of which have reached end of life and are no longer supported, as was the case with the Windows Server Message Block (SMB) vulnerability that was exploited by WannaCry.
Affected Windows versions are:
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows XP
Windows 2003
Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.
The workaround requires TCP port 3389 to be blocked on the firewall and for Network Level Authentication (NLA) to be enabled on all systems running vulnerable Windows versions. If NLA is enabled, before the flaw can be exploited, an attacker would first need to authenticate to Remote Desktop Services using a valid account. While the workaround will reduce the risk of exploitation of the vulnerability, it is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services if they are not essential and RDP should not be exposed to the internet.
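To check a machine against the workaround described above, the following added example (not code from the original article or from Microsoft) reads the local Remote Desktop settings from the registry and lists the outstanding actions. The function name and the output fields are assumptions; the script reads local settings only, so a Group Policy that enforces NLA is not reflected, and it does not verify whether the patch is installed.

```powershell
# Added example: audit the local host against the CVE-2019-0708 workaround.
# Compatible with PowerShell 2.0; run in an elevated session.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey

    # NT version numbers of the releases the article lists as affected:
    # 5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008,
    # 6.1 = Windows 7 / Server 2008 R2.
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
    $affected   = @('5.1', '5.2', '6.0', '6.1') -contains $majorMinor

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means NLA is required before a session starts.
    $nlaOn      = ($rdp.UserAuthentication -eq 1)
    $port       = $rdp.PortNumber   # 3389 unless it has been changed

    $actions = @()
    if ($affected) {
        $actions += 'Affected Windows version: test and apply the patch.'
    }
    if ($rdpEnabled -and -not $nlaOn) {
        $actions += 'Enable Network Level Authentication (NLA).'
    }
    if ($rdpEnabled) {
        $actions += "Block TCP port $port at the firewall, or disable " +
                    'Remote Desktop Services if they are not essential.'
    }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        OperatingSystem = $os.Caption
        AffectedVersion = $affected
        RdpEnabled      = $rdpEnabled
        NlaRequired     = $nlaOn
        RdpPort         = $port
        Actions         = $actions
    }
}

Get-RdpExposure | Format-List
```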
Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.