SpamTitan from TitanHQ has been named the leader in the Spring 2019 G2 Crowd Secure Email Gateway Performance Report.
Chicago, Illinois-based G2 Crowd was formed in 2012 to help businesses make the right software purchasing decisions. The company runs a peer-to-peer review platform that amalgamates software reviews to give business professionals an accurate picture of the usability of software solutions and how they match up to expectations.
Finding a software solution that ticks all the right boxes is one thing. Finding a solution that works in practice and is easy to use is another matter entirely. Many businesses only discover that a poor purchasing decision has been made after licenses have been purchased and a product has been implemented, by which time it is too late to change.
The G2 Crowd platform informs purchasing decisions and allows business professionals, investors, and buyers to make the right choice the first time. The platform incorporates more than 500,000 user reviews and attracts more than 1.5 million visitors a month.
In addition to the website, G2 Crowd compiles and publishes a series of Grid reports each quarter. The Grid reports are based on customer satisfaction and market presence and let businesses know the best software solutions to purchase.
In order to be included in the Spring 2019 G2 Crowd Secure Email Gateway Performance Report, secure email gateway solutions had to have the following capabilities:
- Ability to scan incoming messages for potentially malicious content
- Scan for malware, viruses and other malicious code and filter out those messages
- Allow whitelisting or blacklisting to control suspicious accounts
- Securely encrypt communications
- Incorporate email archiving functionality for compliance.
The secure email gateway solutions assessed for the report were offerings from TitanHQ, Cisco, McAfee, SolarWinds, Barracuda, Barracuda Essentials, Proofpoint, Symantec, MobileIron, Sophos, Security Gateway, and Mimecast.
Each solution was assessed and assigned a position in the G2 Crowd Grid. Niche solutions had a small market presence and low customer satisfaction level, Contenders had strong market presence but low customer satisfaction level. High Performers had low market presence but scored highly for customer satisfaction, and the Leaders quadrant contained products that scored highly for customer satisfaction with a strong market presence.
SpamTitan was the out and out leader, scoring highest for customer satisfaction across all categories under assessment: Quality of support, ease of use, meets requirements, and ease of administration. Scores in those categories ranged from 90% to 94%.
TitanHQ, the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid Spring 2019 Report for Email Security.
97% of users of SpamTitan gave the product a score of 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to other businesses.
TitanHQ’s web security gateway was also rated in the Spring 2019 G2 Crowd Secure Web Gateway Performance Report, and was named a Strong Contender, achieving a score of 94% compared to the average of 87%.
“Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success” said Ronan Kavanagh, CEO, TitanHQ.
TitanHQ has been developing cybersecurity solutions for SMBs, SMEs, and MSPs for more than 25 years. During that time, the threat landscape has changed dramatically, which has called for regular updates to its cybersecurity solutions to ensure they continue to protect against the latest threats.
In the past couple of years, the number of email attacks conducted on businesses has skyrocketed, and the methods used to spread malware and phish for sensitive information have become much more sophisticated.
TitanHQ regularly updates its cybersecurity solutions to respond to the changing tactics of cybercriminals. The latest update to SpamTitan adds two more powerful features that take protection against email threats to the next level: sandboxing and DMARC authentication.
The sandboxing feature serves as a secure container where suspicious email attachments can be analysed in detail to determine whether they perform any malicious actions. The Bitdefender-powered sandbox is used to execute suspicious files where they can cause no harm, and monitor for C2 calls, and suspicious and malicious actions.
This new feature helps to ensure that more genuine email messages and attachments are delivered, and zero-day malware threats are detected and eradicated from the email system.
DMARC authentication has also been incorporated, which provides greater protection against email impersonation attacks that spoof legitimate senders. It has become increasingly common for cybercriminals to spoof domains to make phishing emails appear genuine and bypass standard email filtering controls. By using DMARC to verify the sender's domain, detection of phishing and spear phishing emails has been greatly improved.
TitanHQ will be explaining these two new features, how they work, and their benefits for SMBs, SMEs, and MSPs that serve the SMB/SME market in an upcoming webinar.
If you are a current SpamTitan customer and would like to learn more about these new features, an MSP looking for a powerful email security solution to protect your clients, or you work at an SMB/SME and want to improve your email defenses, register for the webinar and find out more about the new and improved SpamTitan.
Date: Thursday, April 4, 2019
Time: 12pm, EST
The webinar will last 30 minutes, and advance registration is necessary.
CryptXXX has quickly become one of the main strains of ransomware, although until recently infection was only possible via malicious websites. Now I.T. experts Proofpoint have discovered CryptXXX ransomware emails: the group behind the attacks has created a new attack vector. CryptXXX ransomware emails include a Word document containing a malicious macro. If the macro is permitted to run, it loads a VB script into memory, which uses PowerShell to contact the attackers’ command and control server. Once a connection has been established, CryptXXX is installed on the victim’s computer. Authors have realized the benefits of an affiliate model for infecting machines, and a number of new players have now joined the ransomware market.
If a “ransomware kit” is supplied, individuals with little hacking expertise can carry out their own ransomware campaigns. The ransomware authors can charge a nominal amount for supplying the kit, and can also take a share on the back end. When an affiliate infects a computer and a ransom is paid, the authors receive a cut of the payment. This model works well and there is no shortage of hackers willing to try their hand at running ransomware campaigns. The CryptXXX ransomware emails are being distributed by an affiliate (ID U000022) according to Proofpoint.
Spotting CryptXXX Ransomware Emails
The CryptXXX ransomware emails are being transmitted with a subject line of “Security Breach – Security Report #Randomnumber.” The emails include only basic details about a supposed security breach that has happened. The security report is sent as an attached Word document. The body of the email includes the date, time of the attack, the provider, location, IP address, and port. The email recipient is told to open the file attachment to view details of the attack and find out about the actions that should be implemented.
The file attachment has a name such as “info12.doc” according to Proofpoint. If the attached Word file is opened, a Microsoft Office logo is displayed. The user is told that the document was created in a newer version of Microsoft Office and that its content will only be shown if macros are enabled. Enabling the macros leads to the VB script being loaded; the ransomware is then installed and the user’s files encrypted.
There is no remedy once files are encrypted. The victim must pay the ransom or lose their files. Once an infection has taken place, the only way to recover the files without paying the ransom is to restore them from backups.
CryptXXX Ransomware Still Being Sent by Neutrino
Since the demise of the Angler exploit kit, CryptXXX has been distributed via Neutrino. There was a dramatic drop in infections as activity temporarily stopped; however, Invincea recently reported a surge in activity via compromised company websites. The SoakSoak botnet is being used to scan the Internet for vulnerable websites. The websites being hit run the WordPress Revslider slideshow plugin. Scripts are appended to the slideshow that send visitors to a malicious site hosting the Neutrino exploit kit.
CryptXXX will only be installed if the endpoint lacks specific security tools that would detect an installation. If Wireshark, ESET, VMware, Fiddler, or a Flash debugging utility is present, the ransomware will not be installed.
TitanHQ is pleased to announce that the SpamTitan email security solution for SMBs and managed service providers (MSPs) has been updated and has two brand new features to improve detection rates of zero-day malware, advanced persistent threats (APTs), and sophisticated phishing attacks.
From today, users of SpamTitan and all new customers will benefit from DMARC email authentication for incoming messages and advanced protection from new malware threats with a new sandboxing feature. Both of these new features have already been rolled out and have been made available at no extra cost.
SpamTitan has already become the gold standard for email security for SMBs and MSPs serving the SMB market. With SpamTitan in place, all incoming messages are subjected to checks using award-winning anti-malware technologies. Static analysis and advanced behavior detection technologies ensure catch rates in excess of 99.9% and a low false positive rate of just 0.03%. The new sandboxing feature will improve catch rates and reduce false positives further.
When emails pass SpamTitan’s checks, files attached to the emails will be sent to the sandbox for in-depth analysis. The sandbox is a quarantine area from which there is no escape. When files are detonated in the sandbox, their actions can be studied without causing any harm.
All actions of the files are recorded, including attempts to evade detection. The Bitdefender-powered sandbox leverages purpose-built, advanced machine learning algorithms, conducts aggressive behavior analysis, and studies anti-evasion techniques. A memory snapshot comparison is also conducted to detect previously unknown threats.
The sandbox is used for testing application files, executable files, and documents for malicious actions. The results of the analysis are then checked against online repositories to identify potentially malicious actions. If the files are determined to be malicious, they are quarantined and the threat intelligence is passed to Bitdefender’s cloud threat intelligence service. All Bitdefender and SpamTitan users will then be automatically protected if that threat is encountered again.
The new sandboxing feature takes SpamTitan threat protection to the next level and provides superior protection against elusive threats in the pre-execution stage, including targeted attacks, obfuscated malware, custom malware, ransomware, and APTs.
DMARC is the gold standard for protecting against email impersonation attacks. These attacks impersonate known contacts, government agencies, and well-known brands, with email messages appearing to have been sent from their trusted domains. DMARC authentication allows these email impersonation attacks to be detected and blocked.
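The DMARC check described here and in the earlier paragraph on DMARC authentication can be illustrated with a small evaluator. The following is an added example, not SpamTitan code or anything from TitanHQ's product: it parses a DMARC TXT record, tests whether the domain that passed SPF or DKIM is aligned with the From: header domain (strict or relaxed alignment, per the `adkim`/`aspf` tags), and returns the disposition the published policy asks for. The records and message details are constructed, and the organisational-domain step uses a two-label approximation rather than the Public Suffix List, which a production receiver would use.

```python
"""Minimal DMARC evaluation for an inbound message (added example).

Given the From: header, the sender domain's DMARC record, and the domains
that passed SPF and/or DKIM, decide whether the message passes DMARC or
which policy action applies. Records and addresses below are constructed.
"""
from email.utils import parseaddr
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumed): the last two labels are the organisational
    # domain. Real receivers consult the Public Suffix List for this.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed)
    accepts any domain sharing the organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_header: str, record: str,
             spf_domain: Optional[str] = None,
             dkim_domain: Optional[str] = None) -> str:
    """Return 'pass' or the disposition requested by the policy.

    spf_domain:  MAIL FROM domain, only if SPF returned pass.
    dkim_domain: d= of a DKIM signature that verified, if any.
    """
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"
    policy = tags["p"].lower()
    # The subdomain policy (sp=) applies when From: is a subdomain of the
    # organisational domain and the record sets one.
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    return {"none": "deliver-and-report",
            "quarantine": "quarantine",
            "reject": "reject"}[policy]


if __name__ == "__main__":
    # Constructed spoof: From: claims bank.example, but only the attacker's
    # own domain passed SPF, so relaxed alignment fails and p=reject applies.
    print(evaluate("CEO <ceo@bank.example>", "v=DMARC1; p=reject",
                   spf_domain="attacker.example"))
```

The design point worth noticing is that DMARC never checks the From: address in isolation; it only asks whether an identifier that was cryptographically or path-wise authenticated (DKIM `d=` or SPF MAIL FROM) belongs to the same organisation as the displayed sender. A message whose MAIL FROM passes SPF for `attacker.example` is therefore still rejected when the From: header names `bank.example`.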
These two new features have been provided at no extra cost and are immediately available to current users of SpamTitan products to provide even greater protection against the most difficult to detect threats.
There are some very valid reasons why you should block access to file sharing websites. These websites are mainly used to share pirated software, music, films, and TV shows. It would be improbable that the owner of the copyright would take action against an employer for failing to stop the illegal sharing of copyrighted material, but this is an unnecessary legal danger.
However, the chief risk from using these websites comes in the form of malware. Research completed by IDC in 2013 indicated that out of 533 tests of websites and peer-to-peer file sharing networks, downloading pirated software led to spyware and tracking cookies being downloaded to users’ computers 78% of the time. More concerning is the fact that Trojans were downloaded with pirated software 36% of the time.
A survey carried out on IT managers and CIOs at the time showed that malware was downloaded 15% of the time with the software. IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.
Even browsing on torrent sites can be harmful. This week Malwarebytes said that visitors to The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site that had the Magnitude exploit kit which was used to install Cerber ransomware onto users’ devices.
A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 47 different anti-virus services. The research team found that 50% of pirated files were infected with malware.
Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.
Organizations can monitor devices and check for unauthorized software downloads on individual devices; however, by the time a software installation has been identified, malware is likely to already have been downloaded. A recent report by Verizon indicates that on average, hackers are able to extract data within 28 minutes of obtaining access to a system.
One of the simplest ways to manage risk is to block file sharing websites including P2P and torrent sites. A web filter can be easily set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being installed, including keygens and other executables.
By preventing access to file sharing websites organizations can ensure that copyright-violating activities are stopped and malware risk is effectively handled. Additionally, web filters can be used to block web-borne threats including phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.
Choosing not to block file sharing websites could turn out to be expensive for a company. It is far better to block potentially dangerous websites and online activities than to have to cover the cost of removing malware infections and managing data breaches.
The best security against malware, spam, hacker attacks, policy breaches and other email and web threats is a layered set of defenses in which software, services, hardware and policies are incorporated to safeguard data and other assets at the network, system and application tiers. However, an obvious – but often-disregarded – layer in this cake of protection is the common sense of your staff – one of the critical layers to stop threats from gaining a foothold. As the picture says ‘just because you can, doesn’t mean you should’, this is where common sense is important.
Spear phishing is an increasing issue in which a targeted false email that seems to be legitimate is sent to individuals or a company in order to obtain data. For instance, by looking at the Facebook page of someone with whom I am not connected, I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a cat named Lou, is a member of the Agent Leadership Council at a southern California realty organization, likes ice skating, resides in Thousand Oaks, speaks French, and took a vacation to Orlando on February 11th. If I were a hacker intent on sending her a spearphishing email – perhaps with the intent of infecting her PC with Zeus – I could use these details to craft an email that she would be likely to click on. For example, an email with the title “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or maybe even a LinkedIn invitation that includes personal details, would likely get her attention and increase the possibility of her becoming a victim of a spear phisher. This is not to say that this Facebook user lacks common sense, but the details she has posted could be used against her and her company and need to be looked at in that light.
Spam filtering technology is successful at preventing spam emails that include links to malware sources (albeit with some spam filters more effective than others). The RSA exploit in April 2011, in which some staff members received an email with an Excel attachment, was due to spearphishing emails that were effectively quarantined by spam filtering technology, but later opened by staff members from the quarantine. A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 workers, 11% of whom clicked on a malicious link. Many users are not adequately cautious when asked for information. For instance, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook hacking scam was doing the rounds asking respondents to create their royal wedding guest name. This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim lived when they were younger – all likely responses to security questions one might be asked when resetting a password.
TitanHQ kickstarted its 2019 MSP roadshow program on February 14 with events in London and Florida. The 2019 season will see the TitanHQ team attend 15 roadshows and conferences in Ireland, Canada, the Netherlands, the UK, and the USA and meet new and prospective MSP partners, Wi-Fi providers, and ISPs.
In the summer of 2018, TitanHQ formed a strategic alliance with Datto which saw WebTitan Cloud and WebTitan Cloud for WiFi web filtering solutions incorporated into the Datto networking range. TitanHQ has been working closely with Datto MSPs ever since and has been helping them add web filtering to their security stacks and start providing their clients with world-class web filtering services.
Following on from a highly successful series of Datto roadshows in 2017, the TitanHQ team is back on the road and will be attending 7 Datto roadshow events over the coming 5 months, finishing off at DattoCon in June. The campaign started today at the TitanHQ-sponsored Datto Roadshow in Tampa, Florida. TitanHQ Alliance Manager Patrick Regan attended the roadshow and has been meeting with MSPs to explain WebTitan Cloud, WebTitan Cloud for WiFi, SpamTitan, and ArcTitan, and how they can benefit MSPs and help them build a high-margin security practice.
For two years now, TitanHQ has been a member of the IT Nation community and has been helping MSPs get the most out of TitanHQ products to better serve the needs of their clients. It has been a great learning experience and a thoroughly enjoyable couple of years. The first of three IT Nation events took place today – the IT Nation Q1 EMEA Meeting in London. The event was attended by TitanHQ Alliance Manager Eddie Monaghan, who will be helping MSPs discover TitanHQ email security, DNS filtering, and email archiving solutions all week.
TitanHQ Alliance Manager, Eddie Monaghan.
If you were unable to attend either of these events, there are plenty more opportunities to meet with TitanHQ over the coming months. The full schedule of events that will be attended by members of the TitanHQ team is detailed below. We look forward to meeting you at one of the upcoming roadshow events in 2019.
TitanHQ 2019 MSP Roadshow Dates
| Date | Event | Location |
|---|---|---|
| February 14, 2019 | IT Nation (HTG) Q1 EMEA Meeting | |
| February 14, 2019 | | Tampa, FL, USA |
| March 5, 2019 | CompTIA UK Channel Community | |
| March 7, 2019 | Datto Roadshow EMEA | |
| March 11, 2019 | CompTIA Community Forum | Chicago, IL, USA |
| March 12, 2019 | Datto Roadshow NA | Norwalk, CT, USA |
| March 19, 2019 | Datto Roadshow EMEA | |
| March 26, 2019 | Datto Roadshow EMEA | |
| March 26, 2019 | Datto Roadshow NA | |
| April 25, 2019 | | Long Island, NY, USA |
| April 29, 2019 | IT Nation Evolve (HTG 2) | Dallas, TX, USA |
| May 6, 2019 | Connect IT Global (Kaseya Connect) | Las Vegas, NV, USA |
| May 13, 2019 | IT Nation (HTG) Q1 EMEA Meeting | |
| May 14, 2019 | | Washington DC, USA |
| June 17, 2019 | | San Diego, CA, USA |
The malware known as ‘Ovidiy Stealer’ is password stealing software that will capture login details and send the information to the hacker’s C2 server. As with most other password stealers, information is captured as it is entered into websites such as banking portals, web-based email accounts, social media accounts and other online services.
However, even if a device is infected, the Ovidiy Stealer will not capture information entered via Internet Explorer or Safari. The malware is also not persistent and if the computer is rebooted the malware will stop trying to complete its task.
Sadly, if you use Chrome or Opera, your confidential personal data is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, as the malware is being regularly updated, it is likely support for other browsers will be added soon.
Ovidiy Stealer is a new malware, first identified only a month ago. It is chiefly being implemented in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will soon be seen in other regions.
Proofpoint researchers, who first detected the password stealing malware, are of the opinion that email is the primary attack vector, with the malware packaged in an executable file shared as an attachment. Proofpoint also believes that, in addition to email attachments, links to download pages are being used. Samples have been seen bundled with LiteBitcoin installers, and the malware is also being distributed through file-sharing websites, in particular via keygen software cracking programs.
New password stealers are regularly being released, but what makes the Ovidiy Stealer different, and particularly dangerous, is that it is being made available online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery using a spam email campaign. Due to the low cost there are likely to be many malicious actors carrying out campaigns to spread the malware, hence the range of attack vectors.
Would-be hackers willing to part with $13 are able to see the number of infections using a web control panel complete with login. Using the control panel they can manage their account, view the number of infections, build more stubs and review the logs generated by the malware.
Safeguarding against malware such as Ovidiy Stealer demands caution, as it takes time before new malware is detected by AV solutions. Some AV solutions are already identifying the malware, but not all of them. As ever, when receiving an email from an unknown sender, do not open attachments or visit hyperlinks.
Sextortion scams have been on the rise in the last six months. These scams normally threaten to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made.
A number of the recent sextortion scams have boosted their credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered that are using a different tactic to get users to pay up. The email template seen in this scam is similar to other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured using the victim’s webcam and has been spliced with screenshots of the content that was being looked at.
In the new campaign the email includes the user’s email account in the text of the email, a password (probably an old password compromised in a previous breach), and a hyperlink that the victim is asked to click to download the video that has been created and see exactly what will soon be shared via email and social media networks.
Clicking the link in the email leads to the download of a zip file. The compressed file includes a document containing the text of the email and the supposed video file. That video file is really an information stealer: the Azorult Trojan.
This type of scam is even more likely to be successful than past campaigns. Many people who receive a sextortion scam email will see it as fake. However, the inclusion of a link to download a video may lead many people to download the file to see if the threat is real.
If the zip file is downloaded and the Azorult Trojan executed, it will silently gather data from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.
The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once data has been gathered, the user will have their personal files encrypted: documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will only be possible if these files have been backed up and the backups were not also encrypted by the ransomware. Apart from permanent file loss, the only other option will be to pay a sizeable ransom for the key to decrypt the files.
If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will also be encrypted. As a record of the initial email will remain on the device, the reason the malware was downloaded will be clear to the IT department.
The key to not being tricked is to disregard any threats sent using email and never click links in the emails or click on email attachments.
Web filtering for schools has been a requirement in order to qualify for E-Rate discounts on telecommunications and Internet services since the Children’s Internet Protection Act (CIPA) was passed in 2000.
Following this, many states have also passed their own legislation making it a requirement for schools to filter the Internet to ensure children are safeguarded from harmful website content. So far, 24 states have developed legislation to stop children from accessing harmful images including pornography in schools and libraries.
Even in those states where web filtering for schools is not obligatory, lobby groups and parents’ associations have asked for more stringent controls in relation to the content that can be accessed on school computers and through school networks. Web filtering for schools is now a requirement rather than an option.
While the chief purpose of web filtering for schools is to prevent access to obscene or harmful website content, many schools have opted to put in place a content filtering solution as a cybersecurity measure. Web filters are used to stop malware downloads and block phishing attacks.
Previously, web filtering required a physical appliance to be placed on a firewall. Appliance based web filters have a number of weaknesses. Appliances are not cheap and need to be updated and maintained by IT support staff. They also restrict the number of users that can access the Internet. When capacity needs to be strengthened, new hardware needs to be bought.
Now a rising number of schools are choosing a lower cost solution. Cloud based web filtering for schools does not necessitate the purchase of any additional hardware, saving schools thousands of dollars in equipment investment. There is also no obligation for IT teams to be on site. When using a cloud-based solution, everything is cloud based and no software installations are required. Due to this the entire system can be managed remotely. To get started, all that is needed is a simple change to the DNS settings to point them at the solution provider’s servers. That process usually takes only a very short time.
When browsing online you have to contend with a wide range of threats, some of which could lead to your bank account being emptied or sensitive information being exposed and your accounts being compromised. Then there is ransomware, which could be used to prevent you from accessing your files should you not have backups or opt not to pay the ransom.
The majority of websites now being created are malicious websites, so how can you stay safe online? One solution deployed by businesses and ISPs is the use of a web filter. A web filter can be set up to restrict access to certain categories of Internet content and block most malicious websites.
While it is possible for companies or ISPs to purchase appliances that are located between end users and the Internet, DNS filters allow the Internet to be filtered without having to buy any hardware or install any software. So how is DNS filtering operated?
How is DNS Filtering Operated?
DNS filtering – or Domain Name System filtering to give it its full name – is a technique for preventing access to certain websites, webpages, or IP addresses. DNS is what permits easy to remember domain names to be used – such as Wikipedia.com – rather than typing in IP addresses – such as 126.96.36.199. DNS maps IP addresses to domain names.
When a domain is bought from a domain registrar and that domain is hosted, it is given a unique IP address that allows the site to be found. When you try to access a website, a DNS query is carried out. Your DNS server looks up the IP address of the domain/webpage, which permits a connection to be made between the browser and the server where the website is hosted. The webpage is then opened.
So how does DNS filtering operate? With DNS filtering set up, rather than the DNS server simply returning the IP address of the requested website, the request is first subjected to certain security checks. If a particular webpage or IP address is recognized as malicious, the request to access the site is denied. Instead of connecting to the website, the user is sent to a local IP address that displays a block page explaining that the site cannot be opened.
This control can be implemented at the router level, via your ISP, or through a third party – a web filtering service provider. In the case of the latter, the user – a business for example – points their DNS to the service provider. That service provider keeps a blacklist of malicious webpages/IP addresses, and if a requested site is on that blacklist, access to it is prevented.
Since the service provider also categorizes webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for example. Provided a business defines an acceptable usage policy (AUP) and configures that policy with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there is next to no delay in reaching safe websites that do not breach an organization’s acceptable Internet usage policies.
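The mechanism just described, a resolver that answers with a local block-page address instead of the real address when a name is on a threat blocklist or in a category the acceptable usage policy forbids, can be shown with a toy filtering resolver. This is an added example, not WebTitan or any provider's code: the "upstream" answers, the malicious-domain list, the category feed, the AUP categories and the block-page address are all constructed for illustration. It also covers the parent-domain case the text does not spell out, so that a subdomain of a listed domain is blocked too.

```python
"""Toy DNS filtering resolver (added example, constructed data).

resolve() mimics what a DNS filtering service does: before returning an
address it checks the queried name, and each of its parent domains, against
a threat blocklist and against categories forbidden by the customer's AUP.
A hit returns the local block-page address instead of the real one.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

BLOCK_PAGE_IP = "10.0.0.250"   # assumed local host serving the "site blocked" page

# Constructed stand-in for upstream recursive resolution.
UPSTREAM: Dict[str, str] = {
    "wikipedia.org": "203.0.113.10",
    "bank.example": "203.0.113.20",
    "login.bank-example.zip": "198.51.100.5",
    "torrents.example": "198.51.100.6",
    "proxy-anon.example": "198.51.100.7",
    "news.example": "203.0.113.30",
}

# Constructed threat-intel blocklist (known malicious domains).
MALICIOUS = {"login.bank-example.zip"}

# Constructed category feed, as a filtering provider would maintain it.
CATEGORIES = {
    "torrents.example": "file-sharing",
    "proxy-anon.example": "anonymizer",
    "news.example": "news",
}

# The customer's acceptable usage policy: categories that must be unreachable.
AUP_BLOCKED = {"file-sharing", "anonymizer", "gambling"}


@dataclass(frozen=True)
class Answer:
    name: str
    ip: Optional[str]
    blocked: bool
    reason: str


def _normalize(query: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return query.strip().rstrip(".").lower()


def _candidates(name: str) -> Iterator[str]:
    """Yield the name and each parent domain (but not the bare TLD), so that
    www.torrents.example is matched by an entry for torrents.example."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def resolve(query: str, upstream: Dict[str, str] = UPSTREAM) -> Answer:
    name = _normalize(query)
    for cand in _candidates(name):
        if cand in MALICIOUS:
            return Answer(name, BLOCK_PAGE_IP, True, f"malicious:{cand}")
        category = CATEGORIES.get(cand)
        if category in AUP_BLOCKED:
            return Answer(name, BLOCK_PAGE_IP, True, f"category:{category}")
    ip = upstream.get(name)
    if ip is None:
        return Answer(name, None, False, "nxdomain")
    return Answer(name, ip, False, "allowed")


if __name__ == "__main__":
    for q in ("WIKIPEDIA.ORG.", "login.bank-example.zip",
              "www.torrents.example", "proxy-anon.example", "news.example"):
        a = resolve(q)
        print(f"{q:28} -> {a.ip!s:14} blocked={a.blocked} ({a.reason})")
```

Two details matter in practice and are reflected above: the lookup walks up the label hierarchy, because attackers host content on throwaway subdomains of a listed domain, and the anonymizer category is blocked alongside the threat list, because an open proxy is the simplest way around a DNS filter. The blocklist lag the next section mentions is visible too: a brand-new phishing domain not yet in `MALICIOUS` resolves normally until the feed catches up.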
Can a DNS Filter Prevent Access to All Malicious Websites?
Sadly, no DNS filtering solution will stop access to all malicious websites, as in order for this to be accomplished, a webpage must first be identified as malicious. If a cybercriminal creates a brand-new phishing webpage, there will be a delay between the page being set up and it being reviewed and added to a blocklist. However, a DNS web filter will prevent access to the majority of malicious websites.
Can DNS Filtering be Avoided?
Proxy servers and anonymizer sites could be deployed to mask traffic and bypass the DNS filter unless the chosen solution also prevents access to these anonymizer sites. An end user could also manually amend their DNS settings locally unless they have been locked down. Determined persons may be able to find a way to bypass DNS filtering, but for the majority of end users, a DNS filter will block any effort to access forbidden or harmful website material.
No single cybersecurity solution will let you block 100% of malicious websites, but DNS filtering should definitely form part of your cybersecurity operations as it will allow most malicious sites and malware to be blocked.
When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company quite a bit.
A data breach of the scale of that which impacted Home Depot in 2014 will cost hundreds of millions of dollars to address. The Home Depot data breach was huge. It was the largest retail data breach involving a point of sale system that has been seen so far. Malware had been downloaded that allowed cyber criminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.
The attack was completed using stolen credentials from one of the retailer’s vendors. Those credentials were used to obtain access to the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was obtained, malware was downloaded to record credit card details. The malware infection went unnoticed for five months between April and September 2014.
Last year, Home Depot agreed to pay out $19.5 million to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of losses compensated.
The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger. It is already getting closer to the $200 million mark.
Then there is the reputational damage due to the breach. Following any data breach, customers often take their business to a different company. Many consumers impacted by the breach have chosen to shop elsewhere. A number of studies have been carried out on the fallout from a data breach. One HyTrust study states that companies may lose 51% of customers following a breach of sensitive data.
The next step in the evolution from hardware-based and software-based solutions for filtering Internet content is cloud-based web filtering software. Similar to the majority of cloud-based technologies, cloud-based web filtering software is convenient, trustworthy and scalable. It does not have the high costs of hardware-based solutions nor the high maintenance overheads of software-based programmes; and, although all three solutions pretty much operate the same way, cloud-based web filtering software has its benefits.
Cloud-Based Web Filtering Software
Cloud-based web filtering software is operated from the cloud rather than physically attached to – or downloaded to – your network. In order to log on to the service, you simply need to redirect your DNS server settings to point to our servers. The cloud-based software then implements itself automatically, and you can either begin filtering the Internet using the software´s default settings, or set up and apply your own user policies via the web-based management portal.
As with most solutions for filtering Internet content, cloud-based web filtering software deploys a three-tier mechanism to enhance defenses against online threats, improve productivity and stop users accessing inappropriate material:
- The first line of defense is SURBL and URIBL filters. These look at each request to visit a web page against lists of IP addresses known to lead to malware downloads, phishing attacks and spam emails. When a match is identified, the request to visit the web page is not allowed. The lists of IP addresses are automatically updated as new threats are spotted.
- Behind the “blacklists”, category filters can be used to stop users looking at websites in certain categories. Administrators may want to stop users visiting websites known to have a high likelihood of harboring malware (pharmaceutical and travel websites), those likely to affect productivity (gaming and social networking) or those including inappropriate material.
- Keyword filters can be employed to fine-tune the category filters and stop users looking at websites containing exact word matches, specific apps or specific file extensions. This fine-tuning mechanism adds granularity to the Internet filtering process, so that filtering can be set up without obstructing workflows.
Category filters and keyword filters can be switched on by individual users, user-group or company-wide according to your existing user policies. Most products for filtering Internet content can be integrated with management tools such as Active Directory in order to speed up the process of applying roles. Thereafter, administrators can review web activity in real-time via the management portal, or schedule customized reports by user, user-group, organization-wide, bandwidth usage, category or time.
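The DNS filtering flow described earlier and the three-tier mechanism just listed, as an added example that is not TitanHQ's or any product's code: a toy filtering resolver that checks a request against a domain/IP blocklist, then the policy's blocked categories, then keywords, and returns a local block-page address instead of the real one when the request is denied. The block-page address, upstream answers, blocklists and category database are all constructed; at the DNS layer only the queried name is visible, so the keyword tier here matches on the hostname rather than page content.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set

BLOCK_PAGE_IP = "10.0.0.53"  # assumed: local address that serves the "site blocked" page

# Stand-in for the upstream resolver's answers (constructed data).
UPSTREAM: Dict[str, str] = {
    "wikipedia.com": "126.96.36.199",     # address quoted in the text above
    "news.example": "203.0.113.10",
    "bad.example": "198.51.100.7",
    "new-phish.example": "198.51.100.7",  # new name pointing at an already-known bad address
    "casino.example": "203.0.113.44",
    "proxy.example": "203.0.113.99",
}

# Tier 1: blocklists of domains and IP addresses (stand-in for SURBL/URIBL feeds).
BLOCKLIST_DOMAINS: Set[str] = {"bad.example"}
BLOCKLIST_IPS: Set[str] = {"198.51.100.7"}

# Tier 2: the service provider's category database (constructed).
CATEGORIES: Dict[str, str] = {
    "casino.example": "gambling",
    "proxy.example": "anonymizer",
    "news.example": "news",
    "wikipedia.com": "reference",
}


@dataclass
class Policy:
    """Acceptable-usage policy applied to one user, user group or the whole company."""
    blocked_categories: Set[str] = field(default_factory=set)
    blocked_keywords: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    answer: str            # IP address handed back to the client, or "NXDOMAIN"
    blocked: bool
    reason: Optional[str] = None


def _parent_domains(name: str) -> Iterator[str]:
    """Yield the name and each parent domain, so a blocked domain also covers its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(max(1, len(labels) - 1)):
        yield ".".join(labels[i:])


def resolve(name: str, policy: Policy) -> Verdict:
    """Answer a DNS query the way a filtering resolver would, tier by tier."""
    # Tier 1: known-malicious domains are denied before any lookup is made.
    for d in _parent_domains(name):
        if d in BLOCKLIST_DOMAINS:
            return Verdict(BLOCK_PAGE_IP, True, f"blocklisted domain {d}")
    # Tier 2: category filters taken from the acceptable-usage policy.
    for d in _parent_domains(name):
        category = CATEGORIES.get(d)
        if category in policy.blocked_categories:
            return Verdict(BLOCK_PAGE_IP, True, f"blocked category {category}")
    # Tier 3: keyword filters fine-tune the categories (hostname only at this layer).
    for keyword in sorted(policy.blocked_keywords):
        if keyword.lower() in name.lower():
            return Verdict(BLOCK_PAGE_IP, True, f"blocked keyword {keyword}")
    # Nothing matched: resolve normally, but still check the answer against the IP blocklist
    # so a brand-new domain parked on a known-bad address is also denied.
    for d in _parent_domains(name):
        if d in UPSTREAM:
            ip = UPSTREAM[d]
            if ip in BLOCKLIST_IPS:
                return Verdict(BLOCK_PAGE_IP, True, f"blocklisted address {ip}")
            return Verdict(ip, False)
    return Verdict("NXDOMAIN", False)


if __name__ == "__main__":
    office_policy = Policy(blocked_categories={"gambling", "anonymizer"}, blocked_keywords={"poker"})
    for query in ("wikipedia.com", "www.bad.example", "new-phish.example", "casino.example", "proxy.example"):
        print(query, resolve(query, office_policy))
```

Blocking the "anonymizer" category is what stops the proxy-based bypass mentioned later on this page; a user who edits their local DNS settings still sidesteps all of it, which is why those settings need to be locked down.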
Improve Network Performance with Cloud-Based Web Filtering Software
One unexpected benefit of cloud-based web filtering software is how it enhances network performance – or, strictly speaking, how it removes the workload put on servers by other solutions for filtering Internet content. This is due to the way in which encrypted web pages are reviewed by cloud-based web filtering software to deduce the nature of their content.
Most software for filtering Internet content uses a process called SSL inspection to decrypt, review, and re-encrypt the content of “secure” web pages. SSL inspection is now an obligatory part of Internet filtering because hackers have been able to obtain fake SSL certificates, and their malware payloads would avoid detection if it were not for SSL inspection.
Hardware and software solutions for filtering Internet content put a heavy workload on servers because there is such a high volume of encrypted web pages that need inspecting. Since Google revealed it would enhance the rankings of encrypted websites in search engine results pages, more than 50% of the most-visited web pages in the world are encrypted.
The decryption, inspection and re-encryption of half the world´s most-visited Internet pages places an incredible strain on servers. Often it will lead to delays in some web-based activities – email, for instance – or users will find Internet access is temporarily unavailable. Although cloud-based web filtering software also uses SSL inspection to figure out the content of encrypted web pages, the process is carried out in the cloud – eliminating the workload on network servers and allowing an Internet service with excellent latency.
Home purchasers and real estate agents in the United Kingdom and Ireland are being targeted by cybercriminals using a new solicitor email campaign. The scam, which involves impersonating a solicitor, is costing victims thousands. Additionally, there have been cases where cybercriminals contact solicitors by email claiming to be their clients and asking for changes to their bank details. Any pending transfers are then sent to the criminals’ accounts.
As funds for home purchases are sent to solicitors’ accounts before being shared with the sellers, if cybercriminals can amend the bank details for the transfers, the funds for the purchase will be paid straight into their bank accounts.
While email spoofing is not unusual, this solicitor email scam often includes the hacking of solicitors’ email accounts. Once access has been obtained, cybercriminals search for emails shared from buyers and sellers of homes to identify possible targets. While the hacking of email accounts is taking place, there have also been instances where emails between buyers, sellers and their solicitors have been captured. When bank details for a transfer are sent, the hackers amend the bank information in the email to their own and then send the email on.
The solicitor email scam is sophisticated and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be completed. Since the possible rewards are considerable, cybercriminals are willing to invest the time and effort into the scam and be patient. Buyers, vendors and solicitors are well researched and the emails appear authentic.
This conveyancing scam has been on the rise in recent months and it has now become the most common cybercrime impacting the legal sector. The Law Society, a representative organization for solicitors in the UK, has issued a warning about the conveyancing scam due to a rising number of complaints, although it is currently unclear how many fraudulent transfers have been completed.
The simple way to prevent such a scam from being successful is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details. Additionally, policies can be developed requiring bank account information to only be sent via postal mail.
The Solicitors Regulation Authority has issued guidance that advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be simple, but with such large sums being transferred it pays to use an abundance of caution.
While this solicitor email scam has been seen in many places across the UK and Ireland, legal firms in the United States should also use caution.
Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought for almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and, as scammers’ Bitcoin wallets show, they are successful.
Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have increased credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransom.
The email template used in this scam is very like those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.
In the new campaign the email includes the user’s email account in the copy of the email, a password (most likely an old password accessed in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see what will soon be distributed via email and social media networks.
Visiting the link in the email triggers the download of a zip file. The compressed file includes a document containing the text of the email along with the supposed video file. That video file is really an information stealer – the Azorult Trojan.
This sort of scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will know what it is: a mass email containing an empty threat. However, the inclusion of a link to download a video could lead many individuals to download the file to find out whether the threat is authentic.
If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.
However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the hacked files.
If the email was sent to a company email account, or to a personal email account that was logged onto at work, files on the victim’s work computer will be encrypted. Since a copy of the original email will be found on the device, the reason why the malware was downloaded will be clear to the IT department.
The key to not being tricked is to ignore any threats sent using the email and never click links in the emails nor open unexpected email attachments.
Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being delivered to inboxes, while the latter blocks access to sites that host malware.
The final weekend of 2018 has seen a significant newspaper cyberattack in the United States that has disrupted production of several newspapers published by Tribune Publishing.
The attacks were malware-related and impacted the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major issues throughout Friday.
All of the impacted newspapers shared the same production platform, which was disrupted by the malware infection. While the sort of malware used in the attack has not been publicly revealed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.
Ransomware is a sort of malware that encrypts critical files stopping them from being accessed. The main goal of hackers is normally to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also typical for ransomware to be deployed after network access has been obtained and sensitive information has been stolen, either to mask a data breach or in an effort to make an attack even more profitable. It is also not unknown for ransomware attacks to be carried out to cause disruption. It is suspected that this newspaper cyberattack was conducted chiefly to disable infrastructure.
The sort of ransomware used in an attack is normally easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are amended to .ryk.
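A defender can turn the extension-renaming behaviour described above into a file-server detection. The following is an added example, not code from the original article: it scans file create/rename events for a burst of files acquiring an unexpected extension and maps .ryk to Ryuk as stated in the text; the event list, the expected-extension allow-list and the thresholds are constructed.

```python
import os
from collections import defaultdict

# Extension -> family, taken from the text above; extend from your own threat intel.
KNOWN_RANSOMWARE_EXTENSIONS = {".ryk": "Ryuk"}

# Extensions that legitimately appear in bulk on a file share (constructed allow-list).
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".log"}


def detect_encryption_burst(events, window=60, threshold=10):
    """
    events: iterable of (timestamp_seconds, path) for file create/rename
    operations, in any order.  Returns one alert per suspicious extension:
    {'extension', 'family', 'count', 'peak_in_window'}.

    An alert fires when the extension is a known ransomware marker (any count),
    or when at least `threshold` files with an unexpected extension appear
    within `window` seconds (a possible new or unknown family).
    """
    stamps_by_ext = defaultdict(list)
    for ts, path in events:
        ext = os.path.splitext(path)[1].lower()
        if not ext or ext in EXPECTED_EXTENSIONS:
            continue
        stamps_by_ext[ext].append(ts)

    alerts = []
    for ext, stamps in stamps_by_ext.items():
        stamps.sort()
        # Sliding window: largest number of events that fall within `window` seconds.
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        family = KNOWN_RANSOMWARE_EXTENSIONS.get(ext)
        if family or peak >= threshold:
            alerts.append({"extension": ext, "family": family or "unknown",
                           "count": len(stamps), "peak_in_window": peak})
    return alerts


# Constructed events: a normal morning of document edits and two backup files
# hours apart, then 15 spreadsheets renamed to .ryk within 30 seconds.
SAMPLE_EVENTS = (
    [(1000 + 120 * i, f"/srv/share/reports/q{i}.docx") for i in range(5)]
    + [(2000, "/srv/share/db/nightly.bak"), (9200, "/srv/share/db/nightly2.bak")]
    + [(5000 + 2 * i, f"/srv/share/finance/ledger{i}.xlsx.ryk") for i in range(15)]
)

if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_EVENTS):
        print(alert)
```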
The Los Angeles Times has attributed the attack to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was carried out to disable infrastructure, it is probable that this was a nation-state sponsored attack.
The initial Ryuk ransomware cyberattacks happened in August. Three U.S. companies were hacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware showed it shared code with Hermes malware, which had previously been connected to the Lazarus Group – An APT group with links to North Korea.
While many ransomware campaigns use mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more focused and involved considerable reconnaissance and extensive network mapping before the ransomware was finally deployed. As is the case with SamSam ransomware attacks, the campaign is run manually.
Several tactics are used to obtain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services stating that email is one of the main attack vectors, highlighting the importance of email security and end user training to help staff recognize email-based threats.
Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.
2018 has seen a surge in business email compromise (BEC) style tactics, with emails seeming to have been sent from within a company. The emails purport to have been sent from the CEO (or another executive) asking accounts and administration staff to purchase gift cards for clients, or requesting that gift cards be purchased for use as charitable donations.
To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.
Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.
2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had witnessed a gift card-themed attack: Up from 11% in Q2, 2018.
Many businesses have Office 365 installed, but even Microsoft’s anti-phishing security has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing security measures, emails still make it past Microsoft’s filters.
To obstruct these malicious messages, an advanced third-party spam filter is necessary.
Adobe has released an unscheduled update to correct vulnerabilities in Adobe Flash Player, including a zero-day flaw that is currently being targeted in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare center that supplies medical and cosmetic surgery services to high level civil servants of the Russian Federation.
The zero-day flaw is a use-after-free weakness – CVE-2018-15982 – which enables arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object runs malicious code on a victim’s computer, which gives command line access to the system.
The vulnerability was noticed by security researchers at Gigamon ATR who reported the vulnerability to Adobe on November 29. Researchers at Qihoo 360 discovered a spear phishing campaign that is being used to send a malicious document and linked files that exploit the weakness. The document used in the campaign was a forged staff questionnaire.
The emails included a .rar compressed file attachment which contained a Word document, the exploit, and the payload. If the .rar file is unpacked and the document viewed, the user is shown a warning that the document may damage the computer. If the content is activated, a malicious command is run which extracts and launches the payload – a Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe acts as a backdoor into the system. The malicious payload gathers system data which is sent back to the hackers via HTTP POST. The payload also downloads and runs shellcode on the infected device.
Qihoo 360 researchers have labelled the campaign Operation Poison Needles due to the identified target being a healthcare center. While the attack seems to be politically motivated and highly targeted, now that details of the vulnerability have been made public it is likely that other threat groups will use exploits for the vulnerability in more and more attacks.
It is therefore vital for companies that have Flash Player installed on some of their devices to update to the most recent version of the software as soon as they can. That said, removing Flash Player, if it is not required, is a better option given the number of vulnerabilities that are identified in the software each month.
The vulnerability affects Flash Player 188.8.131.52 and all previous versions. Adobe has addressed the flaw together with a DLL hijacking vulnerability in version 184.108.40.206.
Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, it is a requirement in business to have an email archiving solution in order to ensure that emails are not lost, emails can be retrieved on demand and storage space is kept to a minimum. Although native Microsoft Exchange Email Archiving is already available, most businesses will find the archiving options are not up to standard. The only alternative is to adopt a third-party email archiving solution. This will provide all the features required by businesses, as well as improve efficiency and save on cost. In order to improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: A secure, fast, cloud-based email archiving solution.
What Email Archiving is and its Importance
Businesses have been required by federal, state, and industry regulations to retain emails for many years. Often a considerable amount of storage space is taken up through storing emails, especially when you consider the number of emails that are typically sent and received by employees daily. Although it suffices for businesses to store emails in backups to meet legal requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly. This is simply not possible with backups, they are not searchable. The solution to this problem is an email archive. In comparison to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.
Email Archiving Necessary for eDiscovery and GDPR Compliance
An email archiving solution for eDiscovery is essential. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for the failure to produce emails. An example of this can be seen in the Zubulake v. UBS Warburg case, where the plaintiff was awarded $29 million as a result of the failure to produce emails.
In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required on request to produce (and delete) every element of an individual’s personal data, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is more substantial.
Native Microsoft Exchange Email Archiving Drawbacks
Native Microsoft Exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.
When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive and they can’t delete emails unless a legal hold is activated. For admins, retrieving emails can be complicated and extremely time consuming.
With native Microsoft Exchange email archiving, functions fail to meet the needs of a lot of businesses particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain with most product versions and archiving can be complex with certain email architectures.
Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.
There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.
Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. However, despite the improvements that have been made by Microsoft, a third-party solution for email archiving on Microsoft Exchange is still required.
A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.
ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving
ArcTitan has been specifically developed for email archiving making it more specialised than competitors. ArcTitan has been designed to meet all the archiving needs of businesses and allow managed service providers to offer email archiving to their clients.
The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses to meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail. This allows businesses to have near instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.
ArcTitan requires no hardware or software, is quick and easy to install, and slots in to the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.
Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% storage space. Costs are also kept to a minimum with a flexible pay as you go pricing policy, with subscriptions paid per live user.
- Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
- A full data retention and eDiscovery policy
- HIPAA, SOX (and more) standard compliance and audited access trail
- SuperFast Search™ – email is compressed, zipped, uses message de-duplication and attachment de-duplication ensuring the fast search and retrieval
- Web console access with multi-tiered and granular access options – You decide user access permissions
- No hardware / software installation required
- Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
- Secure transfer from your email server
- Encrypted storage on AWS cloud
- Instantly searchable via your browser – You can find archived emails in seconds
- Maintains a complete audit trail
- Optional Active Directory integration for seamless Microsoft Windows authentication
- Optional Outlook email client plugin
If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.
A California wildfire scam is underway that asks for donations to help those impacted by the recent wildfires. The emails seem to come from the CEO of a company and are aimed at its staff members in the accounts and finance sections.
It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Scammers often move swiftly following natural disasters to pull on the emotions and defraud businesses. Similar scams were carried out in the wake of the recent hurricanes that hit the United States and caused widespread harm.
The California wildfire scam, discovered by Agari, is a business email compromise (BEC) attack. The emails seem to have been sent by the CEO of a company, with his/her email address used to transmit messages to company staff. This is often accomplished by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to broadcast the messages.
The California wildfire scam includes one major red flag. Rather than ask for a monetary donation, the scammers request money in the form of Google Play gift cards. The messages ask for the redemption codes to be sent back to the CEO by reply.
The emails are sent to staff members in the accounts and finance departments and the emails ask that the money be donated in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.
The reason Google Play gift cards are asked for is that they can easily be exchanged on darknet forums for other currencies. The gift cards are almost impossible to trace back to the hacker.
The messages include lots of grammatical errors and incorrect spellings, which is another indication that the messages are not authentic. However, scams like this are sent because they are successful. Many people have been tricked by similar scams previously.
Safeguarding against scams like this requires a combination of technical controls, end user training and company policies. An advanced spam filtering solution should be put in place – SpamTitan for instance – to stop messages such as these from arriving in inboxes. SpamTitan checks all incoming emails for spam signatures and uses complex techniques such as heuristics, machine learning and Bayesian analysis to spot advanced and never-before-seen phishing campaigns.
End user training is vital for all staff, especially those with access to corporate bank accounts. Those workers are usually targeted by scammers. Policies should be put in place that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are given approval.
A combination of these tactics will help to secure businesses from BEC attacks and other email scams.
One of the ways that threat actors download malware is using malvertising. Malvertising is the positioning of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example and those responsible for the campaign have been particularly active recently.
The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that operates when a visitor arrives on a web page. The visitor’s computer is explored to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.
In the case of the Fallout exploit kit, users’ devices are explored for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being shared via Fallout, including data stealers, banking Trojans, and ransomware.
According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: One is being used to broadcast the DanaBot banking Trojan and the other is sending two malware payloads – The Nocturnal data stealer and GlobeImposter ransomware via the Fallout exploit kit.
Exploit kits can only deliver malware to unpatched devices, so businesses will only be under threat from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches, and exploits for new vulnerabilities are frequently added to EKs such as Fallout. Due to this, a security solution is needed to obstruct this attack vector.
The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites sold by low quality ad networks – those often utilized by owners of online gaming websites, adult sites, and other types of websites that should not be visited by employees. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites along with legitimate ads. The use of a web filter is advisable to mitigate this threat.
There has been a rise in malspam campaigns spreading Emotet malware recently, with many new campaigns initiated that spoof financial institutions, in keeping with the usual operating methods of the threat group responsible for the campaigns.
The Emotet malware campaigns use Word documents which contain malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either shared as email attachments or the spam emails include hyperlinks which bring users to a website from which the Word document is downloaded.
Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.
According to Cofense, the campaign delivers Emotet malware, and Emotet in turn installs a secondary payload. In previous campaigns, Emotet has been paired with ransomware: first Emotet steals details, then the ransomware is used to extort money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.
Another campaign has been discovered that uses Thanksgiving themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages say that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.
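To illustrate the attachment checks a mail gateway or analyst would apply to lures like these, here is an added Python example (not code from the original post or from TitanHQ) that tells a genuine Word container from an XML file carrying a Word extension, and looks for a VBA project inside OOXML documents. The sample attachments and their filenames are constructed for the example; legacy OLE .doc files are only identified, not inspected for macros.

```python
"""Triage a Word-lure attachment: is it really a Word file, and does it carry VBA?

Added example, not code from the original post. Three containers are told
apart by their leading bytes: the legacy OLE2 .doc format, the zip-based OOXML
format (.docx/.docm, where a VBA project lives in word/vbaProject.bin), and a
plain XML file passed off under a Word extension. All samples and filenames
below are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm container
WORD_EXTENSIONS = ("doc", "docx", "docm")


def classify_attachment(name: str, data: bytes) -> dict:
    """Return the claimed and detected type plus triage flags for one attachment."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected, has_macros = "unknown", None

    if data.startswith(OLE_MAGIC):
        # Legacy .doc: macro storage sits inside the OLE tree, which needs an OLE
        # parser (e.g. oletools' olevba) to inspect, so macros stay "unknown" here.
        detected = "ole2"
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            detected = "zip-corrupt"
        else:
            if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
                detected = "ooxml-word"
                has_macros = "word/vbaProject.bin" in names
            else:
                detected = "zip"
    elif data.lstrip().startswith(b"<"):
        # Text that starts like markup: a Word 2003 XML file or other XML that a
        # Word icon and extension are being used to disguise.
        detected = "xml"

    type_mismatch = claimed in WORD_EXTENSIONS and detected not in ("ole2", "ooxml-word")
    return {
        "claimed": claimed,
        "detected": detected,
        "has_macros": has_macros,
        "type_mismatch": type_mismatch,
        "suspicious": type_mismatch or bool(has_macros),
    }


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML Word container (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


# Constructed sample attachments keyed by the filename they arrive with.
SAMPLES = {
    "Thanksgiving_card.docx": b'<?xml version="1.0"?><w:wordDocument/>',  # XML under a Word name
    "invoice.docm": build_ooxml(with_macros=True),                          # OOXML with a VBA project
    "minutes.docx": build_ooxml(with_macros=False),                         # plain OOXML, no macros
    "report.doc": OLE_MAGIC + b"\x00" * 504,                                # legacy container header
}

if __name__ == "__main__":
    for filename, blob in SAMPLES.items():
        print(filename, classify_attachment(filename, blob))
```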
Emotet malware has been refreshed recently. In addition to stealing details, a new module has been incorporated which harvests emails from an infected user. The past six months’ emails – which include subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and data theft.
The recent rise in Emotet malware campaigns, and the highly varied tactics implemented by the threat actors behind these campaigns, emphasise the importance of adopting a defense in depth strategy to block phishing emails. Groups should not rely on one cybersecurity solution to provide protection against hacking attacks.
Phishing campaigns aim for a weak link in security defenses: Staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained how to recognize phishing threats. Training needs to be constant and should cover the latest tactics used by hackers to spread malware and steal details. Staff members are the last line of defense. Through security awareness training, the defensive line can be significantly enhanced.
As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.
SpamTitan is an advanced email filtering software that uses predictive techniques to supply superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based security.
Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and obstruct large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.
Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.
Email Archiving in SMBs
Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.
Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.
An email archive, in comparison, is indexed and searchable and therefore emails can be retrieved on demand quickly and with ease. If there is a legal dispute or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example) businesses need to be able to recover emails in an efficient manner. Additionally, an email archive also provides a clear chain of custody, which is also required to comply with a lot of regulations.
Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.
In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.
Email Archiving in MSPs
Due to the benefits of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into existing email packages. This is in order to offer greater value and make your packages unique compared to those of your competitors.
Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply offering Office 365 to your clients. Overall, it can help you to attract more business when offered as part of a package.
Email Archiving Made Simple for MSPs by ArcTitan
TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.
ArcTitan has been developed by TitanHQ to be easy to implement and manage. It seamlessly integrates into MSPs service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result of this, TitanHQ is able to offer generous margins on ArcTitan for MSPs.
Benefits of ArcTitan for MSPs
- Easy implementation
- Software downloads not necessary
- No hardware requirements
- Secure, cloud-based storage
- Easy to operate centralised management system
- Increases profitability of Office 365
- Highly scalable email archiving
- Easy set up for MSPs
- Usage easy for clients
- Improved margins for MSPs
- Full suite of APIs supplied for simpler integration
- Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
- Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
- Usage-based pricing and monthly billing available
- World class customer service and support
If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.
TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.
Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.
Z Services partnered with TitanHQ in February of 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. Through doing this, it enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.
Due to the integration proving to be such a great success for Z Services, the firm has now decided to take its partnership with TitanHQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan – TitanHQ’s award-winning web filtering technology – and ArcTitan – its innovative email archiving solution – have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the needs of small to medium sized enterprises for cybersecurity, threat protection, and compliance solutions.
“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”
Speaking from TitanHQ’s point of view, CEO Ronan Kavanagh said “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”
TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.
When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.
If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.
FilesLocker, a newly discovered ransomware threat, is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an extremely sophisticated ransomware variant, but it still poses a major threat.
FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.
Unless advertised more widely, the number of affiliates that sign up may be restricted, although it may prove popular. There are a number of features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will go up to 75% if sufficiently high numbers of infections can be generated.
While relatively straightforward, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of file encryption in a broken network environment.
No server is needed and the ransomware works on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Affiliates are also able to easily keep an eye on infections through a tracking feature which displays infections by country.
There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.
While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front this week, at least for some victims.
GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.
A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.
This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been infected with version 1, 4, or 5 of the ransomware.
The version can be deduced by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a completely random 10-character extension.
The free GandCrab ransomware decryptor has been placed on the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.
A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the hacker.
The hackers spoof the user’s email address so that it appears that the message has been issued from the user’s email account – the sender and the recipient names are exactly the same.
A quick and simple check that can be performed to deduce whether the sender name shown is the actual account that has been used to send the email is to click forward. When this is done, the display name is shown, but so too is the actual email address that the message has been sent from. In this instance, that check does not work, making it seem that the user’s email account has actually been compromised.
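As an added example, not part of the original post, the following Python check applies the same idea at the mail gateway rather than in the mail client: a message whose From address matches the recipient but whose envelope sender and authentication results point outside the organisation is flagged. The two messages and the victim-corp.example domain are constructed sample data.

```python
"""Flag self-addressed mail that fails sender authentication.

Added example, not code from the original post. The lure sets From equal to
the recipient, so the envelope sender (Return-Path) and the receiving server's
Authentication-Results header are checked instead. Messages and domains below
are constructed sample data.
"""
import email
from email.utils import parseaddr

# Constructed sample resembling the sextortion lure: From == To, but the
# envelope sender and SPF result point at an outside host.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-placeholder.example>
Received: from mailer-placeholder.example (mailer-placeholder.example [203.0.113.7])
\tby mx.victim-corp.example with ESMTP id abc123
Authentication-Results: mx.victim-corp.example; spf=fail smtp.mailfrom=mailer-placeholder.example; dkim=none
From: alice@victim-corp.example
To: alice@victim-corp.example
Subject: Your account has been hacked

I have your webcam footage. Pay 0.1 BTC.
"""

# Constructed legitimate note-to-self for contrast.
LEGIT_MESSAGE = """\
Return-Path: <alice@victim-corp.example>
Received: from mail.victim-corp.example (mail.victim-corp.example [192.0.2.10])
\tby mx.victim-corp.example with ESMTP id def456
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=victim-corp.example; dkim=pass header.d=victim-corp.example
From: alice@victim-corp.example
To: alice@victim-corp.example
Subject: Note to self

Remember to rotate the backup keys.
"""


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address header, or '' if none."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse the spf= and dkim= verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            part = part.strip()
            for method in ("spf", "dkim"):
                if part.startswith(method + "="):
                    verdicts[method] = part[len(method) + 1:].split()[0].lower()
    return verdicts


def self_addressed_spoof_findings(raw: str, our_domain: str) -> list:
    """Return human-readable findings for a self-addressed message; empty means clean."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    to_dom = domain_of(msg.get("To", ""))
    ret_dom = domain_of(msg.get("Return-Path", ""))
    verdicts = auth_results(msg)

    # Only the lure's pattern is examined: header From claims our own domain
    # and the recipient is in our domain too.
    if from_dom == our_domain == to_dom:
        if ret_dom and ret_dom != our_domain:
            findings.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
        if verdicts.get("spf") != "pass":
            findings.append(f"SPF verdict is {verdicts.get('spf', 'missing')} for self-addressed mail")
        if verdicts.get("dkim") != "pass":
            findings.append(f"DKIM verdict is {verdicts.get('dkim', 'missing')} for self-addressed mail")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, self_addressed_spoof_findings(raw, "victim-corp.example"))
```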
The messages used in this campaign try to extort money by suggesting the hacker has obtained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to review the user’s internet activities in real time and use the computer’s webcam to record the user.
The hacker claims that the virus was placed on the computer due to the user viewing an adult website and that while viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.
The hacker claims that they will sync the webcam footage with the content that the user was looking at and send a copy of the video to the user’s partner, friends, and relatives. It is said that all the user’s accounts have been compromised. The message also has an example of one of the user’s passwords.
While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to get them to make the requested payment of $800 to have the footage erased.
In reality, this is a sextortion scam where the hackers have no leverage, as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take a risk.
According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was completed, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.
A similar sextortion scam was carried out in the summer which also had an interesting twist. It implemented an old password for the account that had been downloaded from a data dump. In that instance, the password was real, at least at some point in the past, which made the scam seem authentic.
An updated version of Azorult malware has been discovered. The most recent version of the data stealer and malware downloader has already been deployed in attacks and is being shared via the RIG exploit kit.
Azorult malware is mainly an information stealer which is used to download usernames and passwords, credit card numbers, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.
Azorult malware was first spotted in 2016 by researchers at Proofpoint and has since been deployed in a large number of attacks via exploit kits and phishing email campaigns. The latter have used hyperlinks to malicious sites, or more commonly, malicious Word files with malware downloaders.
In 2016, the malware variant was first installed with the Chthonic banking Trojan, although more recent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen many different threat actors pair the information stealer with a secondary ransomware payload.
Campaigns have been noticed using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the main aim is to obtain login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been taken, the ransomware is activated, and a ransom payment is requested to unlock the decrypted files.
A new version of Azorult was distributed in July 2018 – version 3.2 – which included significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been placed with RIG. The new variant was on the market shortly after the source code for the previous version was leaked online.
The new variant uses an alternative method of encryption, has improved cryptocurrency stealing functionality to permit the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and a new admin panel. The latest version has a lower detection rate by AV software ensuring more installations.
If your operating systems and software are always fully patched and current you will be secure from these exploit kit downloads as the vulnerabilities targeted by RIG are not new. However, many businesses are slow to apply patches, which need to be thoroughly tested. It is therefore strongly advisable to also use a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan stops end users from visiting malicious websites such as those hosting exploit kits.
The most recent version of Azorult malware was first put on sale on October 4. It is possible that other threat actors will buy the malware and distribute it via phishing emails, as was the case with older versions. It is therefore wise to also put in place an advanced spam filter and ensure that end users are shown how to recognize malicious emails.
Last May, security specialists at Proofpoint identified a spam email campaign that was spreading a new banking Trojan named DanaBot. At first it was thought that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.
That campaign has persisted, but in addition, campaigns have been noticed in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then last month a further DanaBot Trojan campaign was carried out targeting U.S. banks.
The DanaBot Trojan is a modular malware programmed in Delphi that can install additional components to add various functions.
The malware can capture screenshots, obtain form data, and record keystrokes in order to obtain banking credentials. That data is sent back to the attackers’ C2 server and is then used to steal money from corporate bank accounts.
A review of the malware and the geographical campaigns shows alternative IDs are used in the C2 communication headers. This strongly suggests that the attacks in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is charged with running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates conducting campaigns. Overall, there appears to currently be nine hackers running distribution campaigns.
The country-specific campaigns are using a variety of tools to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to share the Trojan in the United States.
The U.S. campaign sends a fax notice lure with the emails seeming to come from the eFax service. The messages look authentic and are complete with appropriate formatting and logos. The emails include a button that must be clicked to download the 3-page fax message.
Clicking on the button will download a Word document with a malicious macro which, if permitted to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then install the Pony stealer and the DanaBot Trojan.
Proofpoint’s review of the malware revealed similarities with the ransomware families Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.
The U.S. DanaBot campaign is focused on customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors begin to use the malware.
Stopping attacks requires detailed defense against each of the attack vectors. An advanced spam filter is necessary to block malspam. Subscribers to Office 365 should increase protection with a third-party spam filter such as SpamTitan to supply better protection against this threat. To stop web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious aims.
End users should also be advised never to open email attachments or visit hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also think about warning their employees about fake eFax emails to increase awareness of the threat.
It is becoming increasingly clear that the margin for MSPs with regards to Office 365 lies in the security aspect of the application. Office 365 is currently in huge demand with over 135 million commercial monthly users. Through trusted advisers such as MSPs, resellers and Microsoft Cloud Solution Providers, its adoption amongst small and mid-size businesses continues to grow at a rapid pace.
Currently, partners can purchase from Microsoft Cloud Service Providers such as AppRiver, Intermedia, Pax8, etc. and can then resell O365 licenses to their downstream customers. However, the margins made from this activity are very small. Office 365 is a reliable solution for the customer base of many VARs and MSPs. Although it allows them to capture new business, it lacks the ability to make significant margin. This leads to many VARs and MSPs questioning the point of O365.
Despite it being evident that O365 is a great email and productivity application, MSPs can’t build a sustainable business on such small margins. Cloud backup, migrations and other services can add to the value of an Office 365 offer, however:
- 73% of 2018 MSP 501 listees rated their fastest growing service as security
- 55% chose professional services
- only 52% selected Office 365
For MSPs, consultants and resellers, O365 represents an opportunity to help build a profitable practice based around subscription sales to SMBs. It also helps clients to learn how to protect their investment within their IT budget and secure their network through a “defense in depth” approach.
Due to the continuing onslaught of phishing attacks and ransomware, IT budgets are being built with security in mind. Given the regular headlines reporting countless exploits where hackers have sabotaged an O365 environment with ease, this doesn’t come as a surprise. Security is a feature that Microsoft has added to O365 but unfortunately this does not meet the security benchmarks set by most organizations. A recent study showed that a third of business owners do not have safeguards in place to combat cyber breaches. What’s more is that 60% of small businesses that suffer a breach go out of business within six months of the attack.
As email security experts who have gained over 20 years’ experience, we are aware that new malware can penetrate the usual email filtering mechanisms. It has been the case for quite some time that older email protection technologies, reputation analysis and fingerprinting for example, are no longer effective against the evolution of these threats. Recent research conducted by Osterman shows that Microsoft’s EOP can detect 100% of all known viruses and updates every 15 minutes. However, the research also discovered that it did not have the same effectiveness against unknown or new malware delivered by email.
As trusted providers, MSPs have a huge opportunity to provide a “full suite” of cloud productivity tools such as O365, Dynamics, Azure and cloud security and compliance such as email security and web security, DLP, and archiving to their downstream SMB customers at combined margins of over 75 to 100%. This can be achieved without massive increases to their monthly spend.
Small to medium-sized businesses are focused only on the necessary to keep the lights on and to grow the business. Microsoft’s main messages to organizations choosing Office 365 is the cost savings that are achievable from moving to a cloud-based solution. A move such as this would save the company money and allow IT staff to work on business problems and, ultimately, add more value to the company. Web and email security and compliance do not need to be detrimental to those looking to save costs in their IT spend and productivity.
How MSPs can boost margins on O365 business
It is evident that the margin for MSPs to be made with Office 365 lies in security. If MSPs fail to invest in security as a service and a defense in depth approach, it could prove almost impossible to make their O365 business profitable. The dilemma for partners has moved past whether to offer security for O365; it is now at the point where partners need to discover how best to deliver a cost-effective advanced security platform that can handle today’s advanced threats. This should be achieved while also keeping IT security budgets in check for their SMB customers.
In today’s world, consultants, managed service providers and resellers have the opportunity to offer customers a very cost-effective defense in depth approach to security. MSPs can now deliver advanced security with TitanHQ’s Private Cloud Security services – SpamTitan (email security), WebTitan (content filtering) and ArcTitan (email archiving) – alongside O365 subscriptions. Through doing this they can ensure they make healthy margins, while continuing to keep monthly costs down for their customers.
Currently, Office 365 continues to be the leader in the productivity and collaboration space. However, for partners selling and managing this service, margins remain tight. As partners sell and manage more O365 mailboxes, offering add-on security is the answer to making the process more profitable.
Be Mindful of Gaps in Security with O365
For MSPs looking to take their business further, offering a defense in depth service to plug the Office 365 security gaps is the answer. Email has become central to running an organization and, as a result, is constantly targeted by attackers. Because of this, it is vital for MSPs to use a reliable third-party security vendor like TitanHQ, who’ve been specializing in email and web security for 25 years. Unlike Microsoft, security is our area of expertise.
Today, we work with over 2000 MSPs worldwide daily. We protect your customers from malware, phishing, viruses, ransomware, botnets and other cyber threats. A lot of these customers are Office 365 users. Our products were built from the ground up with MSPs for MSPs, which we feel is crucial. We save MSPs time by stopping problems with support and engineering at source. We also provide ideal products to sell in your technology stack which allows you to increase margin. Contact us today to learn how MSPs like you can boost margins on Office 365 business.
Hotels, restaurants, and telecommunications businesses are being targeted with a new hacking email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware installer which, like many malware variants, is being distributed using spam emails containing Microsoft Word attachments with malicious macros.
Clicking on an infected email attachment and enabling macros on the document will result in AdvisorsBot being installed. AdvisorsBot’s primary aim is to fingerprint the infected device. Data gathered on the infected device is communicated to the threat actors’ command and control servers, and further instructions are given to the malware based on the data gathered about the system. The malware records system data, details of programs installed on the device, Office account details, and other details. It is also able to capture screenshots on an infected device.
AdvisorsBot malware is so titled because the early examples of the malware, first seen in May 2018, contacted command and control servers that contained the word advisors.
The spam email campaign is mainly being conducted on targets in the U.S., although infections have been detected worldwide. Several thousand devices have been infected with the malware since May, according to the security experts at Proofpoint who discovered the new malware threat. The threat actors thought to be behind the attacks are an APT group known as TA555.
Various email lures are being implemented in this malware campaign to get the recipients to open the infected attachment and turn on macros. The emails sent to hotels seem to be from people who have been charged twice for their stay. The campaign on restaurants uses emails which say that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications firms use email attachments that seem to be resumes from job applicants.
AdvisorsBot is coded in C, but a second form of the malware has also been seen that is written in .NET and PowerShell. The second variant has been called PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script, which in turn executes shellcode that runs the malware in memory without writing it to disk.
Xbash malware is one of many new malware threats to be discovered in recent times that uses the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.
In 2018, several cybersecurity and threat intelligence companies have discovered that ransomware attacks have plateaued or are dropping. Ransomware attacks are still profitable, although there is potential to make more money through cryptocurrency mining.
The recent Internet Organized Crime Threat Report published by Europol notes that cryptojacking is a new cybercrime trend and is now a commonly seen, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol states in its report that a decline has been witnessed in random attacks via spam email; instead, cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.
Another new trend offers cybercriminals the best of both worlds – the use of versatile malware that has the elements of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the chance to mine for cryptocurrency. If the malware is downloaded on a system that is not ideally suited for mining cryptocurrency, the ransomware function is enabled and vice versa.
Xbash malware is one such danger, albeit with one major caveat. Xbash malware cannot restore files. In that respect it is more similar to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is enabled if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is turned on.
Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting flaws in Hadoop, ActiveMQ and Redis services.
At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services. Protection from this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Restricting access to unknown hosts on the Internet will stop communication with its C2 if it is installed, and naturally it is important that multiple backups are regularly made to ensure file recovery can happen.
Kaspersky Lab have said that there has been a doubling of these multi-purpose remote access tools witnessed over the past 18 months and their popularity is likely to continue to rise. This sort of versatile malware could well become the malware of choice for advanced threat actors over the course of the next year.
A new strain of Python-based ransomware has been discovered that closely resembles Locky, one of the most widely deployed ransomware variants in 2016. The new ransomware variant has been labelled PyLocky ransomware by security researchers at Trend Micro, who have seen it being used in hacking campaigns in Europe, particularly France, throughout July and August.
The spam email campaigns were, at first, sent in comparatively small batches, although over time the volume of emails sharing PyLocky ransomware has surged significantly.
Various social engineering tactics are being employed by the hackers to get the ransomware installed, including fake invoices. The emails identified by Trend Micro have included an embedded hyperlink which sends users to a malicious webpage where a zip file is downloaded. The zip file includes PyLocky ransomware, which has been compiled using the PyInstaller tool, which converts Python applications into standalone executable files.
If downloaded, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files saved on all logical drives will be encrypted and the original copies will be replaced. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are not linked. Ransom notes are written in French, English, Korean, and Italian so it is likely that the attacks will become more widespread over the coming days.
While Python is not normally used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been developed. Pyl33t was used in a number of attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant different is its anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.
The ransomware uses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is run. If the total visible memory of a system is 4GB or greater, the ransomware will execute instantly. If it is lower than 4GB, the ransomware will remain dormant for 11.5 days – an attempt to determine whether it is in a sandbox environment.
A new Python-based form of ransomware has been discovered that closely resembles Locky, one of the most commonly seen ransomware variants during 2016. The new ransomware variant has been titled PyLocky ransomware by security specialists at Trend Micro who have seen it being deployed in Europe, particularly France, during July and August.
The spam email campaigns were, at first, sent in relatively small batches, although over time the number of emails sending PyLocky ransomware has increased drastically.
Many social engineering tactics are being used by the hackers to get the ransomware downloaded to devices, including fake invoices. The emails captured by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware, which has been packaged using the PyInstaller tool, which converts Python applications into standalone executable files.
If downloaded, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files kept on all logical drives will be encrypted and the original files will be overwritten. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors responsible for Locky, although the two cryptoransomware threats are not linked. Ransom notes are presented in French, English, Korean, and Italian so it is probable that the hacking campaigns will become more widespread going forward.
While Python is not normally used to develop ransomware, PyLocky is not the only Python-based ransomware variant to have been noticed. Pyl33t was used in many attacks in 2017, and CryPy was first seen in 2016. This most recent ransomware variant differs in that it has anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.
The ransomware uses Windows Management Instrumentation (WMI) to calculate the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or more, the ransomware will execute instantly. If it is less than 4GB, the ransomware will sleep for 11.5 days – an effort to determine if it is in a sandbox environment.
Stopping attacks can be done using a variety of cybersecurity measures. An advanced spam filtering solution like SpamTitan will help to stop the spam emails being sent to end users’ inboxes. A web filter, such as WebTitan, can be implemented to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will allow end users to recognize the threat for what it is. Advanced malware detection tools are necessary to spot the threat due to its anti-machine learning capabilities.
At present, there is no free decryptor for PyLocky available.
Spam or junk email may be the primary method of delivering banking Trojans; however, there are many other ways of convincing employees to download and install malware on their computers.
With the CamuBot Trojan, the method used is vishing. Vishing is the voice equivalent of phishing – the use of the telephone to trick people, either by convincing them to reveal sensitive information or to take some other steps such as downloading malware or making fraudulent bank transfers.
Vishing is regularly used in tech support scams where people are convinced to install fake security software to delete fictitious viruses on their computers. The campaign used to install the CamuBot Trojan, identified by IBM X-Force researchers, is a different kind of attack.
The attack begins with some reconnaissance. The hackers identify a business that uses a specific bank. Individuals within that business are then identified who are likely to have access to the bank accounts used by the business – payroll staff for example. Those people are then contacted by telephone.
The hackers tell people that they are calling from the bank and are completing a check of security software on the user’s computer. The user is told to visit a webpage where a program will run a scan to find out if they have an up-to-date security module downloaded on their computer.
The fake scan is finished, and the user is informed that their security module is an out of date version. The caller then tells them that they must download the latest version of the security module and install it on their device.
Once the file is installed and executed, it runs just like any standard software installer. The user is told about the minimum system requirements required for the security module to work and the installer includes the bank’s logo and color scheme to make it appear authentic.
The user is taken through the installation process, which first requires them to disable certain processes that are running on their computer. The installer shows the progress of the fake installation, but in the background, the CamuBot Trojan is being downloaded. Once the process is finished, it connects to its C2 server.
The user is then brought to what appears to be the login portal for their bank where they must enter their login credentials. The portal is a phishing webpage, and the details to access the user’s bank account are recorded by the hacker.
Many banks require a second factor for authentication. If such a security measure is in place, the hackers will instruct the user that a further installation is needed for the security module to work. They will be talked through the installation of a driver that enables a hardware-based authentication device to be remotely shared with the hacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are sent from the bank to the user’s device, allowing the attackers to take full control of the bank account and authorize transactions.
The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering methods can be just as effective at getting staff members to install malware.
The CamuBot Trojan campaign is mainly being carried out in Brazil, but the campaign could be rolled out and used in attacks in other countries. The methods used in this campaign are not new and have been used in several malware campaigns previously.
Xbash malware is one of many new malware threats to be discovered in recent weeks that uses the file-encrypting features of ransomware with the coin mining functionality of cryptocurrency mining malware.
In 2018, several cybersecurity and threat intelligence companies have reported that ransomware attacks have fallen. Ransomware campaigns are still profitable, although it is possible to make more money through cryptocurrency mining.
The recent Internet Organized Crime Threat Report issued by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue generator for hackers, but that “ransomware remains the key malware threat”. Europol has reported that a decline has been seen in random attacks using spam email; instead, cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.
Another emerging trend provides cybercriminals with the best of both worlds – the use of versatile malware that has the features of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is downloaded on a system that is not ideally suited for mining cryptocurrency, the ransomware function is enabled and vice versa.
Xbash malware is one of these threats, albeit with one major caveat. Xbash malware cannot restore files. In that regard it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being given to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is switched off if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is enabled.
Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting weaknesses in Hadoop, ActiveMQ and Redis services.
At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services. Protection against this threat requires the use of strong, unique non-default passwords, swift patching, and endpoint security solutions. Preventing access to unknown hosts on the Internet will stop communication with its C2 if it is downloaded, and naturally it is important that multiple backups are regularly made to ensure file recovery is possible.
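The exposure this paragraph and the earlier Xbash write-up describe (database and middleware services reachable from the network, ready for password guessing or exploitation) is something a defender can audit. The following is an added example, not TitanHQ's or Palo Alto Networks' code: it parses output in the shape `ss -Hltn` prints on Linux and reports the services named above that are bound to every interface or to a LAN address. The listener table is constructed for the demo; the port numbers are the services' well-known defaults.

```python
"""Audit listening TCP sockets for the services the Xbash campaign goes after.

Added example (not TitanHQ's or Palo Alto Networks' code). Parses `ss -Hltn`
style lines (State Recv-Q Send-Q Local Peer) and flags database/middleware
listeners that are not confined to loopback.
"""
import sys

# Well-known default ports of the services named in the article.
WATCHED_PORTS = {
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    61616: "ActiveMQ (OpenWire)",
    8161: "ActiveMQ (web console)",
    8088: "Hadoop YARN ResourceManager",
}

# Bind addresses meaning "every interface", in the forms ss prints them.
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -Hltn` output; only MySQL is confined to loopback.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:27017 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.0.0.5:5432 0.0.0.0:*
LISTEN 0 128 *:8088 *:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN line; tolerates IPv6 brackets."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        if port.isdigit():
            yield host, int(port)


def find_exposed_services(ss_output, watched=WATCHED_PORTS):
    """Return findings for watched services not confined to loopback.

    exposure is "internet" for wildcard binds and "lan" for a specific
    non-loopback address; loopback-only listeners are not reported.
    """
    findings = []
    for host, port in parse_listeners(ss_output):
        if port not in watched or host in LOOPBACK_HOSTS:
            continue
        exposure = "internet" if host in WILDCARD_HOSTS else "lan"
        findings.append({"port": port, "service": watched[port],
                         "bind": host, "exposure": exposure})
    return findings


if __name__ == "__main__":
    # `ss -Hltn | python3 audit.py -` checks the live host; no argument runs the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SS_OUTPUT
    for f in find_exposed_services(data):
        print(f"{f['service']:<28} port {f['port']:<6} bound to {f['bind']:<10} ({f['exposure']})")
```

Anything the audit reports as "internet" should be firewalled or bound to a specific address before the password and patching work starts; a "lan" finding is the lateral-movement path the self-propagation paragraph describes.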
Kaspersky Lab discovered there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to rise. This type of versatile malware could well prove to be the prevalent malware for hackers over the next year.
It is evident that email archiving has become vital in today’s business environment, but what is email archiving and what is its importance to businesses?
What Email Archiving is
An email archive is a store for old emails which are not needed on a day-to-day basis but may need to be accessed from time to time. An email archive saves all email conversations securely in a searchable format that allows companies to satisfy various state, federal, and industry requirements.
Saving Storage Space with Email Archiving
Although emails could be left in personal mailboxes, the number of emails received on a daily basis means the storage space required for each mailbox would be considerable. This is especially the case considering the requirement in many industries to store emails for several years. If this approach were used, employees would have to exercise strict control over their inboxes and mailbox folders and diligently delete spam and non-official emails. Even with these measures, storage space would still likely become an issue in a short space of time.
Emails are Easily Searchable in Archives
Another common solution to preserve emails is a mailbox backup. Email backups can be used to recover emails that have been accidentally deleted and can even allow an entire mailbox to be restored in the event of a disaster.
However, as is the case with any store, knowing that an item is in storage does not mean it is necessarily easy to find. While you may need to invest a little time to find a particular item in your work storeroom, it can take an awfully long time to find a single email in an email backup containing thousands or even tens of thousands of messages. The reason is that backups are not searchable.
An email archive differs from a backup as messages can be searched due to them being indexed. Finding a message in a backup file can take hours, even days. However, locating a message in an archive takes a matter of seconds, a minute or two at most. An email archive allows emails to be quickly found if it is ever required to produce them.
Usually, IT staff have much more important things to be working on than recovering accidentally deleted emails. An archive means an email can be easily searched for and accessed by employees without any involvement from the IT department. What’s more, if a cloud-based archive is used, emails can be accessed from any location and found even when the mail server is down.
Of course, there are also situations when more formal searches are required, such as when issues are identified with an employee and HR needs further information on the matter. eDiscovery requests require large quantities of emails to be resurfaced and provided to attorneys, and customer disputes require email conversations to be found quickly. Having an archive within the business significantly reduces the time taken for these tasks to be performed. A company-wide search of emails typically takes 80% less time when an archive is used.
Importance of Email Archives for GDPR Compliance
Since the General Data Protection Regulation has come into effect in May of 2018, email archives are even more critical. As soon as a request is received from an individual who wants to exercise their right to be forgotten, all data must be erased. This, of course, includes data contained in email accounts. An email archive can make this process much more efficient by allowing emails to easily be found and deleted.
The email archive ensures that regardless of what may happen, all emails can be located. Emails in the archive are also court admissible and tamper-evident which makes email archives important for compliance with state, federal, and industry regulations.
Email Archive: Time and Money Saver for Companies
Improvement in mail service efficiency, reduction in server management costs, minimised storage costs; these are the results of using an email archiving system in your business. Companies can save up to 75% on storage space when an archive is used. Additionally, it is a much quicker process to migrate emails to a new server when the majority of emails have been placed in an archive.
Overall, an email archiving system’s importance to businesses cannot be overstated. It ensures emails are never lost or deleted, provides a failsafe in the event of disaster, maintains an audit trail and ensures emails can be found quickly and efficiently. An email archive can save companies time and money, as well as helping with compliance with state, federal, and industry regulations.
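The two properties the archiving discussion rests on, indexed search (as opposed to reading every message in a backup) and tamper evidence, are small enough to show in code. The following is an added example and not ArcTitan's implementation: an append-only archive that tokenises each message into an inverted index so a search is a set lookup, and chains SHA-256 digests over the stored messages so a later edit to any of them is detected. The messages are constructed for the demo.

```python
"""Indexed, tamper-evident email archive (added example, not ArcTitan's code).

Search goes through an inverted index instead of scanning every message;
verify() recomputes a SHA-256 hash chain and reports the first altered message.
"""
import hashlib
import json
import re

TOKEN = re.compile(r"[a-z0-9]+")
GENESIS = "0" * 64  # hash of "nothing before the first message"


def canonical(msg):
    """Stable byte encoding of a message so digests are reproducible."""
    return json.dumps(msg, sort_keys=True).encode("utf-8")


def terms_of(msg):
    text = " ".join(str(msg.get(k, "")) for k in ("from", "to", "subject", "body"))
    return set(TOKEN.findall(text.lower()))


class EmailArchive:
    def __init__(self):
        self.messages = []   # ingestion order; a message's id is its position
        self.chain = []      # chain[i] = sha256(chain[i-1] || canonical(messages[i]))
        self.index = {}      # term -> set of message ids

    def ingest(self, msg):
        msg_id = len(self.messages)
        prev = self.chain[-1] if self.chain else GENESIS
        digest = hashlib.sha256(prev.encode() + canonical(msg)).hexdigest()
        self.messages.append(msg)
        self.chain.append(digest)
        for term in terms_of(msg):
            self.index.setdefault(term, set()).add(msg_id)
        return msg_id

    def search(self, query):
        """Ids of messages containing every query term (AND search)."""
        terms = TOKEN.findall(query.lower())
        if not terms:
            return []
        hits = set.intersection(*(self.index.get(t, set()) for t in terms))
        return sorted(hits)

    def verify(self):
        """Recompute the chain; return the id of the first tampered message, or None."""
        prev = GENESIS
        for i, (msg, digest) in enumerate(zip(self.messages, self.chain)):
            if hashlib.sha256(prev.encode() + canonical(msg)).hexdigest() != digest:
                return i
            prev = digest
        return None


def scan_without_index(messages, query):
    """The backup-style alternative: read every message on every search."""
    terms = set(TOKEN.findall(query.lower()))
    return [i for i, m in enumerate(messages) if terms <= terms_of(m)]


def build_sample_archive():
    arc = EmailArchive()
    for msg in [  # constructed sample messages
        {"from": "alice@acme.example", "to": "bob@corp.example",
         "subject": "Invoice 1042", "body": "Please find the March invoice attached."},
        {"from": "carol@corp.example", "to": "bob@corp.example",
         "subject": "Lunch", "body": "Team lunch on Friday?"},
        {"from": "bob@corp.example", "to": "finance@corp.example",
         "subject": "Re: Invoice 1042", "body": "Acme invoice approved for payment."},
    ]:
        arc.ingest(msg)
    return arc


if __name__ == "__main__":
    arc = build_sample_archive()
    print("invoice acme ->", arc.search("invoice acme"))
    arc.messages[1]["body"] = "edited after the fact"
    print("first tampered message:", arc.verify())
```

The chain is what makes the stored copy evidence rather than just storage: a message can still be deleted for a right-to-be-forgotten request, but that deletion, like any edit, shows up in `verify()` and so has to be recorded rather than silently made.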
ArcTitan: An Efficient, Low Cost Solution to Email Archiving for Businesses
For businesses who have not yet started using an email archiving solution, TitanHQ has an optimal solution. ArcTitan is a fast, efficient, scalable, and low-cost archiving solution for SMBs and enterprises.
A cloud-based email archiving solution that integrates seamlessly with Outlook, ArcTitan allows emails to be quickly archived and retrieved on demand with ease via super-fast, user-friendly search screens.
Storage space is reduced through the de-duplication and compression of all emails and all messages and attachments are stored securely in IL5 certified datacenters.
If you are searching for an easy-to-use email archiving solution that can be implemented in minutes, get in touch with the TitanHQ team today for further information.
Hotels, restaurants, and telecommunications businesses are the focus of a new spam email campaign that delivers a new form of malware titled AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being sent using spam emails containing Microsoft Word attachments with malicious macros.
Clicking on an infected email attachment and enabling macros on the document will allow AdvisorsBot to be downloaded. The software’s main role is to carry out fingerprinting on an infected device. Information gathered on the infected device is then sent to the threat actors’ command and control servers, and further instructions are supplied to the malware based on the data gathered on the system. The malware records system information, details of programs downloaded to the device, Office account details, and other data. It can also capture screenshots on an infected device.
It has been given the title ‘AdvisorsBot’ due to the early samples of the malware that were first discovered in May 2018 which contacted command and control servers that included the word advisors.
The spam email campaign is mainly being aimed at targets in the United States, although infections have been seen globally. Several thousand devices have been infected with the malware since May, according to the security researchers at Proofpoint who identified the new malware threat. The threat actors thought to be behind the attacks are an APT group called TA555.
Various email lures are being used in this malware campaign to encourage the recipients to open the infected attachment and turn on macros. The emails sent to hotels appear to be from individuals who have been doubly charged for their stay. The campaign targeting restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the campaign targeting telecommunications companies uses email attachments that seem to be resumes from job applicants.
AdvisorsBot is programmed in C, but a second form of the malware has also been detected that is programmed in .NET and PowerShell. The second variant has been labelled PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script, which in turn executes shellcode that runs the malware in memory without writing it to disk.
These malware threats are still under development and, in common with many recent malware threats, have a wide range of capabilities and the versatility to be used for various types of attack such as data stealing, ransomware delivery and cryptocurrency mining. The malicious actions carried out are determined based on the system on which the malware has been downloaded. If that system is perfectly suited for mining cryptocurrency, the relevant code will be downloaded. If the business is of particular interest, it will be earmarked for a more thorough compromise.
The action to take in order to guard against this campaign is to deploy an advanced spam filtering solution to stop the emails from being delivered and security awareness training for employees to teach them how to respond when such a threat is received in their inbox.
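Spam filtering and awareness training stop most of these emails before a macro runs; for the ones that get through, the PoshAdvisor chain described above (a Word macro starting powershell.exe with an encoded, hidden, in-memory loader) leaves a process-creation record whose parent is the Office application, and that record is where endpoint telemetry catches it. The following is an added example, not Proofpoint's or TitanHQ's code, and it covers both AdvisorsBot write-ups on this page. The events are constructed: the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the values are made up, and the encoded blob is a harmless fragment of text, not a working payload.

```python
"""Flag PowerShell launched by an Office application with fileless-loader flags.

Added example (not Proofpoint's or TitanHQ's code). Runs over constructed
process-creation events shaped like Sysmon Event ID 1.
"""
import base64
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits of in-memory loaders; each hit adds one reason.
SUSPICIOUS_FLAGS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), "no profile"),
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-e(p|xecutionpolicy)\s+bypass\b"), "execution policy bypass"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|frombase64string"), "download/decode stager"),
]
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

SAMPLE_EVENTS = [  # constructed; the blob decodes to the text "IEX (New-Object"
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c echo test"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def analyse_event(event):
    """Return the reasons an event looks like a macro-launched loader (may be empty)."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(event["CommandLine"]):
            reasons.append(label)
    return reasons


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_alerts(events):
    """Alert when an Office app spawns a script host, or two or more loader flags appear."""
    alerts = []
    for ev in events:
        reasons = analyse_event(ev)
        spawned_by_office = any("spawned" in r for r in reasons)
        if spawned_by_office or len(reasons) >= 2:
            alerts.append({"cmd": ev["CommandLine"], "reasons": reasons,
                           "decoded": decode_encoded_command(ev["CommandLine"])})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["cmd"])
        print("  reasons:", ", ".join(alert["reasons"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The Office-parent rule fires on its own because a Word or Excel document has no legitimate reason to start a shell; the flag counting is kept as a second path so the same logic also catches a loader launched from elsewhere. Decoding the `-enc` argument is included because the analyst's first question on such an alert is what the blob actually runs.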
Most phishing attempts are carried out using email. However, recently there has been a significant surge in the use of other messaging services with WhatsApp phishing scams now rising in popularity amongst phishers.
WhatsApp phishing attacks are increasing for two main reasons. Firstly, the massive number of platform subscribers. In January 2018, the number of monthly users of WhatsApp worldwide topped 1.5 billion, up from 1 billion users in mid-2017. Secondly, the absence of anti-phishing measures to prevent malicious messages from being sent.
Many businesses have put in place spam filtering solutions, while personal users benefit from the spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at spotting phishing emails and other malicious messages and send them to the spam folder rather than to inboxes.
Messaging services often do not have spam filtering controls. Therefore, malicious messages have a much greater potential for being delivered. Many tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, a very good special offer on a product – the new iPhone for instance – or a money-off voucher or gift card.
The messages include a link that sends the recipient to the phishing website. The link usually includes a preview of the website, so even if a shortlink is used for the URL, the recipient can see some details about the site. A logo may be displayed beside the page title. That makes it much more likely that the link will be visited.
Additionally, the message often comes from a known person – a contact in the user’s WhatsApp friends. When a known individual vouches for the site, the chance of the link being clicked is much higher.
To add further authenticity to the WhatsApp phishing scams, the websites often use fake comments from social media sites stating that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is successful.
The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.
Gift cards are often handed out for participating in legitimate surveys, so the offer of either a gift card or entry into a free draw is not unusual. In return, the visitor to the site is required to answer some standard questions and provide information that would permit them to be contacted – their name, address, phone number, and email address for instance.
The data gathered through these sites is then used for additional phishing attempts via email, telephone, or snail mail which aim to obtain even more personal data. After answering the questions, the website may claim that the user has won, which requires entry of bank account information or credit card details so that the prize money can be paid.
These new WhatsApp phishing scams often have an additional component which assists in spreading the messages much more efficiently to other potential victims. Before any person can claim their free prize or even send their details for a prize draw, they must first agree to share the message with some of their WhatsApp contacts.
Should you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a very good chance it may not be authentic and is a WhatsApp phishing scam.
TitanHQ has announced that, as part of its working alliance with networking and security solution supplier Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been included in the Datto networking range and are available to MSPs as of now.
Datto is the leading supplier of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto provides data backup and disaster recovery solutions, cloud-to-cloud data protection tools, managed networking services, professional services automation, and remote monitoring and management utilities.
This means that MSP partners can now provide their clients another level of security to safeguard them from malware and ransomware downloads and phishing campaigns.
WebTitan is a completely cloud-based DNS web filtering tool developed with MSPs in mind. In addition to allowing businesses to carefully manage the types of websites their employees can access through corporate wired and wireless networks, the solution provides high-level protection against phishing attacks and web-based threats.
With phishing now the main threat faced by SMBs and a rise in ransomware attacks, businesses are asking their MSPs to provide security solutions to counter the threat. Companies that put in place the solution are given real-time protection against malicious URLs and IPs, and employees are stopped from accessing malicious websites through general web browsing and via malicious URLs included in phishing emails.
TitanHQ CEO, Ronan Kavanagh said: “We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers.”
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
MSPs will be able to see WebTitan in action at the TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States. TitanHQ’s full team will be present.
A new email-borne threat has recently been identified. Known as Fatboy ransomware, this new ransomware-as-a-service (RaaS) is being sold on darknet forums in Russia. The RaaS provides would-be cybercriminals the chance to conduct ransomware campaigns without having to write their own malicious code.
RaaS has proven hugely popular. By providing RaaS, malicious code authors can impact more end users by increasing the number of people distributing the ransomware. In the case of Fatboy ransomware, the code author is offering restricted partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files with AES-256, generating an individual key for the files and then encrypting those keys with RSA-2048. A different bitcoin wallet is used for each client and a guarantee is made to transfer funds to the affiliates as soon as the ransom is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, the code author appears to be trying to earn trust.
Additionally, the ransomware interface has been translated into 12 different languages, allowing campaigns to be carried out in many countries globally. Many RaaS offerings are restricted geographically by language.
Fatboy ransomware also has a new feature that aims to maximize the chance of the victim paying the ransom demand. This RaaS permits attackers to set the ransom payment automatically based on the victim’s location. In places with a high standard of living, the ransom payment will be higher.
To calculate the cost of living, Fatboy ransomware implements the Big Mac Index. The Big Mac Index was devised by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the price of a product in each country should be identical. The product picked was a Big Mac. So the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand that is sent out.
New ransomware variants are always being developed and RaaS permits many more individuals to conduct ransomware campaigns. It is no surprise that the number of ransomware attacks has increased.
The price of resolving a ransomware infection can be significant. Businesses must see to it that they have defenses in place to block attacks and ensure they can recover quickly.
Backups must be made regularly to ensure files can be easily recovered. Employees should be trained on security best practices to prevent them inadvertently downloading ransomware. Anti-spam solutions should also be put in place to stop malicious emails from reaching end users’ inboxes. Luckily, even with a predicted rise in ransomware attacks, companies can effectively mitigate risk if appropriate defenses are put in place.
An Adidas phishing scam has been discovered that offers free shoes and money. The messages say that Adidas is celebrating its 69th anniversary and is giving 2,500 lucky customers a free pair of Adidas trainers and a free $50 a month subscription.
The scam is aimed at users on mobile devices in specific locations. If the user clicks the link in the message and is found not to be using a mobile device, they will be sent to a webpage that displays a 404 error. The scam will also only operate if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
If the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The answers to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user completes this, they will be sent to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
However, in order to claim their free sneakers, the user must send $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any time.
On the payment screen the user is informed that the payment will be processed by organizejobs.net. Going ahead with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being conducted on WhatsApp, although similar scams have been carried out via email and SMS messages. Many variations along the same theme have also been identified using different shoe producers.
The link given in the WhatsApp message appears to be authentic, using the official domain for the country in which the user is located. While the domain looks valid, this is an example of a homoglyph attack: instead of the domain adidas.de, the i is replaced with a look-alike vertical line character.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique referred to as typosquatting – where domains closely matching real brand names are registered: misspellings, for instance “Addidas” instead of Adidas, or with an i replaced with a 1 or an l.
In this instance, the hackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the data used to run up huge bills or drain bank accounts.
There are various signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will show it is incorrect. The requirement to share the message with contacts is unusual, as is being notified of a charge after being told the shoes are free; the user is never asked to choose a pair of shoes or even pick their size; and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not valid, this Adidas phishing scam is likely to trick many people.
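One way a mail or web filter can catch the homoglyph and typosquatting domains described above, as an added example that is not the article's own or any TitanHQ product code. The brand list, the small confusables table and the sample URLs are constructed; a production filter would load the full Unicode confusables list and a public-suffix list, which this example assumes away.

```python
"""Flag look-alike domains: a brand name with a non-ASCII look-alike letter
swapped in (homoglyph / IDN spoofing) or one typo away (typosquatting)."""
from urllib.parse import urlsplit

# Brands to protect (constructed list; the article names adidas.de as the spoofed domain).
PROTECTED_BRANDS = ("adidas", "apple", "airbnb", "paypal", "netflix")

# Minimal confusables table: look-alike code point -> the ASCII letter it mimics.
# Assumption: a real deployment would load the full Unicode confusables.txt.
CONFUSABLES = {
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA (a plain vertical bar)
    "\u01c0": "l",  # LATIN LETTER DENTAL CLICK (also a vertical bar)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into the Unicode text a browser displays."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> dict:
    """Classify the host of a URL as 'legitimate', 'homoglyph', 'typosquat' or
    'unknown' relative to the protected brands. Assumes the brand sits in the
    second-level label (no public-suffix handling)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = [decode_label(label) for label in host.split(".")]
    brand_slot = labels[-2] if len(labels) >= 2 else labels[0]
    # Replace each look-alike character with the ASCII letter it imitates.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in brand_slot)
    result = {"host": host, "displayed": ".".join(labels), "brand": None, "verdict": "unknown"}
    for brand in PROTECTED_BRANDS:
        if brand_slot == brand:
            result.update(brand=brand, verdict="legitimate")
            break
        if skeleton == brand:  # identical only after un-confusing the characters
            result.update(brand=brand, verdict="homoglyph")
            break
        if levenshtein(skeleton, brand) == 1:  # one typo away: addidas, ad1das, adldas
            result.update(brand=brand, verdict="typosquat")
            break
    return result


if __name__ == "__main__":
    # Constructed sample: the Cyrillic 'і' stands in for the Latin 'i' in adidas.de.
    for sample in ("https://adidas.de/promo", "https://ad\u0456das.de/promo",
                   "https://addidas.com/", "https://ad1das.de/"):
        print(analyze_url(sample))
```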
A weakness in the mobile Safari browser has been targeted by cybercriminals and used to extort money from people who have previously used their mobile device to access pornography or other illegal content. The Safari scareware stops the user from logging on to the Internet on their device by loading a series of pop-up messages.
A popup is shown telling the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popups that cannot be closed.
A message is shown in the background stating that the device has been locked because the user has been identified as having viewed illegal web content. Some users have reported messages including Interpol banners, which are intended to make the user believe the lock has been put on their phone by law enforcement. The only way of regaining access to the device, according to the messages, is to pay a fine.
One of the domains used by the hackers is police-pay.com; however, few users would likely be tricked into thinking the browser lock was put in place by a police department as the fine had to be paid in the form of an iTunes gift card.
Other messages tell the user that police action will be taken if the payment is not made. The hackers claim they will send the user’s browsing history and installed files to the Metropolitan Police if the ransom is not paid.
The Safari scareware campaign was recently discovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now issued an update to its browser which stops the attack from taking place. Users can safeguard their devices against attack by updating their device to iOS version 10.3.
Scareware is not the same as ransomware, although both are used to extort money. In the case of ransomware, access to a device is obtained by the hacker and malicious file-encrypting malware is installed. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not maintained, the user faces loss of data if they do not pay the hackers for the key to decrypt their locked files.
Scareware may incorporate malware, although more commonly – as was the case with this Safari scareware campaign – it involves inserting malicious code on websites. The code is executed when a user with a vulnerable browser visits an infected webpage. The thinking behind scareware is to scare the end user into paying the ransom demand to unlock their computer. In contrast to ransomware, which cannot be unlocked without the necessary decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowledge. In this instance, control of the phone could be regained by clearing the Safari cache of all cookies and data.
A recent report on spam email published by anti-virus software developer Kaspersky Lab revealed that the drop in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major rise in malicious spam email volume.
In recent years there has been a drop in the number of spam emails, as hackers have sought other ways to send malware and defraud computer users. In 2015, the volume of spam emails being broadcast fell to a 12-year low. Spam fell below 50% of all email traffic for the first time since 2003.
In June 2015, the spam rate fell to 49.7% and in July 2015 it declined further still to 46.4%, according to anti-virus software developer Symantec. The decline was put down to the takedown of major botnets responsible for sending spam emails in the billions.
Malicious spam email volume stayed reasonably constant during 2015. Between 3 million and 6 million malicious spam emails were identified by Kaspersky Lab during 2015; however, toward the end of the year, malicious spam email volume went up. That trend has persisted in 2016.
Image source: Kaspersky Lab
Wide Variety of Malicious Files Being Included in Spam Email
While it was typical for virus-loaded executable files to be broadcast as email attachments, these are now usually detected by email filters and labelled as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails detected by Kaspersky Lab now include a wide variety of malicious files.
One of the most commonly seen methods now used by spammers is to send office documents that have malicious macros. Microsoft Word files with the extension DOC and DOCX are normally used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.
These file formats are typically opened as many end users are less suspicious of office documents than they are of ZIP, RAR, and EXE files. Most office workers would be aware enough not to open an EXE file that was sent to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to arouse suspicion.
Instead of the emails including the actual malware, virus, or ransomware payload, they include Trojan downloaders that fetch JavaScript scripts. Those scripts then complete the final stage of infection and download the actual malware or ransomware. This sort of staged attack is used to bypass anti-virus protections.
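A gateway-side triage of attachments along the lines described above (macro-bearing Office documents, script downloaders and disguised executables), as an added example that is not code from the article or from Kaspersky Lab. The file-type tables and the in-memory sample documents are constructed; detecting macros inside the legacy binary DOC/XLS container would need an OLE stream parser, which the example flags rather than implements.

```python
"""Triage one email attachment by name and content, not by extension alone."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx / .xlsx are zip archives
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif"}
MACRO_ENABLED_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
SEVERITY = {"low": 0, "medium": 1, "high": 2}


def ooxml_part_names(data: bytes) -> list:
    """List the parts of an Office Open XML (zip) package; empty if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return {'filename', 'risk': low|medium|high, 'reasons': [...]} for an attachment."""
    findings = []  # (severity, description)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # invoice.pdf.js style names hide a script behind a document extension.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(("medium", "double extension disguising the real file type"))
    if ext in SCRIPT_EXTENSIONS:
        findings.append(("high", "script file (." + ext + ") of the kind used as a downloader"))
    if ext in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ":
        findings.append(("high", "Windows executable"))
    if data.startswith(ZIP_MAGIC):
        # Any OOXML package with a VBA project part carries macros, whatever the
        # extension claims; a .docx with vbaProject.bin is deliberately mislabelled.
        names = ooxml_part_names(data)
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(("high", "Office document contains a VBA macro project"))
            if ext not in MACRO_ENABLED_EXTENSIONS:
                findings.append(("medium", "macros hidden behind non-macro extension ." + ext))
    elif data.startswith(OLE_MAGIC):
        # Legacy binary Office formats can hold macros too, but confirming that needs
        # an OLE stream scan; treat as "needs deeper inspection", not as safe.
        findings.append(("medium", "legacy binary Office file: macro presence not ruled out"))
    risk = max((sev for sev, _ in findings), key=SEVERITY.get, default="low")
    return {"filename": filename, "risk": risk, "reasons": [desc for _, desc in findings]}


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed stand-in for a Word file: a zip with the parts the check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean .docx, a .docx smuggling macros, a double-extension
    # script downloader and a legacy .doc container.
    for name, blob in (("report.docx", build_sample_ooxml(False)),
                       ("invoice.docx", build_sample_ooxml(True)),
                       ("scan.pdf.js", b"var u = 'constructed';"),
                       ("old.doc", OLE_MAGIC + b"\x00" * 504)):
        print(classify_attachment(name, blob))
```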
Email Spam Filters and Web Filters Important for Preventing Malware Infection
There has been a rise in drive-by downloads in recent years as hackers have lured victims to websites containing exploit kits that probe for flaws in browsers and browser plugins. Visitors are sent to these malicious websites via compromised websites, malvertising, and malicious social media posts. While drive-by downloads are still a significant threat, the use of web filters and anti-virus browser add-ons is restricting these malware downloads and malicious websites.
Email is still a very effective way of bypassing security defenses and getting end users to download malware on their devices. Carefully crafted emails that include unique text increase the chance of the scammers getting users to open malicious attachments. Commonly, the messages include personal details about the recipient such as their name or address. This has helped the hackers to get the victims to take the desired action and run malicious macros and download malware.
It may be too soon to tell whether spam email volume has only temporarily gone up or if there is a reversal in the decline of spam, but groups and individuals should remain vigilant. The rise in malicious spam email volume should not be disregarded.
Two new phishing campaigns have been discovered in the last three weeks that have seen phishers sink to new depths. An active shooter phishing campaign has been discovered that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to boost the chance of victims paying ransom demands.
Mass shootings at U.S. schools are increasing, with the latest incident in Parkland, Florida putting teachers and other staff on high alert to the danger of campus shootings. A swift response is essential when an active shooter alert is released. Law enforcement must be alerted quickly to catch the suspect and children and staff must be protected.
It is therefore no shock that fake active shooter threats have been seen in a phishing campaign. The emails are designed to inflict fear and panic so that recipients click without thinking in order to see further information on the threat.
The active shooter phishing campaign was being deployed in a targeted attack on a single Florida school – an area of the country where teachers are very concerned about the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were reported to the anti-phishing and security awareness platform supplier KnowBe4, all of which were used to send recipients to a fake Microsoft login page where they were asked to enter their login details to view the alert. Doing so would give those credentials to the hacker.
The email subject lines used – although other variants could also be in use – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is probable that similar campaigns will be carried out in the future. Irrespective of the level of urgency, the same rules apply. Stop and consider any message before taking any action suggested in the email.
Phishing campaigns often target crises, major world events, and news of sports tournaments to influence users to click links or download email attachments. Any news that is current and attracting a lot of interest is more likely to lead to users taking the desired action.
There have been many Syrian refugee phishing campaigns run recently that take advantage of compassion to infect users with malware and obtain their credentials. Now cybersecurity researchers at MalwareHunterTeam have discovered a ransomware campaign that is using the dire situation in Syria to convince victims to pay the ransom, by claiming that the ransom payments will go to a very good cause: assisting refugees.
Infection with what has been labelled RansSIRIA ransomware will see the victim shown a ransom note that claims all ransom payments will be sent to the victims of the war in Syria. A link is also given for a video showing the seriousness of the situation in Syria, along with links to a World Vision document outlining the plight of children caught in the middle of the war.
While the document and images are authentic, the claim of the hackers probably is not. There is no evidence that any of the ransom payments will be sent to the victims of the war. If infected, the advice is not to pay and to try to recover files by other methods.
There are various different reasons why organizations need to archive their emails nowadays. Emails can contain valuable intellectual property that needs to be protected against loss. Intellectual property, a set of ideas, inventions, and designs, is the thing which gives your business value. For example, Google’s intellectual property is the secrets of their search algorithm.
The term intellectual property can include intangible property such as patents, trademarks and copyrights. These are registered with government agencies responsible for recording such property. If we take, for example, the case of a new sorting algorithm or a new chip design, the detailed design documents become a matter of public record where the details of that invention are noted so that someone cannot steal or copy it. If they are stolen or copied, the rights holder can claim infringement.
But trade secrets take on many different formats, such as emails and documents attached to emails. Regardless of what system you use for messages, Exchange or Zimbra, they contain the complete chronological history of the development of your product from conception, to its release, all the way to its revision.
The importance of a reliable archive
Technologies have changed a lot over the years. As a result, these documents have been stored in different repositories over the years. Originally, they were stored on shared drives. Following this they were stored in Lotus Notes, then SharePoint. Data should be migrated as a company switches from one platform to another. However, there is the risk that the document or email you wrote 7 years ago and saved on a shared mount point on the LAN could accidentally go missing. Hence the importance of a reliable system. In addition to this, losing archived documents and their attachments could potentially subject the company to significant regulatory and legal risk.
Legislation related to document retention
The government has specific requirements for document retention. These requirements exist in the EU but are stricter in the US.
As a consequence of the Enron bankruptcy, the Sarbanes-Oxley (SOX) act was passed. This was so companies could document the accuracy of their financial statements. In terms of health care, reform came in the shape of the Health Insurance Portability and Accountability Act (HIPAA).
As a result of the recent Recession and the collapse of Lehman Brothers came Dodd-Frank, which is an update to Gramm-Leach-Bliley.
The reasoning behind all of this legislation is to make it obligatory for companies to keep electronic records so that they can produce them in the case of litigation, accusations of fraud or whatever dispute a company has with stockholders, stakeholders, or regulators. If you happen to be accused of tampering with any electronic records, it is possible you could face jail time of up to 20 years. The SOX record retention requirement is 5 years; for HIPAA it is 6 years. However, to avoid falling foul of litigation rules, it is best to keep a permanent archive.
Protection of intellectual property
You should not only protect the blueprint for a product that needs protection, you should also protect its evolution. In the case of your company bringing action against a competitor for patent infringement or copyright violations, you will require email to document the trail that led to the development of this product. The emails between executives, customers and vendors will help the attorneys make the case that the competitor is profiting through another’s intellectual property.
From discovery to e-discovery
E-discovery is the new phrase that has replaced what attorneys used to call discovery. Archiving is becoming more and more crucial. Failure to maintain an archive could constitute a breach of regulations or even result in contempt of court.
There are a number of different email archiving systems. One method is copying PST and NSF data files to long-term storage, then importing this data back online when you are looking for something from a few months or a few years ago. The drawback of this method is that it can prove inflexible and quite awkward. It is comparable to exporting an Oracle database to archive format and then importing it back when you are looking for something that is offline.
A superior method of email archiving is to store it in a manner that does not appear offline to the user at all. This is precisely what a cloud email archiving vendor does. The benefit of this kind of configuration is that it lets users search the archive and retrieve documents into the active email folders. Using a cloud email archiving system such as ArcTitan will automatically put you in compliance with the rules for off-site, secure, and tamperproof archives.
Benefits to keeping a protected archive
- Your company may need the documents kept in the archive in the case of lawsuits, for example unlawful dismissal, product liability, or criminal complaints.
- The archive is also vital in the case of vendor or contract disputes and issues surrounding product warranties. These are almost always found in emails, e.g. invoices, scanned contracts, and agreements.
- The archive is also important if your company were to lose the technical details of how to do something today that may have been done 5 years ago, when the employee who designed that was still a part of the company.
In summary, there is a wide array of reasons showing that organizations need to archive emails. Therefore you should aim to reduce risk to your business by putting your email archive in the secure cloud with a company that focuses on that such as ArcTitan.
A number of new AutoHotKey malware variants have been seen in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The most recent discovery – Fauxpersky malware – is very adept at stealing passwords.
AutoHotKey is a widely-used open-source scripting language. AutoHotKey makes it easy to set up scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to work with the local file system and the syntax is easy, making it straightforward to use, even without much technical expertise. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.
The simplicity of AutoHotKey has attracted malware developers, and AutoHotKey malware is now used for keylogging and to download other malware variants including cryptocurrency miners; the first of the latter was noticed in February 2018.
Many other AutoHotKey malware variants have since been found with the latest called Fauxpersky, so named because it masquerades as Kaspersky antivirus.
Fauxpersky malware is not complex, but it can be considered a serious threat – one that can cause considerable harm. If not noticed, it allows the hackers to steal passwords that can be used for highly damaging attacks and give the attackers a stranglehold on the network.
Fauxpersky malware was first seen by security researchers Amit Serper and Chris Black. The researchers stated in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could permit the authors to obtain passwords to gain access to data.
Fauxpersky infects USB drives, which are used to carry the malware between devices. The malware can also copy itself across the system’s listed drives. Communication with the hackers takes place via a Google Form, which is used to send stolen passwords and keystroke logs to the hackers’ inbox. Since the transmission is encrypted, traffic monitoring systems do not recognize it as data exfiltration.
Once installed, it renames the drive, appending “Protected by Kaspersky Internet Security 2017” to the drive name. The malware logs all keystrokes made on a system and also adds context to help the hackers determine what the user is doing: the title of the window where the text is being typed is recorded in the text file.
Once the keystroke log has been sent, it is erased from the hard drive to avoid detection. The researchers reported the new threat to Google, which rapidly took down the malicious form, although others may well be set up to take its place.
AutoHotKey malware will probably not replace more powerful scripting languages like PowerShell, although the increase in use of AHK and the number of new variants detected in recent weeks suggest it will not be abandoned soon. AHK malware has now been seen with several obfuscation functions to make it harder to spot, and many AV vendors have yet to add the capability to detect this type of malware. For now, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to illegally obtain passwords.
The rapid growth in the value of cryptocurrencies has been accompanied by concurrent growth in email campaigns spreading cryptocurrency mining malware. There has also been a big increase in new mining malware variants, with three new malware variants discovered in the past week. Conservative estimates indicate one malware variant has already been downloaded on at least 15 million systems, although the true figure could well be nearer to 30 million.
The data was released by the cybersecurity firm Palo Alto Networks, which completed an analysis of the URLs used in the campaign using Bitly telemetry. It is difficult to determine how many systems have been impacted since Bitly is not the only URL shortening service being used in the campaign. AdFly is also in use, which indicates the number of infected systems could well be twice as many.
The malicious links for this campaign are being shared in spam email. Clicking the links will send the user to a malicious website containing executable files that download the Monero mining application XMRig using VBS scripts. The popularity of Monero mining is due to its smaller processor demands than cryptocurrencies such as Bitcoin. Monero mining can take place on less powerful computers such as those normally found in a home. In addition to spam email campaigns, the malicious executable files are being uploaded to popular file sharing websites.
Cryptocurrency mining malware does not seem like such a big threat to organizations as other forms of malware and ransomware, but there are implications for companies. The malware does require a significant amount of processing power, so there will be an effect on performance on infected machines. Infection will see applications slow considerably, and that will damage productivity.
Campaigns are also being carried out that target businesses. The aim is to install cryptocurrency mining malware on business servers. These attacks are not email-based; instead flaws are identified and exploited to download the malware, with Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) flaws commonly exploited.
You will probably already have been sent email requests from companies asking if they can continue contacting you via email, as that is one of the requirements of GDPR. GDPR requires consent to be received to use – or continue to use – personal data. With previous privacy policies failing to adhere to the new EU law, email requests are being sent to all people on mailing lists and those who have previously registered on websites to re-obtain consent.
All businesses that have dealings with EU residents are required to adhere with GDPR, irrespective of their location. Emails are therefore being issued from companies far and wide. Consumers are receiving messages from businesses that they may have forgotten they had dealings with in the past. If personal data is still being stored, email requests are likely to be sent asking for permission to retain that data.
The huge number of emails now being sent relating to GDPR has created a chance for scammers. GDPR phishing scams have been created to fool users into revealing sensitive information under the guise of GDPR-related requests. There have been many GDPR phishing scams spotted in recent weeks. It is ironic that a regulation that aims to enhance privacy protections for EU residents is being used to violate privacy.
Apple Impersonated in New Phishing Scam
Phishers often impersonate large, familiar brands as there is a greater possibility that the recipient of the message will have an account with that company. The largest global brands – Netflix, PayPal, Apple, and Google – are all commonly impersonated.
These impersonation scams can be highly realistic. A request is sent via email that seems perfectly acceptable, the emails seem to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails include branding and images which are familiar, and the messages can be almost indistinguishable from authentic communications.
The aim is to get users to click on an embedded hyperlink, visit a spoofed version of the company’s website and log in. There is normally an urgent call to action, such as a security alert, threat of account closure, or loss of services.
Apple is one such brand that has recently been impersonated in GDPR phishing scams. The focus of the hackers is to get Apple customers to log in to a fake site and share their credentials. Once the credentials have been gathered, the scammers have access to the user’s account, which includes financial information, credit card details, and other personal details.
Airbnb GDPR Phishing Scams Discovered
Redscan recently discovered Airbnb GDPR phishing scams. Users of the home sharing platform are asked to update their contact details in order to comply with GDPR and continue using the platform. The request looks entirely reasonable given that so many firms are sending similar emails.
The emails purport to be from Airbnb customer service, include the correct images and branding, and direct users to a familiar-looking web portal that differs only in the domain name. Users are asked to re-enter their contact details and payment card details.
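The check a mail filter can apply to messages like the Apple and Airbnb ones above, as an added example (not SpamTitan's code): it flags links that lead away from the sender's domain, brand names inside domains the brand does not own, and urgent calls to action. The brand allow-list, the sample message and the example.net domain are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains each brand legitimately uses (assumption, not a real feed).
BRAND_DOMAINS = {"airbnb": {"airbnb.com"}, "apple": {"apple.com", "icloud.com"}}
# Urgent calls to action of the kind described above.
URGENCY = re.compile(r"suspend|closure|within \d+ (?:hours|days)|immediately", re.I)

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # href targets of every <a> tag in the body

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def registrable(host):
    """Crude registrable domain (last two labels); adequate for the .com brands used here."""
    return ".".join(host.lower().split(".")[-2:])

def analyse(raw):
    """Return (kind, detail) findings for one raw single-part HTML message."""
    msg = message_from_string(raw)
    sender = registrable(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_payload()
    extractor = LinkExtractor()
    extractor.feed(body)
    findings = []
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        domain = registrable(host)
        if domain != sender:  # link leaves the sender's own domain: likely a harvesting portal
            findings.append(("domain_mismatch", f"{host} is not under {sender}"))
        for brand, owned in BRAND_DOMAINS.items():  # brand name in a domain the brand does not own
            if brand in host and domain not in owned:
                findings.append(("brand_lookalike", f"{host} imitates {brand}"))
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(body):
        findings.append(("urgency", "urgent call to action present"))
    return findings

# Constructed sample imitating the Airbnb scam described above (example.net is a placeholder).
SAMPLE = """From: Airbnb Customer Service <noreply@airbnb.com>
Subject: Action required: update your details for GDPR
Content-Type: text/html

<p>Under the GDPR you must confirm your contact and payment details within 48 hours or your account will be suspended.</p>
<a href="https://airbnb-gdpr-update.example.net/login">Update my details</a>
"""
```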
A new threat, Saturn ransomware, has recently been identified by security researchers at MalwareHunterTeam. The malware takes its name from the extension it adds to encrypted files (.saturn).
Though it is simple enough to determine the ransomware variant used in an attack, this will be of little use to unsuspecting device owners as there is currently no decryptor available to rescue files.
Just one infection can rapidly spread laterally, encrypting files on the infected device as well as on database shares. Recovering files from backups may prove difficult, as Saturn ransomware searches for and erases shadow volume copies. It then clears the Windows backup catalog and turns off Windows startup repair.
If no viable backup is maintained, the victim must pay a ransom of around $300 in bitcoin per infected device. If payment is not made within 7 days of infection, the ransom doubles.
As with many new ransomware variants, attacks can come from anywhere, because the new variant is being provided to affiliates as ransomware-as-a-service.
Ransomware-as-a-service lets malware developers maximize the number of infections, and their profits, by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malware by taking advantage of weak security defenses. In exchange for their efforts, affiliates receive a percentage of the ransom payments that are made.
The developers of Saturn ransomware have made it very simple for affiliates. A portal has been set up that allows affiliates to obtain copies of the ransomware binary, either as .exe files or embedded in Office, PDF, or other documents. To encourage individuals to use this ransomware variant rather than other RaaS offerings, the developers are giving affiliates a large share of the ransom payments: 70%.
The simplicity of running campaigns, combined with the potential reward per infection, means many affiliates are likely to start using the new ransomware variant in their campaigns. The new variant is already being offered on various darknet forums.