Email Spam & Phishing Campaigns

Phishing and email spam are thought to cost businesses over $1 billion each year, and hackers are launching increasingly sophisticated campaigns to steal confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam still work is the language used within the communication. The message to “Act Now” because an account seems to have been impacted, or because a colleague seems to need urgent support, often causes people to act before they think.

Even experienced security consultants have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you do not know whether an email request is legitimate, try to verify it by contacting the sender independently of the information given in the email.
  • Never hand over confidential data or passwords requested in an email or on a web page you have arrived at by clicking a link in an email.
  • Turn on spam filters on your email, keep your anti-virus software up-to-date and turn on two-step authentication on all your accounts whenever you can.
  • Always use different passwords for separate accounts, and amend them frequently to stop being a victim of keylogging malware downloads.
  • Remember that phishing and email spam is not restricted to email. Watch out for scams sent through social media channels.

Phishing in particular has become a popular attack vector for hackers. Although phishing goes back to the first days of AOL, there has been a tenfold increase in phishing campaigns over the past 10 years reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can focus on small groups of people (spear phishing) or target executive-level management (whale phishing) in order to gather data or obtain access to computer systems.

The best way to safeguard yourself from phishing and email spam is to use the advice provided above and – most importantly – enable a reputable spam filter to block possibly unsafe emails from being sent to your inbox.

Advice on Spam

The main focus of our spam advice section is to keep you informed with the latest news on new email spam campaigns, email-based threats and anti-spam solutions that can be deployed to prevent those threats.

Email spam is more than an annoyance. Even if the amount of spam emails received by employees is relatively small, it can be a major drain on productivity, especially for groups with hundreds or thousands of employees. This section includes articles offering advice on how to reclaim those lost hours by cutting the number of messages that are delivered to your employees’ inboxes.

However, much worse than the lost hours are the malware and ransomware threats that arrive through spam email. Email is now the number one attack vector used by hackers to deliver malware and ransomware. Hackers are now using increasingly sophisticated methods to get around security solutions. Today’s spam emails use advanced social engineering tactics to trick end users into revealing login details and other sensitive information, and installing malicious software on their computers.

Major advances have also been made to malware and ransomware. Self-replicating worms are being used to infiltrate entire networks before ransomware attacks take place, maximizing the damage caused and the ransom payments that can be generated. The cost to industry is significant. In 2018 ransomware attacks resulted in $1 billion in losses by companies, with 2017 expected to see those losses increase to a staggering $4 billion. Blocking spam email messages before they reach inboxes is therefore an essential element of any cybersecurity policy.

Good spam advice can help groups take action promptly to reduce the danger of email-based attacks.

DattoCon2019 Sponsor TitanHQ Helps Solve MSP Woes in San Diego

TitanHQ is excited to announce it will be a sponsor of the upcoming DattoCon19 MSP conference in San Diego on June 17-19.

The three-day conference is the premier event for managed service providers in the United States. Industry-leading MSPs, industry experts, and vendors will be holding sessions where MSPs can gain valuable insights into the business, learn best practices for maximizing profits and boosting sales growth, and discover the myriad of opportunities to boost monthly recurring revenue (MRR). Training will be offered on Datto solutions and vendors will be on hand to answer questions and solve MSP problems.

The focus on improving business growth and profitability, learning sessions, and networking opportunities greatly benefits MSPs. On average, DattoCon attendees achieve an increase of 41% year-over-year growth in MRR compared to those that did not attend the conference.

TitanHQ will be on hand to provide MSPs with information on its three cloud-based MSP solutions.

DattoCon19 attendees are encouraged to visit TitanHQ at booth 23 at the conference to:

  • Learn about TitanShield, TitanHQ’s exclusive partner program for MSPs
  • Find out about the TitanHQ technology that provides the web security layer for Datto D200 and DNA boxes
  • Discover TitanHQ solutions for MSPs
    • SpamTitan Cloud – Spam filter offering phishing and malware protection
    • WebTitan Cloud – DNS Filter for content control and protection from web-based attacks
    • ArcTitan – Email archiving for compliance
  • Find out how to better protect Office 365 from email-based attacks
  • Discover the considerable benefits switching from Cisco Umbrella to WebTitan
  • Benefit from DattoCon19 show pricing

TitanHQ will also be running a daily raffle to win a bottle of vintage Irish whiskey and will be co-hosting two parties at DattoCon19: GasLamp District Takeovers on Monday 6/17 and Wednesday 6/19.

Rocco Donnino, Executive Vice President-Strategic Alliances, TitanHQ will be a panel member at the Datto Select Avendors!! Event on Monday June 17, between 3PM and 5PM.

This new event aims to solve some of the most pressing MSP problems with a panel of experts on hand to offer potential solutions.

TitanHQ Vintage Whiskey Raffle Winners

DattoCon Details

DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.

TitanHQ will be at booth 23

Contact the TitanHQ team in advance:

  • Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
  • Eddie Monaghan, MSP Alliance Manager, LinkedIn
  • Marc Ludden, MSP Alliance Manager, LinkedIn

TitanHQ Ranks Top in G2 Best Software Companies in EMEA 2019 List

The global user review website G2 has produced a list of the best software companies in EMEA in 2019, highlighting the companies that are the most loved by users of their products.

G2 is a business software and services review website that allows confirmed users of software products and services to give their honest feedback on the products and services that they use at their place of work on a day to day basis.

The G2 website now covers more than 80,000 products, has more than 750,000 user reviews, and is used by millions of business users to help them make smarter purchasing decisions.

“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.

The list was compiled after assessing more than 66,000 user reviews and examining more than 900 companies. Thanks to overwhelmingly positive feedback from users of its products, TitanHQ has earned top spot in the G2 Best Software Companies in EMEA 2019 List.

“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”

Free Bart Ransomware Decryptor Made Available

Bitdefender has created a free Bart ransomware decryptor that permits victims to unlock their files without meeting a ransom demand.

Bart Ransomware was first discovered in June 2016. The ransomware variant stood out from the others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a link to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process needs an Internet connection to transfer the ransom payment and get the decryption key.

Bart ransomware posed a major threat to corporate users. With most ransomware, blocking command and control communications at the firewall can prevent files from being encrypted; because Bart needs no C&C contact, corporate users had no such protection.

Bart ransomware was thought to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a large portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that implemented by Locky.

As with Locky, Bart ransomware encrypted a wide variety of file types. While early versions of the ransomware variant were fairly uncomplicated, later versions saw flaws addressed. Early versions of the ransomware variant prevented access to files by locking them in password-protected zip files.

The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force tactics. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was necessary. In later versions of the ransomware, the use of zip files was ended and AVG’s decryption technique was rendered ineffective. The encryption process used in the more recent versions was much stronger and the ransomware had no known weaknesses.

Until Bitdefender developed the most recent Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.

Luckily, Bitdefender was able to create a Bart ransomware decryptor from keys supplied by Romanian police, which were obtained during a criminal investigation. The Bart ransomware decryptor was created by Bitdefender after working with both the Romanian police and Europol.

From April 4, 2017, the Bart ransomware decryptor has been made available for free installation from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to see if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.
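The article notes that the extension appended to encrypted files tells you whether Bart was the culprit. The following triage script is an added example, not Bitdefender's decryptor or any No More Ransom tool: it lists files carrying the extensions named above and measures their byte entropy, so a genuinely encrypted file (entropy close to 8 bits per byte) can be told apart from a file that was merely renamed. The directory tree it builds is constructed for the demonstration.

```python
# Added example (not Bitdefender's or the No More Ransom tool): incident-
# response triage for files carrying Bart's extensions, with an entropy
# check. The sample directory tree is constructed for the demonstration.
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article attributes to Bart.
BART_SUFFIXES = (".bart.zip", ".bart", ".perl")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> list:
    """Return sorted (relative path, suffix, entropy) for files with a Bart suffix."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        for suffix in BART_SUFFIXES:
            if name.endswith(suffix):
                ent = round(shannon_entropy(p.read_bytes()), 2)
                hits.append((p.relative_to(root).as_posix(), suffix, ent))
                break
    return sorted(hits)


def build_sample_tree(root) -> None:
    """Constructed victim directory: two encrypted files, one renamed file, one untouched."""
    root = Path(root)
    (root / "docs").mkdir()
    # Stand-in for ciphertext: every byte value appears equally often (entropy 8.0).
    pseudo_cipher = bytes(range(256)) * 16
    (root / "docs" / "budget.xlsx.bart").write_bytes(pseudo_cipher)
    (root / "docs" / "minutes.docx.bart.zip").write_bytes(pseudo_cipher)
    (root / "docs" / "readme.txt").write_text("plain text, untouched")
    # Renamed but not encrypted: its low entropy exposes it as a false positive.
    (root / "notes.txt.perl").write_text("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for path, suffix, ent in run_demo():
        flag = "encrypted" if ent > 7.0 else "renamed only?"
        print(f"{path:32} {suffix:10} entropy={ent:.2f}  {flag}")
```

Run it against a copy of the affected share rather than the live system; the entropy column is what separates files worth feeding to the decryptor from files that only need renaming back.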

Although Bart ransomware is thought to have links to Locky, there is no indication that keys have been obtained that would permit a Locky ransomware decryptor to be created. The best form of protection against attacks is blocking spam emails to stop infection and ensuring backups of all sensitive data are in place.

Web Filtering – DNS Based

DNS based web filtering employs cloud technology to deliver an Internet content filtering service equally as effective as hardware or software solutions, but without the capital expenditure and high maintenance overheads of either. As with most cloud-based technologies, DNS based web filtering is convenient and reliable, and – vital for many businesses these days – scalable.

Additionally, in order to be fully effective against online threats, any Internet filtering solution has to have SSL inspection in order to review the content of encrypted web pages. Whereas SSL inspection can drain CPU resources and memory when incorporated in hardware and software solutions, with DNS based web filtering the inspection process is done in the cloud – thus enhancing network performance.

In order to filter Internet content through the Domain Name System (DNS), you need to sign up for a web filtering service. The service provider gives you a browser-based account; you sign in, add your external IP address and set your web filtering policy. Then you simply redirect your DNS settings to point at the service provider's web filtering service.

If you have multiple web filtering policies for different roles within your group, directory services such as LDAP and Active Directory can be integrated with the web filtering service. It is also possible to deploy a DNS proxy for per-user reporting and select from a number of predefined reports. Alternatively, it is a simple process to customize your own reports.

Because of the way in which DNS based web filtering works, it is compatible with every type of network and operating system. Multiple locations and domains can be managed from one management portal, and – due to the SSL inspection process being conducted in the cloud – end users will not experience the latency usually associated with hardware and software solutions.

The two most recorded reasons given for putting in place an Internet content filter are to safeguard the company from web-borne threats and to enforce acceptable use policies. DNS based web filtering achieves both these targets by using a three-tier mechanism for filtering Internet content. The three tiers work together to maximize the company’s security and stop users accessing material that could hinder productivity or cause offense.

The first tier consists of SURBL and URIBL filters. These are commonly referred to as blacklists: they compare each request to visit a website against IP addresses from which malware downloads, phishing attacks and spam emails are known to have originated. When a match is found, the request to visit the website is denied. Blacklists are supplied and updated by your service provider.

Behind the blacklists, category filters and keyword filters provide the second and third lines of security. These can be applied by system administrators to stop users visiting websites within certain categories (social networking for instance), or those likely to contain material that would be inappropriate for an office setting. Keyword filters can also be used to prevent users obtaining specific content or web applications, or downloading files with extensions most associated with malware.

Exemptions to general policies can be applied to a user or user group if access to a website or web application is required by a department within the company. For instance, you may not want your employees to engage in personal Internet banking during working hours, but it is likely vital that your finance department has access to online banking services. Similar exemptions could be made (say) if your marketing department needed access to the company's Facebook or Twitter accounts.
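The three tiers and the group exemptions described above fit together as a small policy engine. The code below is an added illustration, not WebTitan or TitanHQ code: every domain, category, keyword and group exemption in it is constructed for the example, and real services populate these lists from provider feeds rather than from literals.

```python
# Added example (not WebTitan or TitanHQ code): a three-tier DNS content
# filter with per-group exemptions. All lists are constructed samples.
from dataclasses import dataclass, field

# Tier 1: threat blocklist (SURBL/URIBL-style), supplied by the provider.
BLOCKLIST = {"malware-drop.example", "login-secure-update.example"}

# Tier 2: category database for known domains.
CATEGORIES = {
    "facebook.com": "social_networking",
    "twitter.com": "social_networking",
    "onlinebank.example": "banking",
    "wiki.example": "reference",
}

# Tier 3: keyword and file-extension rules applied to the whole URL.
BLOCKED_KEYWORDS = ("casino", "torrent")
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js")


@dataclass
class Policy:
    blocked_categories: set
    # group name -> categories that group may reach despite the general policy
    exemptions: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    tier: str   # which tier decided: blocklist, category, keyword or none
    reason: str


def _split_url(url):
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return host.split(":")[0].lower(), "/" + path.lower()


def _lookup_domain(host, table):
    """Return host or its closest parent domain present in table, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def evaluate(url, user_groups, policy):
    host, path = _split_url(url)

    # Tier 1: blocklist. Checked first and never exempted.
    hit = _lookup_domain(host, BLOCKLIST)
    if hit:
        return Verdict(False, "blocklist", f"{hit} is on the threat blocklist")

    # Tier 2: category filter, honouring per-group exemptions.
    cat_host = _lookup_domain(host, CATEGORIES)
    if cat_host:
        category = CATEGORIES[cat_host]
        if category in policy.blocked_categories:
            exempt = any(category in policy.exemptions.get(g, ()) for g in user_groups)
            if not exempt:
                return Verdict(False, "category", f"category '{category}' is blocked")

    # Tier 3: keyword and extension rules.
    for kw in BLOCKED_KEYWORDS:
        if kw in host or kw in path:
            return Verdict(False, "keyword", f"URL contains blocked keyword '{kw}'")
    for ext in BLOCKED_EXTENSIONS:
        if path.endswith(ext):
            return Verdict(False, "keyword", f"downloads of {ext} files are blocked")

    return Verdict(True, "none", "allowed")


# General policy: social networking and banking blocked, with departmental exemptions.
POLICY = Policy(
    blocked_categories={"social_networking", "banking"},
    exemptions={"finance": {"banking"}, "marketing": {"social_networking"}},
)

if __name__ == "__main__":
    requests = [
        ("http://cdn.malware-drop.example/update.bin", {"finance"}),
        ("https://onlinebank.example/login", set()),
        ("https://onlinebank.example/login", {"finance"}),
        ("https://www.facebook.com/company", {"marketing"}),
        ("https://wiki.example/casino-history", set()),
        ("https://files.example/setup.exe", set()),
    ]
    for url, groups in requests:
        v = evaluate(url, groups, POLICY)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} [{v.tier}] {url}: {v.reason}")
```

The ordering is the security-relevant design choice: the blocklist tier runs first and cannot be exempted, so a finance user's banking exemption never lets a blocklisted phishing host through, and a request that passes the category tier is still subject to the keyword and extension rules.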

SpamTitan offers businesses a choice of DNS based web filtering solutions – WebTitan Cloud for companies with fixed networks, and WebTitan Cloud for WiFi for companies supplying a wireless service to end users. Both DNS based web filtering solutions have been created with maximum ease of use, maximum granularity and maximum defense against web-borne threats.

Along with being versatile and effective DNS based web filtering solutions, both WebTitan Cloud and WebTitan Cloud for WiFi are packed full of features to safeguard your company. Both solutions have best-in-class malicious URL detection, phishing protection and antivirus software – all of which is updated automatically. We also update our filtering mechanisms in real time – including the categorization of new websites as they are released.

Our service grows in line with your company, so you never have to be concerned about adding new users or even multiple networks. WebTitan Cloud and WebTitan Cloud for WiFi are infinitely scalable, with no bandwidth restrictions, and no latency issues. Unless you advise them, your users will never know they are being protected from web-borne threats until they try to visit an unsafe or inappropriate web page.

Benefits

  • No capital outlay or high maintenance overheads.
  • Convenient, trustworthy and infinitely scalable.
  • SSL inspection carried out in the cloud.
  • Enhanced network performance.
  • Supports unrestricted web filtering policies.
  • Compatible with every operating system.
  • Centralized, Internet-based management.
  • Can be used on fixed and wireless networks.
  • No bandwidth restrictions or latency problems.

If you would like to get a feel for the benefits of DNS based web filtering for free, do not hesitate to get in touch with us. We are offering firms the chance to try WebTitan Cloud or WebTitan Cloud for WiFi for free, with no set up costs or credit cards required, no contracts to complete, and no commitment to continue using our service at the end of the thirty-day trial.

To discover more about this opportunity, talk with one of our Sales Technicians today. They will answer any questions you have about DNS based web filtering and guide you through the process of establishing your free account. If you later require any help redirecting your DNS or navigating the management portal, we are always here to assist you.

Email Retention Legislation in the U.S.

Email retention laws in the United States require companies to maintain copies of emails for many years. There are federal laws applying to all companies and groups, data retention laws for specific industries, and a swathe of email retention laws in the United States at the individual state level. Ensuring compliance with all the proper email retention laws in the United States is vital. Non-compliance can prove incredibly expensive. Multi-million-dollar fines await any group found to have breached federal, industry, or state regulations.

All electronic files must be retained by U.S. groups, which extends to email, in case the information is required by the courts. eDiscovery requests often require massive volumes of data to be provided for use in lawsuits, and the failure to provide the data can land a group in serious trouble. Not only are heavy fines issued, groups can face criminal proceedings if certain data is erased.

For decades, U.S. groups have been required to store documents. Document retention laws are included in numerous legislative acts such as the Civil Rights Act of 1964, the Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986; however, just over 10 years ago, data retention laws in the United States were updated to expand the definition of documents to include electronic communications such as emails and email attachments.

To enhance awareness of the many different email retention laws in the United States, a summary has been included in this article. Please remember that this is for information purposes only and does not constitute legal advice. For legal counsel on data retention laws in the United States, we recommend you get in touch with your legal representatives. Industry and federal electronic data and email retention legislation in the United States are also subject to amendment. Up to date information should be sought from your legal team.

As you can see from the list here, there are several federal and industry-specific pieces of email retention legislation in the United States. These laws apply to emails received and sent, and include internal as well as external emails.

| Email retention legislation | Who it is applicable to | How long emails must be kept |
|---|---|---|
| IRS Regulations | All companies | 7 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years rising to 35 years |
| Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare groups (Healthcare providers, health insurers, healthcare clearinghouses and business associates of covered bodies) | 7 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities companies | Minimum of 7 years up to a lifetime |

Email retention legislation in the United States that is applied by each of the 50 states is beyond the scope of this article. There are also European Union laws, such as the GDPR email requirements.

Storing emails for a few years is not likely to take up masses of storage for a small company with a couple of members of staff. However, the more employees a group has, the greater the need for extensive resources just to store emails. The average size of a business email may only be 10KB, but multiply that by 123 – the average number of emails sent and received each day by an average company user in 2016 (Radicati email statistics report 2015-2019), and by 365 days in each year, and by the number of years that those emails need to be maintained, and the storage requirements become massive.

If any emails ever need to be retrieved, it is vital that any email archive or backup can be searched. In the case of standard backups, that is likely to be an incredibly long process. Backups were not created to be searched. Finding the right backup alone can be almost impossible, let alone finding all emails sent to, or received from, a specific company or person. Backups have their uses, but are not suitable for companies for email retention purposes.

For that, an email archive is necessary. Email archives contain structured email data that can easily be reviewed and searched. If ever an eDiscovery order is received, finding all email correspondence is a quick and simple task. Since many email archives are cloud based, they also do not require large storage resources. Emails are stored in the cloud, with the space provided by the service supplier.

ArcTitan is a cost-effective, quick and easy-to-manage email archiving solution supplied by TitanHQ that meets the needs of all businesses and enables them to comply with all email retention laws in the United States.

ArcTitan includes a variety of security protections to ensure stored data is kept 100% secure and confidential, with email data encrypted in transit and storage. As opposed to many email archiving solutions, ArcTitan is fast. The solution can process 200 emails per second from your email server and archived emails can be retrieved instantly through a browser or Outlook (using a plugin). Emails can be archived from any location, whether in the office or on the go via a laptop or tablet. There are no restrictions on storage space or the number of users. The solution can be scaled up to meet the needs of companies of all shapes and sizes.

To find out more about ArcTitan, get in touch with the TitanHQ team today.

Campaigns Delivering Marap and Loki Bot Malware Using ISO and IQY Spam Files

A spam email campaign aimed at corporate email accounts is being carried out to deliver Loki Bot malware. Loki Bot malware is an information stealer that can obtain passwords saved in browsers, email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging applications.

In addition to stealing saved passwords, Loki Bot malware can perform keylogging and download and run executable files. All data captured by the malware is sent to the hacker’s C2 server.

Kaspersky Lab security experts recorded an increase in email spam activity targeting corporate email accounts, with the campaign found to be delivering Loki Bot malware. The malware was sent hidden in a malicious email attachment.

The intercepted emails included an ISO file attachment. ISO files are images of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems can access the contents of the files without the need for any other software.

In this instance, the ISO file contains Loki Bot malware, and double clicking on the file will lead to the installation of the malware on operating systems that support the files (Vista and later).

It is relatively unusual for ISO files to be used to deliver malware, although not unheard of. Because end users are unfamiliar with ISO files being used for malware delivery, they may be more likely to try to open them.

The campaign used a wide variety of lures, including spoof purchase orders, speculative enquiries from businesses including product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known businesses such as Merrill Lynch, Bank of America, and DHL were among those impersonated in the emails.
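Because disc images and Excel web query files are unusual as legitimate business attachments, a mail gateway can quarantine them outright. The check below is an added example, not Kaspersky's or SpamTitan's code: it flags the ISO and IQY attachment types named in this section by extension and, more robustly, by content, so an image renamed to look like a PDF is still caught. The purchase-order message it builds is constructed for the demonstration.

```python
# Added example (not Kaspersky's or SpamTitan's code): gateway-side
# attachment triage for ISO and IQY lures, by extension and by content.
# The sample message is constructed for the demonstration.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = (".iso", ".iqy")  # the file types named in the article


def looks_like_iso9660(data: bytes) -> bool:
    # ISO 9660 volume descriptors start at sector 16 (byte offset 0x8000);
    # the standard identifier 'CD001' sits one byte into the descriptor.
    return len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001"


def looks_like_iqy(data: bytes) -> bool:
    # Excel Web Query files are plain text: a 'WEB' line, a version line,
    # then the URL Excel fetches when the file is opened.
    lines = data.splitlines()
    return len(lines) >= 3 and lines[0].strip().upper() == b"WEB"


def scan_attachments(raw_message: bytes):
    """Return [(filename, reason)] for attachments that violate the policy."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(BLOCKED_EXTENSIONS):
            findings.append((name, "blocked extension"))
        elif looks_like_iso9660(data):
            findings.append((name, "ISO 9660 image disguised under another extension"))
        elif looks_like_iqy(data):
            findings.append((name, "Excel Web Query disguised under another extension"))
    return findings


def build_sample_message() -> bytes:
    """Constructed purchase-order lure: three risky attachments and one harmless one."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Purchase order 4471"
    msg.set_content("Please find the attached purchase order.")
    # Minimal stand-in for an ISO image: zeros up to sector 16, then a
    # primary volume descriptor header (type 1, 'CD001', version 1).
    fake_iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(0x7F9)
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream",
                       filename="PO_4471.iso")
    msg.add_attachment(fake_iso, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"WEB\r\n1\r\nhttps://payload.example/pricelist.dat\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="pricelist.txt")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_attachments(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```

Content sniffing matters more than the extension list: the sender controls the filename and the declared MIME type, but not the bytes a disc image or web query file must contain to work once opened.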

Half a Million Routers Infected by VPNFilter Malware

What is believed to be a nation-state sponsored hacking group has managed to infect around half a million routers with VPNFilter malware.

VPNFilter is a modular malware that can carry out various functions, including monitoring all communications, launching attacks on other devices, stealing credentials and data, and even destroying the router on which the malware has been placed. While the majority of IoT malware infections – including those used to create large botnets for DDoS attacks – cannot survive a reboot, VPNFilter malware can.

The malware can be installed on the types of routers often used by small companies and consumers, such as those produced by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security experts at Cisco Talos who have been monitoring infections for some time.

The ultimate target of the hackers is unknown, although the infected devices could potentially be used for a wide variety of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as happened with BlackEnergy malware.

Since it is possible for the malware to turn off Internet access, the threat actors to blame for the campaign could easily stop large numbers of individuals in a targeted region from going online.

While the malware has been placed on routers around the world – infections have been seen in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased greatly in recent weeks.

While the investigation into the campaign is ongoing, the decision was taken to go public due to a huge increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a far more serious threat.

While the security researchers have not blamed Russia directly, they have found parts of the code which are identical to that used in BlackEnergy malware, which was used in many attacks in Ukraine. BlackEnergy has been linked to Russia by some security experts. However, BlackEnergy malware has also been deployed by other threat actors not believed to be tied to Russia, so the presence of the same code in both forms of malware is not solid proof of any link to Russia.

The FBI has gone an additional step by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the complex nature of the malware means it is the work of a particularly advanced hacking group.

Most of the infiltrated routers are aging devices that have not received firmware updates to address known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely obvious how devices are being infected although the exploitation of known flaws is most probable, rather than the use of zero-day exploits; however, the latter has not been eliminated.

Some progress has been made in disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to send information to the threat group behind the campaign. Without that domain, the hackers can neither manage the infected routers nor identify new devices that have been infected.

Making sure a router is updated and has the most recent version of firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Sadly, it is not easy to tell if a vulnerable router has been infected. Carrying out a factory reset of a vulnerable router is strongly recommended as a precautionary measure.

Resetting the device will not remove the malware, but it will succeed in removing some of the additional code installed on the device. However, those additional malware components could be installed again when contact is re-established with the device.

Zyklon Malware Spam Campaign Discovered

Hackers are focusing on the insurance, telecoms, and financial service sectors with Zyklon malware. A large-scale spam email campaign has been discovered that leverages three separate Microsoft Office vulnerabilities to install the malicious payload.

Zyklon malware has been seen before. The malware variant was first seen at the beginning of 2016, but it fell out of use soon after and was not extensively used again until the start of 2017.

Zyklon malware is a backdoor with a wide variety of malicious functions. The malware behaves as a password harvester, keylogger, and data scraper, obtaining sensitive data and obtaining credentials for further attacks. The malware can also be implemented to complete DoS attacks and mine cryptocurrency.

The most recent variant of Zyklon malware can install and run various plugins and additional malware variants. It can spot, decrypt, and steal serial keys and license numbers from over 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful, particularly nasty and damaging malware variant that is best avoided.

While the most recent campaign uses spam email, the malware is not delivered as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object run, it will lead to the download of a PowerShell script, using one of three Microsoft Office weaknesses.

The first vulnerability is CVE-2017-8759: a Microsoft .NET vulnerability that was addressed in a patch released by Microsoft in October.

The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol built into Office that allows data to be shared via shared memory. This protocol is used to deliver a dropper that will download the malware payload. This vulnerability has not been addressed with a patch, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.

The third vulnerability is much older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been in existence for 17 years. The flaw was only recently identified and patched by Microsoft in November.

The next stage of infection – the PowerShell script – serves as a dropper for the Zyklon malware payload.

According to the FireEye security experts who identified the campaign, the malware can remain unseen by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.”

Campaigns like this highlight the importance of applying patches quickly. Two of the vulnerabilities were patched in the autumn of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it is only a matter of time before the vulnerabilities are exploited.

FireEye researchers have warned that while the campaign is currently only focusing on three industry sectors, it is probable that the campaign will grow to target other industry sectors in the near future.

The advice is to put in place an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and to ensure that operating systems and software are kept up to date.

SpamTitan Named Leader in G2 Crowd Secure Email Gateway Performance Report

SpamTitan from TitanHQ has been named the leader in the Spring 2019 G2 Crowd Secure Email Gateway Performance Report.

Chicago, Illinois-based G2 Crowd was formed in 2012 to help businesses make the right software purchasing decisions. The company runs a peer-to-peer review platform that amalgamates software reviews to give business professionals an accurate picture of the usability of software solutions and how they match up to expectations.

Finding a software solution that ticks all the right boxes is one thing. Finding a solution that works in practice and is easy to use is another matter entirely. Many businesses only discover that a poor purchasing decision has been made after licenses have been purchased and a product has been implemented, by which time it is too late to change.

The G2 Crowd platform informs purchasing decisions and allows business professionals, investors, and buyers to make the right choice first time. The platform incorporates more than 500,000 user reviews and attracts more than 1.5 million visitors a month.

In addition to the website, G2 Crowd compiles and publishes a series of Grid reports each quarter. The Grid reports are based on customer satisfaction and market presence and let businesses know the best software solutions to purchase.

In order to be included in the Spring 2019 G2 Crowd Secure Email Gateway Performance Report, secure email gateway solutions had to have the following capabilities:

  • Ability to scan incoming messages for potentially malicious content
  • Scan for malware, viruses and other malicious code and filter out those messages
  • Allow whitelisting or blacklisting to control suspicious accounts
  • Securely encrypt communications
  • Incorporate email archiving functionality for compliance.

The secure email gateway solutions assessed for the report were offerings from TitanHQ, Cisco, McAfee, SolarWinds, Barracuda, Barracuda Essentials, Proofpoint, Symantec, MobileIron, Sophos, Security Gateway, and Mimecast.

Each solution was assessed and assigned a position in the G2 Crowd Grid. Niche solutions had a small market presence and a low customer satisfaction level; Contenders had a strong market presence but a low customer satisfaction level; High Performers had a low market presence but scored highly for customer satisfaction; and the Leaders quadrant contained products that scored highly for customer satisfaction and had a strong market presence.

SpamTitan was the out and out leader, scoring highest for customer satisfaction across all categories under assessment: Quality of support, ease of use, meets requirements, and ease of administration. Scores in those categories ranged from 90% to 94%.

TitanHQ, the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid Spring 2019 Report for Email Security.

97% of users of SpamTitan gave the product a score of 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to other businesses.

TitanHQ’s web security gateway was also rated in the Spring 2019 G2 Crowd Secure Web Gateway Performance Report, and was named a Strong Contender, achieving a score of 94% compared to the average of 87%.

“Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success” said Ronan Kavanagh, CEO, TitanHQ.

Webinar: New SpamTitan Updates and How They Protect Against Zero-Day and Email Impersonation Attacks

TitanHQ has been developing cybersecurity solutions for SMBs, SMEs, and MSPs for more than 25 years. During that time, the threat landscape has changed dramatically, which has called for regular updates to its cybersecurity solutions to ensure they continue to protect against the latest threats.

In the past couple of years, the number of email attacks on businesses has skyrocketed, and the methods used to spread malware and phish for sensitive information have become much more sophisticated.

TitanHQ regularly performs updates to its cybersecurity solutions to respond to the changing tactics of cybercriminals and the latest update to SpamTitan has seen even more powerful features added to take protection against email threats to the next level: Sandboxing and DMARC authentication.

The sandboxing feature serves as a secure container where suspicious email attachments can be analysed in detail to determine whether they perform any malicious actions. The Bitdefender-powered sandbox is used to execute suspicious files where they can cause no harm, and monitor for C2 calls, and suspicious and malicious actions.

This new feature helps to ensure that more genuine email messages and attachments are delivered, and zero-day malware threats are detected and eradicated from the email system.

DMARC authentication has also been incorporated, which provides greater protection against email impersonation attacks that spoof legitimate senders. It has become increasingly common for cybercriminals to spoof domains to make phishing emails appear genuine and bypass standard email filtering controls. By using DMARC to verify the sending domain, detection of phishing and spear phishing emails has been greatly improved.

TitanHQ will be explaining these two new features, how they work, and their benefits for SMBs, SMEs, and MSPs that serve the SMB/SME market in an upcoming webinar.

If you are a current SpamTitan customer and would like to learn more about these new features, an MSP looking for a powerful email security solution to protect your clients, or you work at an SMB/SME and want to improve your email defenses, register for the webinar and find out more about the new and improved SpamTitan.

Webinar Information:

Date: Thursday, April 4, 2019

Time: 12pm, EST

The webinar will last 30 minutes, and advance registration is necessary.

Ransomware CryptXXX Emails Discovered

CryptXXX has quickly become one of the main strains of ransomware, although until recently infection was only possible via malicious websites. Now IT experts at Proofpoint have discovered CryptXXX ransomware emails: the group behind the attacks has created a new attack vector. CryptXXX ransomware emails include a Word document containing a malicious macro. If the macro is permitted to run, it loads a VB script into memory, which uses PowerShell to contact the attackers’ command and control server. Once a connection has been established, CryptXXX is installed on the victim’s computer. The ransomware’s authors have realized the benefits of an affiliate model for infecting machines, and a number of new players have joined the ransomware market as a result.

If a “ransomware kit” is supplied, individuals with little hacking expertise can run their own ransomware campaigns. The ransomware authors charge a nominal amount for the kit and also take a share on the back end: when an affiliate infects a computer and a ransom is paid, the authors receive a cut of the payment. This model works well, and there is no shortage of hackers willing to try their hand at running ransomware campaigns. According to Proofpoint, the CryptXXX ransomware emails are being distributed by an affiliate with ID U000022.

Spotting CryptXXX Ransomware Emails

The CryptXXX ransomware emails are being transmitted with a subject line of “Security Breach – Security Report #Randomnumber.” The emails include only basic details about a supposed security breach that has happened. The security report is sent as an attached Word document. The body of the email includes the date, time of the attack, the provider, location, IP address, and port. The email recipient is told to open the file attachment to view details of the attack and find out about the actions that should be implemented.

According to Proofpoint, the attachment has a name such as “info12.doc”. If the attached Word file is opened, a Microsoft Office logo is displayed and the user is told that the document was created in a newer version of Microsoft Office and that its content will only be shown if macros are enabled. Enabling macros loads the VB script, after which the ransomware is installed and the user’s files are encrypted.

There is no way to undo the encryption once it has happened. After an infection, the victim must either pay the ransom or restore the files from backups; without a backup, the files are lost.

CryptXXX Ransomware Still Being Sent by Neutrino

Since the demise of the Angler exploit kit, CryptXXX has been distributed via Neutrino. There was a dramatic drop in infections while activity temporarily stopped; however, Invincea recently reported a surge in activity via compromised company websites. The SoakSoak botnet is being used to scan the Internet for vulnerable websites. The websites being hit run the WordPress Revslider slideshow plugin. Scripts appended to the slideshow send visitors to a malicious site hosting Neutrino.

CryptXXX will only be installed if the endpoint lacks specific security tools that would detect an installation. If Wireshark, ESET, VMware, Fiddler, or a Flash debugging utility is present, the ransomware will not be installed.

TitanHQ Adds DMARC Authentication and Sandboxing to SpamTitan

TitanHQ is pleased to announce that the SpamTitan email security solution for SMBs and managed service providers (MSPs) has been updated and has two brand new features to improve detection rates of zero-day malware, advanced persistent threats (APTs), and sophisticated phishing attacks.

From today, users of SpamTitan and all new customers will benefit from DMARC email authentication for incoming messages and advanced protection from new malware threats with a new sandboxing feature. Both of these new features have already been rolled out and have been made available at no extra cost.

SpamTitan has already become the gold standard for email security for SMBs and the MSPs serving the SMB market. With SpamTitan in place, all incoming messages are checked using award-winning anti-malware technologies. Static analysis and advanced behavior detection technologies ensure catch rates in excess of 99.9% and a low false positive rate of just 0.03%. The new sandboxing feature will improve catch rates and reduce false positives further.

When emails pass SpamTitan’s checks, files attached to the emails will be sent to the sandbox for in-depth analysis. The sandbox is a quarantine area from which there is no escape. When files are detonated in the sandbox, their actions can be studied without causing any harm.

All actions of the files are recorded, including attempts to evade detection. The Bitdefender-powered sandbox leverages purpose-built, advanced machine learning algorithms, conducts aggressive behavior analysis, and studies anti-evasion techniques. A memory snapshot comparison is also conducted to detect previously unknown threats.

The sandbox is used for testing application files, executable files, and documents for malicious actions. The results of the analysis are then checked against online repositories to identify potentially malicious actions. If the files are determined to be malicious, they are quarantined and the threat intelligence is passed to Bitdefender’s cloud threat intelligence service. All Bitdefender and SpamTitan users will then be automatically protected if that threat is encountered again.

The new sandboxing feature takes SpamTitan threat protection to the next level and provides superior protection against elusive threats in the pre-execution stage, including targeted attacks, obfuscated malware, custom malware, ransomware, and APTs.

DMARC is the gold standard for protecting against email impersonation attacks. These attacks impersonate known contacts, government agencies, and well-known brands, with email messages appearing to have been sent from their trusted domains. DMARC authentication allows these email impersonation attacks to be detected and blocked.
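Both the webinar note above and this announcement describe DMARC as the check that lets a gateway detect a message whose visible From domain is not backed by the domain owner. What that check actually computes is shown below in an added example written for this page; it is not SpamTitan's code and not a full RFC 7489 implementation. It assumes the gateway has already evaluated SPF and DKIM and only needs to apply the published record: the organizational domain is approximated as the last two labels (a real verifier consults the Public Suffix List), pct= sampling is treated as 100, and the record, domain names and results are constructed.

```python
"""DMARC disposition for one inbound message (added example).

Given the domain's published DMARC record and the SPF/DKIM results the gateway
already computed, decide whether the message passes DMARC or gets the domain
owner's p= / sp= policy applied.  Alignment and policy selection follow RFC 7489;
pct= sampling is ignored (treated as 100).
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.
    Assumption for this example: a real verifier uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the
    same organizational domain.  Alignment is what stops a spoofer from passing
    SPF/DKIM for a domain they control while displaying someone else's From."""
    if not auth_domain:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # MAIL FROM domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str   # d= tag of the signature that verified


def dmarc_disposition(record: str, policy_domain: str, r: AuthResults) -> str:
    """Return 'pass' or the policy to apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain gets the sp= policy when the owner published one.
    is_subdomain = r.from_domain.lower().rstrip(".") != policy_domain.lower().rstrip(".")
    return tags["sp"] if is_subdomain and "sp" in tags else tags["p"]


# Constructed record and authentication results for an imaginary domain.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s; rua=mailto:dmarc@bank.example"

# Spoofer passes SPF and DKIM for a domain they own, but it does not align.
SPOOFED = AuthResults("bank.example", "pass", "bulk-mailer.example", "pass", "bulk-mailer.example")
# Genuine mail relayed through a third party: SPF fails, DKIM from bank.example aligns.
GENUINE = AuthResults("bank.example", "fail", "bulk-mailer.example", "pass", "bank.example")
# Subdomain sender signed with the parent domain's key: strict alignment fails.
SUBDOMAIN = AuthResults("news.bank.example", "none", "", "pass", "bank.example")

if __name__ == "__main__":
    for label, res in (("spoofed", SPOOFED), ("genuine", GENUINE), ("subdomain", SUBDOMAIN)):
        print(label, dmarc_disposition(RECORD, "bank.example", res))
```

The third case is the one that trips up real deployments: with adkim=s a parent-domain signature does not cover mail from a subdomain, so the message falls to the sp= policy, whereas the relaxed default would accept it.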

These two new features have been provided at no extra cost and are immediately available to current users of SpamTitan products to provide even greater protection against the most difficult to detect threats.

Should You Block File Sharing Websites to Stop Malware Infecting Your Network?

There are some very valid reasons why you should block access to file sharing websites. These websites are mainly used to share pirated software, music, films, and TV shows. While it is improbable that a copyright owner would take action against an employer for failing to stop the illegal sharing of copyrighted material, it is an unnecessary legal risk.

However, the chief risk from these websites is malware. Research completed by IDC in 2013 found that, across 533 tests of websites and peer-to-peer file sharing networks, downloading pirated software led to spyware and tracking cookies being installed on users’ computers 78% of the time. More concerning, Trojans were downloaded with pirated software 36% of the time.

A survey carried out on IT managers and CIOs at the time showed that malware was downloaded 15% of the time with the software.  IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.

Even browsing on torrent sites can be harmful. This week Malwarebytes said that visitors to The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site that had the Magnitude exploit kit which was used to install Cerber ransomware onto users’ devices.

A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 47 different anti-virus services. The research team found that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.

Organizations can monitor devices and check for unauthorized software downloads; however, by the time a software installation has been identified, malware is likely to have been downloaded already. A recent Verizon report indicates that, on average, hackers are able to extract data within 28 minutes of obtaining access to a system.

One of the simplest ways to manage risk is to block file sharing websites including P2P and torrent sites. A web filter can be easily set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being installed, including keygens and other executables.

By preventing access to file sharing websites organizations can ensure that copyright-violating activities are stopped and malware risk is effectively handled. Additionally, web filters can be used to block web-borne threats including phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.

Choosing not to block file sharing websites could turn out to be expensive for a company. It is far better to block possibly dangerous websites and online activities than to have to cover the cost of removing malware infections and managing with data breaches.

Practical Approach Vital for Network Security

The best security against malware, spam, hacker attacks, policy breaches and other email and web threats is a layered set of defenses in which software, services, hardware and policies are combined to safeguard data and other assets at the network, system and application tiers. However, an obvious but often-disregarded layer in this cake of protection is the common sense of your staff, one of the critical layers for stopping threats from gaining a foothold. As the saying goes, ‘just because you can, doesn’t mean you should’; this is where common sense matters.

Spear phishing is an increasing issue where a targeted false email that seems to be legitimate is sent to individuals or a company in order to obtain data. For instance, by looking at a Facebook page of someone with whom I am not connected, I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a cat named Lou, is a member of the Agent Leadership Council at a southern California realty organization, likes ice skating, resides in Thousand Oaks, speaks French, and took a vacation to Orlando on February 11th. If I was a hacker intent on sending her a spearphishing email – perhaps with the intent of infecting her PC with Zeus – I could use these details to craft an email that she would be likely to click on. For example, an email with the title “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or maybe even a LinkedIn invitation that includes personal details, would likely get her attention and increase the possibility of her becoming a victim of a spear phisher. This is not to say that this Facebook customer lacks common sense, but the details she has posted could be used against her and her company and need to be looked at in that light.

Spam filtering technology is successful at blocking spam emails that include links to malware sources (albeit with some spam filters more effective than others). The RSA exploit in April 2011, in which some staff members received an email with an Excel attachment, was due to spearphishing emails that were effectively quarantined by spam filtering technology but later opened by staff members from the quarantine. A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 workers, 11% of whom clicked on a malicious link. Many users are not adequately cautious when asked for information. For instance, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook hacking scam was doing the rounds asking respondents to create their royal wedding guest name. This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim lived when they were younger – all likely responses to security questions one might be asked when resetting a password.

TitanHQ 2019 Schedule of MSP Roadshow Events

TitanHQ kickstarted its 2019 MSP roadshow program on February 14 with events in London and Florida. The 2019 season will see the TitanHQ team attend 15 roadshows and conferences in Ireland, Canada, the Netherlands, the UK, and the USA and meet new and prospective MSP partners, Wi-Fi providers, and ISPs.

In the summer of 2018, TitanHQ formed a strategic alliance with Datto which saw WebTitan Cloud and WebTitan Cloud for WiFi web filtering solutions incorporated into the Datto networking range. TitanHQ has been working closely with Datto MSPs ever since and has been helping them add web filtering to their security stacks and start providing their clients with world-class web filtering services.

Following on from a highly successful series of Datto roadshows in 2017, the TitanHQ team is back on the road and will be attending 7 Datto roadshow events over the coming 5 months, finishing off at DattoCon in June. The campaign started today at the TitanHQ-sponsored Datto Roadshow in Tampa, Florida. TitanHQ Alliance Manager Patrick Regan attended the roadshow and has been meeting with MSPs to explain WebTitan Cloud, WebTitan Cloud for WiFi, SpamTitan, and ArcTitan, and how they can benefit MSPs and help them build a high-margin security practice.

For two years now, TitanHQ has been a member of the IT Nation community and has been helping MSPs get the most out of TitanHQ products to better serve the needs of their clients. It has been a great learning experience and a thoroughly enjoyable couple of years. The first of three IT Nation events took place today: the IT Nation Q1 EMEA Meeting in London. The event was attended by TitanHQ Alliance Manager Eddie Monaghan, who will be helping MSPs discover TitanHQ email security, DNS filtering, and email archiving solutions all week.

TitanHQ Alliance Manager, Eddie Monaghan.

If you were unable to attend either of these events, there are plenty more opportunities to meet with TitanHQ over the coming months. The full schedule of events that will be attended by members of the TitanHQ team is detailed below. We look forward to meeting you at one of the upcoming roadshow events in 2019.

TitanHQ 2019 MSP Roadshow Dates

February 2019

Date               Event                                 Location
February 14, 2019  IT Nation (HTG) Q1 EMEA Meeting       London, UK
February 14, 2019  Datto Roadshow                        Tampa, FL, USA

March 2019

Date               Event                                 Location
March 5, 2019      CompTIA UK Channel Community          Manchester, UK
March 7, 2019      Datto Roadshow EMEA                   Dublin, IE
March 11, 2019     CompTIA Community Forum               Chicago, IL, USA
March 12, 2019     Datto Roadshow NA                     Norwalk, CT, USA
March 19, 2019     Datto Roadshow EMEA                   London, UK
March 26, 2019     Datto Roadshow EMEA                   Houten, Netherlands
March 26, 2019     Datto Roadshow NA                     Toronto, Canada

April 2019

Date               Event                                 Location
April 25, 2019     Datto Roadshow                        Long Island, NY, USA
April 29, 2019     IT Nation Evolve (HTG 2)              Dallas, TX, USA

May 2019

Date               Event                                 Location
May 6, 2019        Connect IT Global (Kaseya Connect)    Las Vegas, NV, USA
May 13, 2019       IT Nation (HTG) Q1 EMEA Meeting       Birmingham, UK
May 14, 2019       Wifi Now                              Washington DC, USA

June 2019

Date               Event                                 Location
June 17, 2019      DattoCon                              San Diego, CA, USA

New Ovidiy Stealer Password Stealing Malware Priced to Boost Sales

The malware known as ‘Ovidiy Stealer’ is password stealing software that will capture login details and send the information to the hacker’s C2 server. As with most other password stealers, information is captured as it is entered into websites such as banking portals, web-based email accounts, social media accounts and other online services.

However, even if a device is infected, the Ovidiy Stealer will not capture information entered via Internet Explorer or Safari. The malware is also not persistent and if the computer is rebooted the malware will stop trying to complete its task.

Sadly, if you use Chrome or Opera, your confidential personal data is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, as the malware is being regularly updated, support for other browsers is likely to follow soon.

Ovidiy Stealer is a new malware, first identified only a month ago. It is chiefly being implemented in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will soon be seen in other regions.

Proofpoint researchers, who first detected the password stealing malware, believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also believes that, in addition to email attachments, links to download pages are being used. Samples have been seen bundled with LiteBitcoin installers, and the malware is also being distributed through file-sharing websites, in particular via keygen software cracking programs.

New password stealers are released regularly, but what makes Ovidiy Stealer different, and particularly dangerous, is that it is being sold online at a very low price. Just $13 (450-750 Rubles) buys one build bundled into an executable ready for delivery in a spam email campaign. Because of the low cost, many malicious actors are likely to run campaigns to spread the malware, hence the range of attack vectors.

Would-be hackers willing to part with $13 can see the number of infections using a web control panel complete with login. Using the control panel they can manage their account, view the number of infections, build more stubs, and review the logs generated by the malware.

Safeguarding against malware such as Ovidiy Stealer demands caution, as it takes time before new malware is detected by AV solutions. Some AV solutions are already identifying the malware, but not all of them. As ever, when receiving an email from an unknown sender, do not open attachments or visit hyperlinks.

Threat of Exposure with Multiple Malware Infections Visible in Sextortion

Sextortion scams have been on the rise in the last six months. These scams typically threaten to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts, friends and family unless a payment is made.

A number of the recent sextortion scams have boosted their credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered that are using a different tactic to get users to pay up. The email template seen in this scam is similar to other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured using the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the text of the email, a password (probably an old password compromised in a previous breach), and a hyperlink that the victim is asked to click to download the video that has been created and see exactly what will soon be shared via email and social media networks.

Clicking the link in the email leads to the download of a zip file. The compressed file includes a document containing the text of the email and the supposed video file. That video file is really an information stealer: the Azorult Trojan.

This type of scam is even more likely to succeed than past campaigns. Many people who receive a sextortion scam email will see it as fake; however, the inclusion of a link to download a video may lead many people to download the file to see if the threat is real.

If the zip file is downloaded and the Azorult Trojan executed, it will silently gather data from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

The Azorult Trojan also installs a secondary payload: GandCrab ransomware. Once data has been gathered, the user’s personal files are encrypted: documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery is only possible if those files have been backed up and the backups were not also encrypted by the ransomware. Apart from accepting permanent file loss, the only other option is to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or to a personal email account that was accessed at work, files on the victim’s work computer will also be encrypted. As a record of the initial email will remain on the device, the reason the malware was downloaded will be clear to the IT department.

The key to not being tricked is to disregard any threats sent using email and never click links in the emails or click on email attachments.


Worst Passwords of 2018 Revealed

A recent study of commonly used passwords by Dashlane and Virginia Tech has revealed some of the worst passwords of 2018.

For the study, Virginia Tech researchers supplied Dashlane with an anonymized copy of 61.5 million passwords. The list was compiled from 107 individual password lists available on forums and in data archives, many of which came from previous data breaches.

The analysis of the list showed many common themes. These include the names of local sports teams: In the UK, common password choices witnessed were liverpool, chelsea and arsenal – the leading soccer teams in the Premier League.

Commercial brand names were also selected, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those websites.

Music and film references were often used, with Spiderman, superman, starwars, and pokemon all typical choices as were expressions of frustration – a**hole, bull****, and f***you were repeatedly chosen.

The Dashlane report indicates that despite warnings about the risk of using easy-to-remember passwords, end users are still opting for weak passwords. One very worrying trend is the use of seemingly safe passwords, which are anything but secure.

1q2w3e4r5t6y and 1qaz2wsx3edc may seem to be relatively secure passwords; however, the way they are constructed makes them easy to guess. They are certainly stronger than “password” or “letmein”, but not by much.

The passwords are formulated by a process that Dashlane calls password walking – the use of letters, numbers, and symbols beside each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same method is used with the incorporation of capital letters and symbols.

The study reveals that even though many firms require end users to set strong passwords, employees ignore password guidance or opt for passwords that pass security checks but are really not that secure.

What Makes a Strong Password?

A strong password will not be in the dictionary, will not use sequential numbers, and will not be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be at least 8 characters and should be unique: never used previously by the user, and never reused on a different platform.

Passwords should have at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 different letters. Include capitals and the possible options double to 52. There are 10 digits, growing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to decipher. However, randomly generated passwords are also very difficult to remember.

Recently, that issue has been recognized by the National Institute of Standards and Technology (NIST), which has refreshed its guidance on passwords (See special publication 800-63B).

While the implementation of random strings of characters and symbols makes passwords very difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have difficulty remembering their passwords and that leads to particularly dangerous behaviors such as writing the password down or keeping it in a browser.

NIST now advises the use of longer passphrases instead of passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave, for instance. Passphrases are more user-friendly and easier to remember, but are still safe – provided an adequate number of characters are used. If passphrases are encouraged instead of difficult-to-remember passwords, end users will be less inclined to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.

The minimum number of characters can be set by each group, but rather than capping passwords at 16 characters, companies should consider raising the limit to at least 64. They should also accept all printable ASCII characters, including spaces, and Unicode characters.

Since some end users will still try to choose weak passwords, it is vital to incorporate controls that prevent commonly used passwords from being set. Each password choice should be checked against a blacklist before it is accepted.
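As an added example (not code from the original article), here is a password-acceptance check that applies the rules above: a minimum length, a 64-character ceiling, a blocklist of common choices, a dictionary check, and detection of sequential runs and keyboard walks such as 1q2w3e4r5t6y, together with the 26/52/62/94 keyspace arithmetic. The blocklist and dictionary are constructed stand-ins for a breached-password corpus and a full word list.

```python
import math
import string

# Constructed stand-ins for the demo; a deployment would load a corpus of
# breached passwords (the article's blacklist) and a full dictionary.
BLOCKLIST = {"password", "letmein", "letmein!", "qwerty", "asdfghjk",
             "1q2w3e4r5t6y", "1qaz2wsx3edc"}
DICTIONARY = {"password", "welcome", "summer", "horse", "dave"}
MIN_LENGTH = 8    # the article's floor
MAX_LENGTH = 64   # the article says to allow at least this many

# US keyboard rows and columns; a "walk" is a run along either of them.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
SEQUENCES = [string.digits, string.ascii_lowercase]


def _has_run(text, patterns, min_run=4):
    """True if `text` contains `min_run` consecutive characters of any
    pattern, read forwards or backwards (abcd, dcba, 1234, 4321)."""
    text = text.lower()
    for pat in patterns:
        for p in (pat, pat[::-1]):
            for i in range(len(p) - min_run + 1):
                if p[i:i + min_run] in text:
                    return True
    return False


def is_sequential(pw):
    return _has_run(pw, SEQUENCES)


def is_keyboard_walk(pw):
    """Catches row walks (qwerty), column walks (1qaz2wsx3edc) and the
    interleaved row/column walk of 1q2w3e4r5t6y."""
    chars = "".join(c for c in pw if c.isalnum())
    if _has_run(chars, KEYBOARD_ROWS + KEYBOARD_COLS):
        return True
    # De-interleave: every other character of 1q2w3e4r is 1234 and qwer.
    return any(_has_run(chars[k::2], KEYBOARD_ROWS) for k in (0, 1))


def _core_word(pw):
    """Strip the digits and symbols users bolt onto a word (Summer2018!)."""
    return pw.lower().strip(string.digits + string.punctuation)


def check_password(pw):
    """Returns the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if pw.lower() in BLOCKLIST:
        problems.append("blocklisted")
    if _core_word(pw) in DICTIONARY:
        problems.append("dictionary word")
    if is_sequential(pw):
        problems.append("sequential characters")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    return problems


def charset_size(pw):
    """Alphabet the password draws from, using the article's counts
    (26 lower + 26 upper + 10 digits + 32 symbols = 94)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32
    return size


def keyspace_bits(pw):
    """log2 of the number of strings with this length and alphabet. This is
    an upper bound that assumes random choice, but it shows the trade-off the
    article describes: 8 random characters from all 94 symbols give about
    52 bits, while a 31-letter passphrase drawn from 52 symbols gives over 170."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))
```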

Schools Using Web Filtering

Web filtering for schools has been a requirement in order to qualify for E-Rate discounts on telecommunications and Internet services since the Children's Internet Protection Act (CIPA) was passed in 2000.

Following this, many states have also passed their own legislation making it a requirement for schools to filter the Internet to ensure children are safeguarded from harmful website content. So far, 24 states have developed legislation to stop children from accessing harmful images including pornography in schools and libraries.

Even in those states where web filtering for schools is not obligatory, lobby groups and parents’ associations have asked for more stringent controls over the content that can be accessed on school computers and through school networks. This makes web filtering for schools a requirement rather than an option.

While the chief purpose of web filtering for schools is to prevent access to obscene or harmful website content, many schools have opted to put in place a content filtering solution as a cybersecurity tactic. Web filters are used to stop malware downloads and block phishing attacks.

Previously, web filtering required a physical appliance to be placed on a firewall. Appliance based web filters have a number of weaknesses. Appliances are not cheap and need to be updated and maintained by IT support staff. They also restrict the number of users that can access the Internet. When capacity needs to be strengthened, new hardware needs to be bought.

Now a rising number of schools are choosing a lower cost solution. Cloud based web filtering for schools does not require the purchase of any additional hardware, saving schools thousands of dollars in equipment investment. There is also no need for IT teams to be on site. With a cloud-based solution, everything is hosted in the cloud and no software installations are required, so the entire system can be managed remotely. To get started, all that is needed is a simple change to the DNS settings to point them to the solution provider’s servers. That process usually takes only a very short time.

Is DNS Filtering an Effective Solution?

Anyone browsing online has to contend with a wide range of threats, some of which could lead to a bank account being emptied, sensitive information being exposed or accounts being compromised. Then there is ransomware, which could be used to prevent you from accessing your files if you do not have backups or opt not to pay the ransom.

The majority of websites now being created are malicious websites, so how can you stay safe online? One solution deployed by businesses and ISPs is the use of a web filter. A web filter can be set up to restrict access to certain categories of Internet content and block most malicious websites.

While it is possible for companies or ISPs to purchase appliances that are located between end users and the Internet, DNS filters allow the Internet to be filtered without having to buy any hardware or install any software. So how is DNS filtering operated?

How is DNS Filtering Operated?

DNS filtering – or Domain Name System filtering to give it its full name – is a technique for preventing access to certain websites, webpages, or IP addresses. DNS is what permits easy-to-remember domain names to be used – such as Wikipedia.com – rather than typing in IP addresses – such as 198.35.26.96. DNS maps domain names to IP addresses.

When a domain is bought from a domain register and that domain is hosted, it is given a unique IP address that allows the site to be found. When you try to access a website, a DNS query will be carried out. Your DNS server will look up the IP address of the domain/webpage, which will permit a connection to be made between the browser and the server where the website is hosted. The webpage will then be opened.

So how does DNS filtering operate? With DNS filtering set up, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain security measures. If a particular webpage or IP address is recognized as malicious, the request to access the site will be denied. Instead of connecting to a website, the user will be sent to a local IP address that will display a block page explaining that the site cannot be opened.

This control could be implemented at the router level, via your ISP, or by a third party – a web filtering service provider. In the case of the latter, the user – a business for example – would point their DNS to the service provider. That service provider keeps a blacklist of malicious webpages/IP addresses, and if a requested site is on that list, access is prevented.

Since the service provider will also categorize webpages, the DNS filter can also be configured to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for example. Provided a business sets up an acceptable usage policy (AUP) and configures that policy with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in connecting to safe websites that do not breach an organization’s acceptable Internet usage policies.
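The exchange described above, as an added example that is not part of the original article: a filtering resolver decides whether a queried name is allowed for the requesting group and builds the DNS answer itself, returning a local block-page address for blocked names and the upstream answer otherwise. The block-page address (10.0.0.53), the threat list, the category map, the AUP and the upstream resolver are constructed stand-ins; the Wikipedia address is the one quoted in the article.

```python
import ipaddress
import struct

BLOCK_PAGE_IP = "10.0.0.53"   # constructed: local host that serves the block page
BLOCK_TTL = 60                # short, so a later un-listing takes effect quickly

# Constructed provider data: known-malicious domains and a category map.
MALICIOUS = {"evil-login.example", "malware-cdn.example"}
CATEGORIES = {
    "casino.example": "gambling",
    "torrents.example": "file sharing",
    "videos.example": "streaming",
    "wikipedia.org": "reference",
}
# Acceptable usage policy per user group: categories that group may not visit.
# Groups without a policy are still protected against malicious domains.
AUP = {
    "staff": {"gambling", "file sharing"},
    "students": {"gambling", "file sharing", "streaming"},
}


def normalize(name):
    return name.rstrip(".").lower()


def matching_suffix(name, table):
    """Walk the labels from most specific to least so that
    login.casino.example inherits the listing of casino.example."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):        # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def decide(qname, group):
    """Returns (verdict, reason). The malicious list applies to everyone and
    is checked first; the AUP is then applied for the requesting group."""
    if matching_suffix(qname, MALICIOUS):
        return "block", "malicious"
    listed = matching_suffix(qname, CATEGORIES)
    if listed and CATEGORIES[listed] in AUP.get(group, set()):
        return "block", CATEGORIES[listed]
    return "allow", None


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in normalize(name).split("."))
    return out + b"\x00"


def build_a_response(query_id, qname, ip, ttl):
    """Minimal DNS response carrying a single A record for qname."""
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (no error).
    header = struct.pack("!HHHHHH", query_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # 0xC00C is a compression pointer back to the name in the question section.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def filtered_answer(query_id, qname, group, upstream):
    """Answers a query the way the filtering resolver would: the block-page
    address for blocked names, otherwise whatever `upstream` resolves."""
    verdict, reason = decide(qname, group)
    if verdict == "block":
        return verdict, reason, build_a_response(query_id, qname, BLOCK_PAGE_IP, BLOCK_TTL)
    ip, ttl = upstream(normalize(qname))
    return verdict, reason, build_a_response(query_id, qname, ip, ttl)


# Constructed stand-in for a real upstream resolver: name -> (address, TTL).
UPSTREAM_STUB = {
    "wikipedia.org": ("198.35.26.96", 300),
    "casino.example": ("203.0.113.7", 300),
}


def stub_upstream(name):
    return UPSTREAM_STUB[name]
```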

Can a DNS Filter Prevent Access to All Malicious Websites?

Sadly, no DNS filtering solution will stop access to all malicious websites, as in order for this to be accomplished, a webpage must first be identified as malicious. If a cybercriminal creates a brand-new phishing webpage, there will be a delay between the page being set up and it being reviewed and added to a blocklist. However, a DNS web filter will prevent access to the majority of malicious websites.

Can DNS Filtering be Avoided?

Proxy servers and anonymizer sites could be deployed to mask traffic and bypass the DNS filter unless the chosen solution also prevents access to these anonymizer sites. An end user could also manually amend their DNS settings locally unless they have been locked down. Determined persons may be able to find a way to bypass DNS filtering, but for the majority of end users, a DNS filter will block any effort to access forbidden or harmful website material.

No single cybersecurity solution will let you block 100% of malicious websites, but DNS filtering should definitely form part of your cybersecurity operations as it will allow most malicious sites and malware to be blocked.

Case Study: Data Breach Cost Home Depot $179 Million

When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company quite a bit.

A data breach of the scale of that which impacted Home Depot in 2014 will cost hundreds of millions of dollars to address. The Home Depot data breach was huge. It was the largest retail data breach involving a point of sale system that has been seen so far. Malware had been downloaded that allowed cyber criminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.

The attack was completed using stolen credentials from one of the retailer’s vendors. Those credentials were used to obtain access to the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was obtained, malware was downloaded to record credit card details. The malware infection went unnoticed for five months between April and September 2014.

Last year, Home Depot agreed to pay out $19.5 million to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of losses compensated.

The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger. It is already getting closer to the $200 million mark.

Then there is the reputation damage due to the breach. Following any data breach, customers often take their business to a different company. Many consumers impacted by the breach have chosen to shop elsewhere. A number of studies have been carried out on the fallout from a data breach. One HyTrust study states that companies may lose 51% of customers following a breach of sensitive data.

Software for Cloud-Based Web Filtering

The next step in the evolution from hardware-based and software-based solutions for filtering Internet content is cloud-based web filtering software. Similar to the majority of cloud-based technologies, cloud-based web filtering software is convenient, trustworthy and scalable. It does not have the high costs of hardware-based solutions nor the high maintenance overheads of software-based programmes; and, although all three solutions pretty much operate the same way, cloud-based web filtering software has its benefits.

Cloud-Based Web Filtering Software

Cloud-based web filtering software is operated from the cloud rather than being physically attached to – or downloaded to – your network. To start using the service, you simply need to redirect your DNS server settings to point to our servers. The cloud-based software then configures itself automatically, and you can either begin filtering the Internet using the software's default settings, or set up and apply your own user policies via the web-based management portal.

As with most solutions for filtering Internet content, cloud-based web filtering software deploys a three-tier mechanism to enhance defenses against online threats, improve productivity and stop users accessing inappropriate material:

  • The first line of defense is SURBL and URIBL filters. These look at each request to visit a web page against lists of IP addresses known to lead to malware downloads, phishing attacks and spam emails. When a match is identified, the request to visit the web page is not allowed. The lists of IP addresses are automatically updated as new threats are spotted.
  • Behind the “blacklists”, category filters can be used to stop users looking at websites in certain categories. Administrators may want to stop users visiting websites known to have a high likelihood of harboring malware (pharmaceutical and travel websites), those likely to affect productivity (gaming and social networking) or those including inappropriate material.
  • Keyword filters can be used to fine-tune the category filters and stop users visiting websites containing exact word matches, specific apps or specific file extensions. This fine-tuning mechanism adds granularity to the Internet filtering process so that filtering can be set up without obstructing workflows.

Category filters and keyword filters can be switched on for individual users, user groups or company-wide according to your existing user policies. Most products for filtering Internet content can be integrated with management tools such as Active Directory in order to speed up the process of applying roles. Thereafter, administrators can review web activity in real-time via the management portal, or schedule customized reports by user, user group, organization-wide, bandwidth usage, category or time.

Improve Network Performance with Cloud-Based Web Filtering Software

One unexpected benefit of cloud-based web filtering software is how it enhances network performance – or, strictly speaking, how it reduces the workload put on servers by other solutions for filtering Internet content. This is due to the way in which encrypted web pages are inspected by cloud-based web filtering software to determine the nature of their content.

Most software for filtering Internet content use a process called SSL inspection to decrypt, review, and re-encrypt the content of “secure” web pages. SSL inspection is now an obligatory part of Internet filtering because hackers have been able to obtain fake SSL certificates and their malware payloads would avoid detection if it were not for SSL inspection.

Hardware and software solutions for filtering Internet content put a heavy workload on servers because there is such a high volume of encrypted web pages that need inspecting. Since Google revealed it would enhance the rankings of encrypted websites in search engine results pages, more than 50% of the most-visited web pages in the world are encrypted.

The decryption, inspection and re-encryption of half the world's most-visited Internet pages places an incredible strain on servers. Often it will lead to delays in some web-based activities – email, for example – or users will find Internet access is temporarily unavailable. Although cloud-based web filtering software also uses SSL inspection to determine the content of encrypted web pages, the process is carried out in the cloud – eliminating the workload on network servers and allowing an Internet service with excellent latency.

Homebuyers and Sellers Targeted in Solicitor Email Scam

Home purchasers and real estate agents in the United Kingdom and Ireland are being targeted by cybercriminals using a new solicitor email campaign. The scam, which involves mimicking a solicitor, is costing victims thousands. Additionally, there have been cases where cybercriminals contact solicitors by email claiming to be their clients and asking for changes to their bank details. Any pending transfers are then sent to the criminals’ accounts.

As funds for home purchases are sent to solicitors’ accounts before being shared with the sellers, if cybercriminals can amend the bank details for the transfers, the funds for the purchase will be paid straight into their bank accounts.

While email spoofing is not unusual, this solicitor email scam often involves the hacking of solicitors’ email accounts. Once access has been obtained, cybercriminals search for emails exchanged with buyers and sellers of homes to identify possible targets. In addition to email accounts being hacked, there have also been instances where emails between buyers, sellers and their solicitors have been intercepted. When bank details for a transfer are sent, the hackers change the bank information in the email to their own and then forward the email on.

The solicitor email scam is sophisticated and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be completed. Since the possible rewards are considerable, cybercriminals are willing to invest the time and effort into the scam and be patient. Buyers, vendors and solicitors are well researched and the emails appear authentic.

This conveyancing scam has been on the rise in recent months and it has now become the most common cybercrime impacting the legal sector. The Law Society, a representative organization for solicitors in the UK, has issued a warning about the conveyancing scam due to a rising number of complaints, although it is currently unclear how many fraudulent transfers have been completed.

The simple way to prevent such a scam from being successful is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details. Additionally, policies can be developed requiring bank account information to only be sent via postal mail.

The Solicitors Regulation Authority has issued guidance that advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be simple, but with such large sums being transferred it pays to use an abundance of caution.

While this solicitor email scam has been seen in many places across the UK and Ireland, legal firms in the United States should also use caution.

Ryuk Ransomware Suspected in Newspaper Cyberattack

The end of 2018 has seen a major newspaper cyberattack take place in the United States that has disrupted production of several newspapers published by Tribune Publishing.

The attacks were malware-based and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and a number of others. The malware attack took place on Thursday, December 27, and caused major issues throughout Friday.

All of the impacted newspapers shared the same production platform, which was infiltrated by the malware infection. While the sort of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack utilized Ryuk ransomware.

Ransomware is a type of malware that encrypts critical files stopping them from being accessed. The main goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also a regular occurrence for ransomware to be deployed after network access has been obtained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be carried out to cause disruption. It is thought that this newspaper cyberattack was conducted primarily to disable infrastructure.

The sort of ransomware used in an attack is usually easy to notice. After encrypting files, ransomware changes file extensions to an (often) unique extension. In this instance of Ryuk ransomware, extensions are changed to .ryk.

The Los Angeles Times has blamed threat actors based outside the United States, although it is not clear which group was behind the cyberattacks. If the attack was carried out to disable infrastructure it is probable that this was a nation-state sponsored attack.

The first Ryuk ransomware cyberattacks took place in August. Three U.S. companies were attacked, and the attackers were paid a minimum of $640,000 for the keys to unlock the data. A review of the ransomware revealed it shared code with Hermes malware, which had previously been connected to the Lazarus Group – an APT group with links to North Korea.

While many ransomware campaigns use mass spamming tactics to spread the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved extensive reconnaissance and network mapping before the ransomware was finally deployed. As is the case with SamSam ransomware attacks, the campaign is carried out manually.

Several tactics are used to obtain access to networks, although earlier in 2018 a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services (HHS) identifying email as one of the main attack vectors, and emphasising the importance of email security and end user training to help staff recognize email-based threats.
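Detection logic for the extension change described above, as an added example that is not from the original article: it parses constructed file-server audit lines (the log format is hypothetical), maps renames to known ransomware extensions (only .ryk is taken from the article; the table is meant to be extended from threat intelligence) and raises one alert per host, user and family when several such renames land inside a short window, which is what distinguishes encryption in progress from a single odd rename.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension -> family. Only .ryk comes from the article; extend as documented.
RANSOMWARE_EXTENSIONS = {".ryk": "Ryuk"}

# Constructed audit lines in a hypothetical file-server format.
SAMPLE_LOG = r"""
2018-12-27T22:10:01 host=cms-prod1 user=svc_layout op=RENAME path=D:\layout\front.indd new=D:\layout\front.indd.ryk
2018-12-27T22:10:01 host=cms-prod1 user=svc_layout op=RENAME path=D:\layout\back.indd new=D:\layout\back.indd.ryk
2018-12-27T22:10:02 host=cms-prod1 user=svc_layout op=WRITE path=D:\layout\readme.txt
2018-12-27T22:10:02 host=cms-prod1 user=svc_layout op=RENAME path=D:\layout\ads.pdf new=D:\layout\ads.pdf.ryk
2018-12-27T22:10:03 host=cms-prod1 user=svc_layout op=RENAME path=D:\layout\sports.xml new=D:\layout\sports.xml.ryk
2018-12-27T22:11:40 host=cms-prod2 user=jsmith op=RENAME path=D:\drafts\col.docx new=D:\drafts\col.final.docx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse(log_text):
    """Yields one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def family_for(path):
    """Ransomware family implied by the new file name, or None."""
    lowered = path.lower()
    for ext, family in RANSOMWARE_EXTENSIONS.items():
        if lowered.endswith(ext):
            return family
    return None


def detect(log_text, threshold=3, window=timedelta(seconds=60)):
    """Alerts once per (host, user, family) when at least `threshold` renames
    to a ransomware extension occur within `window`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for event in parse(log_text):
        if event["op"] != "RENAME" or not event.get("new"):
            continue
        family = family_for(event["new"])
        if family is None:
            continue
        key = (event["host"], event["user"], family)
        times = recent[key]
        times.append(event["ts"])
        while times and event["ts"] - times[0] > window:
            times.popleft()          # drop renames outside the window
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": event["host"], "user": event["user"],
                           "family": family, "first_seen": times[0],
                           "count": len(times)})
    return alerts
```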

Threat of Exposure with Multiple Malware Infections Combined in Recent Sextortion Scams

Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought for almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and, as scammers’ Bitcoin wallets show, they are successful.

Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have increased credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransom.

The email template used in this scam is very like those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the copy of the email, a password (most likely an old password accessed in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see what will soon be distributed via email and social media networks.

Visiting the link in the email will trigger the download of a zip file. The compressed file contains a document with the text of the email along with the supposed video file. That video file is really an information stealer – the Azorult Trojan.

This sort of scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will know what it is: a mass email containing an empty threat. However, the inclusion of a link to download a video could lead many individuals to download the file to find out whether the threat is authentic.

If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the files.

If the email was sent to a company email account, or to a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. As a record of the original email will be found on the device, the reason why the malware was downloaded will be clear to the IT department.

The key to not being tricked is to ignore any threats sent using the email and never click links in the emails nor open unexpected email attachments.

Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being sent while the latter blocks access to sites that host malware.

FTC Warning Netflix After Phishing Scam

A new Netflix phishing scam has been discovered that tries to trick Netflix subscribers into disclosing their login details and other sensitive data such as Social Security numbers and bank account numbers.

This Netflix phishing scam is similar to others that have been seen over the past few months. A major campaign was discovered in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now beginning large-scale phishing attacks on a monthly basis.

The number of recent Netflix scams and the scale of the campaigns has led the U.S. Federal Trade Commission (FTC) to issue a warning to increase awareness of the threat.

The latest campaign was first noticed by an officer in the Ohio Police Department. As with past campaigns, the hackers use a tried and tested method to get users to click on the link in the email – the threat of account closure due to issues with the user’s billing details.

In order to stop closure of the user’s Netflix account a link in the email must be clicked. That will send the user to what appears to be the Netflix site, where login details and banking information must be entered. While the web page looks authentic, it is hosted on a domain controlled by the hackers. Any information entered on that web page will be accessed by the threat actors behind the scam.

The emails appear realistic and contain the correct logos and color schemes and are almost identical to the official emails shared with users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.

There are indications that the email is not what it seems. The email incorrectly begins “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email sends users is similarly suspect. However, the scam is sure to trick many users who fail to carefully review emails before taking any action.

Consumers need to use caution with email and should carefully review messages before responding, no matter how urgent the call for action is. It is a good idea to always visit a website directly by entering the domain into the address bar of a web browser, rather than clicking a link in an email.

If the email is found to be a scam, it should be reported to the appropriate authorities in the country in which you live and also to the company the scammers are pretending to be. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.

While this Netflix phishing scam targets consumers, companies are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account data. Businesses can reduce the risk of data and financial losses to phishing scams by making sure all members of the company, from the CEO down, are given regular security awareness guidance, are taught cybersecurity best practices and are made aware of the most recent threats.

An advanced spam filtering solution is also strongly advisable to ensure the vast majority of these scam emails are obstructed and do not reach inboxes. SpamTitan for instance, stops more than 99.9% of spam and phishing emails and 100% of known malware.

For additional information on anti-phishing solutions for companies, get in touch with the TitanHQ team today.

Gift Card Scams Warning Issued for Holiday Season

Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

2018 has seen a surge in business email compromise (BEC) style tactics, with emails seeming to have been sent from within a company. The emails purport to have been sent by the CEO (or another executive), asking accounts and administration staff to purchase gift cards for clients, or requesting that gift cards be purchased for charitable donations.

To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.

Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.

2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that of the organizations that have been targeted with email fraud attacks, almost 16% had witnessed a gift card-themed attack, up from 11% in Q2 2018.

Many businesses have Office 365 installed, but even Microsoft’s anti-phishing security has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing measures in place, emails still make it past Microsoft’s filters.

To obstruct these malicious messages, an advanced third-party spam filter is necessary.

Office 365 Phishing Emails Look like Non-Delivery Alerts

A new phishing campaign was discovered by ISC Handler Xavier Mertens and the campaign seems to still be active.

The phishing emails look very like legitimate Office 365 non-delivery alerts and include Office 365 branding. As is the case with official non-delivery alerts, the user is warned that messages have not been delivered and told that action is required.

The Office 365 phishing emails state that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they are sent to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is typed, a JavaScript function sends both the email address and password to the attacker. The user is then redirected to the genuine outlook.office365.com website, where they are shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s address – postmaster@us.ibm.com – looks official, but there is irregular capitalization in the warning message, something that would not happen in an official Microsoft notification.

The clearest indication that this is a phishing scam is the domain to which users are sent if they click the Send Again button: agilones.com, which is not an official Microsoft domain.

While the mistake in the email may be overlooked, users should notice the domain, although some may proceed and type their passwords because the login box is identical to the one on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.
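As an added example (not SpamTitan’s or TitanHQ’s code), here is a small Python check that applies the advice above to an HTML email body: if the message reads like an Office 365 non-delivery notice, any link that leads off a Microsoft domain is flagged. The allowlist of Microsoft domains, the marker phrases and the sample message are assumptions; only agilones.com comes from the campaign described.

```python
"""Flag 'Send Again'-style links whose target is not a Microsoft domain.

Added example (not TitanHQ/SpamTitan code). The sample email body below is
constructed for illustration; the only page-derived value is agilones.com.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains Microsoft uses for Office 365 sign-in pages;
# a production filter would maintain this from vendor documentation.
MICROSOFT_LOGIN_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "office.com", "office365.com",
    "live.com", "outlook.com",
}

# Phrases (assumed) that mark an email as imitating an Office 365 non-delivery notice.
O365_NDR_MARKERS = ("undelivered messages", "server congestion", "send again")


class _LinkExtractor(HTMLParser):
    """Collect each anchor's href together with its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text)
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(url):
    """Return the last two labels of the URL's host (adequate for .com hosts)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html_body):
    """Return (link text, domain) pairs for links that leave Microsoft domains
    in an email that impersonates an Office 365 non-delivery notification."""
    text = html_body.lower()
    if not any(marker in text for marker in O365_NDR_MARKERS):
        return []   # not an NDR lookalike; nothing to judge here
    parser = _LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, label in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        domain = registrable_domain(href)
        if domain not in MICROSOFT_LOGIN_DOMAINS:
            flagged.append((label, domain))
    return flagged


# Constructed sample body mirroring the lure described above.
SAMPLE_EMAIL = """
<html><body>
<p>Microsoft found Several Undelivered Messages</p>
<p>Cause: Server Congestion. Please retype the recipient address and send again.</p>
<a href="https://agilones.com/office365/login?user=alice%40example.com">Send Again</a>
<a href="https://www.microsoft.com/privacy">Privacy</a>
</body></html>
"""

if __name__ == "__main__":
    for label, domain in suspicious_links(SAMPLE_EMAIL):
        print(f"Link '{label}' leads to {domain}, which is not a Microsoft domain")
```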

Hackers use Office 365 phishing emails because so many companies have signed up to Office 365; mass email campaigns therefore have a high chance of reaching an Outlook inbox. It is also easy to target Office 365 users specifically: a business that uses Office 365 advertises the fact through its public DNS MX records.

Firms can improve their resilience to phishing attacks through mandatory security awareness training for all workers. Employees should be told to always review messages carefully and should be guided how to identify phishing emails.

Companies should also ensure they have an advanced spam filtering solution set up. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (ATP) offering, companies should consider using a third-party spam filtering solution with Office 365.

SpamTitan supplies superior protection against phishing and zero-day attacks, an area where ATP is not proficient.

POS Data Stealing Capabilities Added to TrickBot Malware

A new module has been attached to TrickBot malware that allows point-of-sale (POS) data collection capabilities.

TrickBot is a modular malware that is under active development. In early November, TrickBot was refreshed with a password stealing module, but the latest update has made it even more dangerous, mostly for hotels, retail outlets, and restaurants: companies that process large volumes of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being used to capture POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems implemented. The experts have not yet determined how the POS information will be used, but it is highly likely that the module is being used for intelligence. Once targets with networks supporting POS systems have been discovered, they will likely be subjected to further intrusions.

The new module, labelled psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to spot POS-related terms in domain controllers and basic accounts. The module achieves this using LDAP queries to Active Directory Services that search for a dnsHostName containing strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term’.

The timing of the update suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much data as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (discovered by Brad Duncan) which is targeting companies in the United States. The malspam campaign uses Word documents including malicious macros that download the TrickBot binary.

Protecting against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is vital for an advanced anti-spam solution to be deployed to stop malicious messages from reaching end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those emails.

Antivirus solutions and endpoint security measures should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter security.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is currently evading detection by most antivirus engines.

Heimdal Security says that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) was first seen in 2006 and is still being developed. This year, many new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Recent successful attacks have been reported at Altus Baytown Hospital in Texas, the Arran Brewery in Scotland, and the Port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly renders them obsolete. Infection with the most recent variants leaves victims only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The latter is not a solution given the extent of files that are encrypted. Restoring files from backups is not always an option as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom is not a solution as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, processes, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable delivered via a .NET file and an HTA file. Infections occur on RDP-enabled endpoints through brute force attempts to guess passwords. Once a password is obtained, the malicious payload is executed.

While it is not yet clear how the Arran Brewery attack happened, a phishing attack is suspected. Phishing emails had been received just before file encryption. Arran Brewery’s managing director Gerald Michaluk said: “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental”.

To safeguard against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be enforced. Rate limiting on login attempts should be configured to block further attempts after a set number of failures.
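Added example, not TitanHQ code: the rate-limiting advice above expressed as detection logic in Python. It reads a constructed, simplified feed of Windows logon events (event 4625 with logon type 10 is a failed RDP logon) and raises an alert when one source address fails more than a set number of times inside a sliding window. The threshold, window, one-line log format and sample lines are assumptions.

```python
"""Detect password-guessing bursts against RDP from Windows logon-failure events.

Added example, not TitanHQ/SpamTitan code. The event lines below are
constructed: they imitate Security event 4625 fields (source address, account,
logon type 10 = RemoteInteractive) in a simplified one-line-per-event format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions: 5 failures from one source within 2 minutes.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed sample feed: one noisy external source, one internal non-RDP
# failure, and one user who mistypes once and then logs in successfully.
SAMPLE_EVENTS = """\
2018-12-03T09:00:01 4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-12-03T09:00:04 4625 LogonType=10 Account=admin Source=203.0.113.7
2018-12-03T09:00:05 4625 LogonType=3 Account=svc_backup Source=10.0.0.21
2018-12-03T09:00:09 4625 LogonType=10 Account=backup Source=203.0.113.7
2018-12-03T09:00:15 4625 LogonType=10 Account=user1 Source=203.0.113.7
2018-12-03T09:00:20 4625 LogonType=10 Account=test Source=203.0.113.7
2018-12-03T09:07:00 4625 LogonType=10 Account=jsmith Source=198.51.100.4
2018-12-03T09:10:00 4624 LogonType=10 Account=jsmith Source=198.51.100.4
"""


def parse_event(line):
    """Turn one constructed log line into a dict; returns None for short/blank lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[2:])
    return {
        "time": datetime.fromisoformat(parts[0]),
        "event_id": parts[1],
        "logon_type": fields.get("LogonType"),
        "account": fields.get("Account"),
        "source": fields.get("Source"),
    }


def detect_rdp_bruteforce(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source that accumulates `threshold` failed RDP logons
    (event 4625, logon type 10) inside a sliding `window`.
    Each alert is (source_ip, time of first failure in window, sorted accounts tried)."""
    recent = defaultdict(deque)   # source -> deque of (time, account) within the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["event_id"] != "4625" or ev["logon_type"] != "10":
            continue   # only failed RemoteInteractive (RDP) logons count
        q = recent[ev["source"]]
        q.append((ev["time"], ev["account"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()   # drop failures that fell out of the window
        if len(q) >= threshold and ev["source"] not in alerted:
            alerted.add(ev["source"])
            accounts = sorted({acct for _, acct in q})
            alerts.append((ev["source"], q[0][0], accounts))
    return alerts


if __name__ == "__main__":
    for src, start, accounts in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{src}: {len(accounts)} accounts tried since {start.isoformat()}: {accounts}")
```

The same sliding-window count is what an account lockout policy enforces per account; keying on the source address as well catches spraying across many accounts, as in the sample.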

Naturally, good backup policies are vital. They ensure that file recovery is possible without paying a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is needed. Spam filters that rely on AV engines may not notice the latest ransomware variants. Advanced analyses of incoming messages are vital.

SpamTitan enhances protection for businesses through a combination of two AV engines and predictive techniques that block new types of malware whose signatures have not yet reached AV engines.

For more information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

Adobe has released an unscheduled update to correct vulnerabilities in Adobe Flash Player, including a zero-day flaw that is currently being targeted in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare center that supplies medical and cosmetic surgery services to high level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free weakness – CVE-2018-15982 – which enables arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object runs attacker code on a victim’s computer, giving command line access to the system.

The vulnerability was noticed by security researchers at Gigamon ATR who reported the vulnerability to Adobe on November 29. Researchers at Qihoo 360 discovered a spear phishing campaign that is being used to send a malicious document and linked files that exploit the weakness. The document used in the campaign was a forged staff questionnaire.

The emails included a .rar compressed file attachment containing a Word document, the exploit, and the payload. If the .rar file is unpacked and the document viewed, the user is shown a warning that the document may damage the computer. If the content is activated, a malicious command is run which extracts and launches the payload – a Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe acts as a backdoor into the system. The malicious payload gathers system data, which is sent back to the attackers via HTTP POST, and also downloads and runs shellcode on the infected device.

Qihoo 360 researchers have labelled the campaign Operation Poison Needles due to the identified target being a healthcare center. While the attack seems to be politically motivated and highly targeted, now that details of the vulnerability have been made public it is likely that other threat groups will use exploits for the vulnerability in more and more attacks.

It is therefore vital for companies that have Flash Player installed on some of their devices to update to the most recent version of the software as soon as they can. That said, removing Flash Player, if it is not required, is a better option given the number of vulnerabilities that are identified in the software each month.

The vulnerability affects Flash Player 31.0.0.153 and all previous versions. Adobe has addressed the flaw, together with a DLL hijacking vulnerability, in version 32.0.0.101.

ArcTitan Offers Lightning-Fast, Enterprise-Class Microsoft Exchange Email Archiving for your Business

Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, an email archiving solution is a business requirement: it ensures that emails are not lost, that emails can be retrieved on demand, and that storage space is kept to a minimum. Although native Microsoft Exchange email archiving is available, most businesses will find its archiving options are not up to standard. The alternative is to adopt a third-party email archiving solution, which provides all the features businesses require while improving efficiency and saving on cost. To improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: a secure, fast, cloud-based email archiving solution.

What Email Archiving is and its Importance

Businesses have been required by federal, state, and industry regulations to retain emails for many years. A considerable amount of storage space is often taken up by stored emails, especially when you consider the number of emails that employees typically send and receive daily. Although storing emails in backups suffices to meet legal requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly, which is simply not possible with unsearchable backups. The solution to this problem is an email archive. In contrast to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.

Email Archiving Necessary for eDiscovery and GDPR Compliance

An email archiving solution is essential for eDiscovery. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for failing to produce emails. An example of this can be seen in the Zubulake v. UBS Warburg case, where the plaintiff was awarded $29 million as a result of the failure to produce emails.

In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required to produce (and delete) every element of an individual’s personal data on request, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained, since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is greater.

Native Microsoft Exchange Email Archiving Drawbacks

Native Microsoft exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.

When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive, and they can delete emails unless a legal hold is activated. For admins, retrieving emails can be complicated and extremely time consuming.

With native Microsoft Exchange email archiving, functions fail to meet the needs of a lot of businesses particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain with most product versions and archiving can be complex with certain email architectures.

Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.

There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.

Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. Despite the improvements that Microsoft has made, a third-party solution for email archiving on Microsoft Exchange is still required.

A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.

ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving

ArcTitan has been specifically developed for email archiving making it more specialised than competitors. ArcTitan has been designed to meet all the archiving needs of businesses and allow managed service providers to offer email archiving to their clients.

The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage, and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses to meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail and gives businesses near instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.

ArcTitan Features

ArcTitan requires no hardware or software, is quick and easy to install, and slots in to the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.

Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% of storage space. Costs are also kept to a minimum with a flexible pay-as-you-go pricing policy, with subscriptions paid per live user.

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
  • A full data retention and eDiscovery policy
  • HIPAA, SOX (and more) standard compliance and audited access trail
  • SuperFast Search™ – email is compressed, zipped, and message- and attachment-de-duplicated, ensuring fast search and retrieval
  • Web console access with multi-tiered and granular access options – You decide user access permissions
  • No hardware / software installation required
  • Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Secure transfer from your email server
  • Encrypted storage on AWS cloud
  • Instantly searchable via your browser – You can find archived emails in seconds
  • Maintains a complete audit trail
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

California Wildfire Scam Email Warning Issued

A California wildfire scam is underway that asks for donations to help those impacted by the recent wildfires. The emails appear to come from the CEO of a company and are aimed at its staff members in the accounts and finance departments.

It should come as no surprise that scammers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Scammers often move swiftly after natural disasters to play on emotions and defraud businesses. Similar scams were carried out in the wake of the recent hurricanes that hit the United States and caused widespread harm.

The California wildfire scam, discovered by Agari, is a business email compromise (BEC) attack. The emails seem to have been sent by the CEO of a company, with his/her email address used to transmit messages to company staff. This is often accomplished by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to broadcast the messages.

The California wildfire scam includes one major red flag. Rather than asking for a monetary donation, the scammers request money in the form of Google Play gift cards. The messages ask for the redemption codes to be sent back to the CEO by reply.

The emails are sent to staff members in the accounts and finance departments and the emails ask that the money be donated in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

Google Play gift cards are requested because they can easily be exchanged on darknet forums for other currencies, and the gift cards are almost impossible to trace back to the scammer.

The messages include many grammatical errors and misspellings, which is another indication that they are not authentic. Nevertheless, scams like this are sent because they are successful: many people have been tricked by similar scams previously.

Safeguarding against scams like this requires a combination of technical controls, end user training and company policies. An advanced spam filtering solution should be put in place – SpamTitan for instance – to stop messages such as these from arriving in inboxes. SpamTitan checks all incoming emails for spam signatures and uses techniques such as heuristics, machine learning and Bayesian analysis to spot advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts. Those workers are usually targeted by scammers. Policies should be put in place that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are given approval.

A combination of these tactics will help to secure businesses from BEC attacks and other email scams.

Web Filtering Software for Schools

Although the aims of the Children’s Internet Protection Act (CIPA) – and later state legislation relating to web filters for schools – were undoubtedly well-intentioned, some educational institutions have been reluctant to adopt school web filtering software.

Some of the reasons for this reluctance are logical. Over-zealous web filters for schools can stop students from accessing educational material and teenage support groups, while students from lower-income families without home Internet can be hindered by “digital deprivation” in an over-filtered environment.

It is sometimes the case that school web filtering software is responsible for an over-filtered environment. Depending on the extent of the software, it may have a high maintenance overhead or lack the versatility to account for students of different ages studying a wide range of topics.

In these instances, it is easier for system managers to apply the maximum security settings to ensure compliance with federal and state laws, and this is when the problems arise. Now there is a solution from SpamTitan that can resolve these issues quickly and simply – WebTitan Cloud.

WebTitan Cloud is cloud-based school web filtering software that is quick to put in place and easy to configure. Being a cloud-based solution, there is no hardware to buy or software to be installed – so no technical skills are required and there are no upfront costs to consider.

Once active, WebTitan Cloud uses a three-tier mechanism to review each request to visit a website against its filtering parameters, providing the level of granularity that web filters for schools need in order to be effective in a multi-age, multi-cultural environment.

The filtering parameters can be created according to age, by user, by class, or by year – and password protected – to ensure each student is able to access the educational and age-appropriate material they need to become digitally literate and in order to be able to seek help from support groups if needed.

Along with its versatility, WebTitan Cloud provides a safe barrier against online content prohibited by CIPA and protects networks and users’ devices against malware, adware, spyware and ransomware. Our school web filtering software also has security measures to prevent students from trying to circumvent the filtering parameters. With WebTitan Cloud schools can:

  • Restrict access to VPNs and proxy websites.
  • Set up multilingual filter settings.
  • Stop access to cached website pages.
  • Filter out numerical IP addresses.

For schools that supply a wireless network for students, WebTitan Cloud for WiFi is equally as versatile and safe. Our school web filtering software for wireless networks allows schools to manage the content students can access from their mobile devices, and supplies a deep analysis of network activity – right down to the online activity of each individual user.

In states where parents have the right to state the level of Internet access their children can have at school, the versatility of WebTitan Cloud for WiFi prevents the scenario in which every child has to adhere to the wishes of the strictest parent. The detailed level of oversight also helps to identify students who may be using the Internet inappropriately and who are then vulnerable to online attacks.

Our WiFi web filters for schools can be deployed to filter Internet content from a single hotspot or multiple hotspots. They safeguard users’ devices as well as the school’s network without affecting the speed at which web content is delivered. They also have a very useful bandwidth-restricting function that can stop students consuming a school’s bandwidth by streaming sports, films and music videos.

Our school web filtering software for both fixed and wireless networks has been created to be effective against online threats, compliant with federal and state laws, easy to use, and sufficiently versatile to resolve concerns about stopping students from accessing educational material and teenage support groups. Now we invite you to test our web filters for schools for free.

If your school has been reluctant to put in place school web filtering software due to worries regarding an over-filtered environment, we invite you to contact us and discuss your concerns. Our team of Sales Technicians will answer any questions you have about web filters for schools and invite you to have a free trial of WebTitan Cloud or WebTitan Cloud for WiFi – whichever is the most appropriate solution for your specific circumstances.

There are no set-up expenses to address, no credit cards are required and there are no contracts to complete in order to take advantage of our offer. Our free trial is intended to give you the chance to evaluate the merits of school web filtering in your own environment, and there is no obligation to continue using our service once the free trial has ended. Call us now and your school could be safeguarding your students from online dangers and inappropriate content within 15 minutes.

Emotet Malware Being Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the modus operandi of the threat group behind the attacks.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails contain hyperlinks that direct users to a website from which the Word document is downloaded.

Various social engineering tricks have been used in these recent campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, and Emotet in turn installs a secondary payload. In past campaigns, Emotet has been delivered along with ransomware: first Emotet steals details, then the ransomware is used to extort money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.

An additional campaign has been seen that uses Thanksgiving-themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the downloaded document seems to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. Along with stealing credentials, a new module has been added that harvests emails from an infected user. The previous six months’ emails – including subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and for data theft.

The latest increase in Emotet malware campaigns, and the wide variety of tactics used by the threat actors behind these campaigns, highlight the importance of implementing a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.

Phishing campaigns aim for a weak link in security defenses: staff members. It is therefore vital to ensure that all employees with corporate email accounts are taught how to spot phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal details. Staff are the last line of defense. Through security awareness training, the defensive line can be greatly strengthened.

As a frontline defense, all businesses and groups should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide protection against more complex email attacks.

SpamTitan is an advanced email filtering solution that employs predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to discover emerging threats. Greylisting is used to identify and block large-scale spam campaigns, such as those typically carried out by the threat actors spreading banking Trojans and Emotet malware.

How SpamTitan Spam Filtering Works


Lion Air Spear Phishing Campaign Shares Stealthy Cannon Trojan

A newly created malware variant, called the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been attributed to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collating system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of loading further malware variants onto a compromised system.

The new malware threat is stealthy and uses a range of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once installed, the malware sends an email over SMTPS on port 465, and two further email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively unusual. One advantage of this method of communication is that it is more difficult to spot and block than HTTP/HTTPS.
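As an added example (not from Unit 42 or the original post), the following Python hunts firewall logs for endpoints using encrypted mail ports toward servers outside the organisation's approved mail servers, and specifically for the send-over-SMTPS plus poll-over-POP3S pairing described above. The log line format, the approved-server list and the sample lines are constructed assumptions; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic). The key=value format
# is an assumption made for this example; the addresses are documentation ranges.
SAMPLE_LOG = """\
2018-11-20T10:01:05Z src=10.0.0.12 dst=192.0.2.25 dport=465 proto=tcp action=allow
2018-11-20T10:01:09Z src=10.0.0.12 dst=192.0.2.25 dport=995 proto=tcp action=allow
2018-11-20T10:02:11Z src=10.0.0.31 dst=203.0.113.10 dport=465 proto=tcp action=allow
2018-11-20T10:02:40Z src=10.0.0.31 dst=203.0.113.10 dport=995 proto=tcp action=allow
2018-11-20T10:03:02Z src=10.0.0.31 dst=203.0.113.10 dport=995 proto=tcp action=allow
2018-11-20T10:04:00Z src=10.0.0.44 dst=203.0.113.10 dport=443 proto=tcp action=allow
2018-11-20T10:05:15Z src=10.0.0.55 dst=198.51.100.9 dport=995 proto=tcp action=allow
"""

# Hypothetical list of the organisation's sanctioned mail servers: endpoints are
# expected to talk SMTPS/POP3S only to these.
APPROVED_MAIL_SERVERS = {"192.0.2.25"}

# Encrypted mail ports used by Cannon: 465 = SMTPS (send), 995 = POP3S (poll).
MAIL_PORTS = {465: "SMTPS", 995: "POP3S"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_mail_connections(log_text):
    """Yield (src, dst, port) for every logged connection on an encrypted mail port."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in MAIL_PORTS:
            yield src, dst, port


def find_suspect_mail_channels(log_text, approved=APPROVED_MAIL_SERVERS):
    """Map src -> {dst: sorted protocol names} for SMTPS/POP3S traffic to
    servers that are not on the approved list."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_mail_connections(log_text):
        if dst not in approved:
            seen[src][dst].add(MAIL_PORTS[port])
    return {s: {d: sorted(p) for d, p in dsts.items()} for s, dsts in seen.items()}


def cannon_like_hosts(log_text, approved=APPROVED_MAIL_SERVERS):
    """Endpoints that both send (SMTPS) and poll (POP3S) the same unapproved
    server: the two-way email C2 pattern described for the Cannon Trojan."""
    result = []
    for src, dsts in find_suspect_mail_channels(log_text, approved).items():
        for dst, protos in dsts.items():
            if protos == ["POP3S", "SMTPS"]:
                result.append((src, dst))
    return result


if __name__ == "__main__":
    for src, dst in cannon_like_hosts(SAMPLE_LOG):
        print(f"ALERT: {src} uses SMTPS and POP3S toward unapproved server {dst}")
```

A single POP3S connection to an unknown server (10.0.0.55 above) is reported by find_suspect_mail_channels but not by cannon_like_hosts, which needs both directions of the channel.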

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being shared via spear phishing emails. Two email templates have been captured by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign claims to provide data on the victims of the crash, which the email says are listed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must click Enable Content to see the contents of the document. The document claims to have been created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the document and enabling content would trigger the macro to run, which would then silently install the Cannon Trojan.

Instead of the macro running and downloading the payload immediately, as an anti-analysis mechanism the hackers use the AutoClose function to delay the completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing it would be unlikely to flag it as malicious. Further, the macro will only run if a connection to the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques employed by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to stopping infection is blocking the threat at source and preventing it from arriving in inboxes. Providing end user training to help employees identify threats such as emails with attachments from unknown senders is also vital.

HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways that threat actors deliver malware is malvertising. Malvertising is the placement of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example, and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor arrives on a web page. The visitor’s computer is probed to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are probed for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being distributed via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: one is being used to distribute the DanaBot banking Trojan and the other is delivering two malware payloads – the Nocturnal data stealer and GlobeImposter ransomware – via the Fallout exploit kit.

Exploit kits can only deliver malware to unpatched devices, so businesses will only be at risk from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches, and exploits for new vulnerabilities are frequently added to exploit kits (EKs) such as Fallout. Because of this, a security solution is needed to block this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites sold by low-quality ad networks – those often used by owners of online gaming websites, adult sites, and other types of websites that employees should not be visiting. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites alongside legitimate ads. The use of a web filter is advisable to mitigate this threat.

Emotet Malware Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the operating method of the threat group responsible for the campaigns.

The Emotet malware campaigns use Word documents which have malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either shared as email attachments or the spam emails include hyperlinks which bring users to a website where the Word document is downloaded.

Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign sends Emotet malware, although Emotet in turn installs a secondary payload. In previous campaigns, Emotet has been sent along with ransomware. First, Emotet steals details, then the ransomware is used to steal money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.

Another campaign has been discovered that uses Thanksgiving themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages say that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.

Emotet malware has been refreshed recently. In addition to stealing details, a new module has been incorporated which harvests emails from an infected user. The past six months’ emails – which include subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent rise in Emotet malware campaigns, and the highly varied tactics implemented by the threat actors behind these campaigns, emphasise the importance of adopting a defense in depth strategy to block phishing emails. Groups should not rely on one cybersecurity solution to provide protection against hacking attacks.

Phishing campaigns aim for a weak link in security defenses: Staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained how to recognize phishing threats. Training needs to be constant and should cover the latest tactics used by hackers to spread malware and steal details. Staff members are the last line of defense. Through security awareness training, the defensive line can be significantly enhanced.

As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.

SpamTitan is an advanced email filtering software that uses predictive techniques to supply superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based security.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and obstruct large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for an MSP to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage, and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable and therefore emails can be retrieved on demand quickly and with ease. If there is a legal dispute or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example) businesses need to be able to recover emails in an efficient manner. Additionally, an email archive also provides a clear chain of custody, which is also required to comply with a lot of regulations.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Given the benefits of email archiving, it should be an easy sell for MSPs, either as an Office 365 archiving-as-a-service add-on or incorporated into existing email packages, in order to offer greater value and differentiate your packages from those of your competitors.

Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply reselling Office 365 to your clients. Overall, it can help you to attract more business when offered as part of a package.

Email Archiving Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It integrates seamlessly into MSPs’ service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has said that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. In 2018 several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months four new Dharma ransomware variants have been discovered.

The actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have recently been reported on Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete. Infection with the latest variants of the ransomware threat leaves victims only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The latter is not viable given the extent of files that are encrypted. Rescuing files from backups is not always possible as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom should not be completed as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and through email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and an HTA file. Infections take place via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is guessed, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be put in place. Rate limiting on login attempts should be set up to block login attempts after a set number of failures.
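An added example, not part of the original post, of the rate-limiting idea applied to detection rather than lockout: Python that scans failed RDP logons (Windows Event ID 4625 with logon type 10, RemoteInteractive) for a burst from one source address and records whether a successful logon (4624) from the same source followed, which is the footprint of the brute-force entry described above. The CSV record shape, the threshold and window, and the sample events are constructed assumptions; the source IPs are documentation addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events reduced to the fields used here:
# timestamp, event id (4625 = failed logon, 4624 = successful logon), logon type
# (10 = RDP / RemoteInteractive), source IP, target user. The CSV shape is an
# assumption for this example; real events carry these fields in EventData.
SAMPLE_EVENTS = """\
2018-11-20T02:00:01,4625,10,203.0.113.50,administrator
2018-11-20T02:00:03,4625,10,203.0.113.50,admin
2018-11-20T02:00:04,4625,10,203.0.113.50,backup
2018-11-20T02:00:06,4625,10,203.0.113.50,administrator
2018-11-20T02:00:07,4625,10,203.0.113.50,sqlsvc
2018-11-20T02:00:09,4625,10,203.0.113.50,administrator
2018-11-20T02:00:12,4624,10,203.0.113.50,administrator
2018-11-20T09:15:00,4625,10,10.0.0.7,jsmith
2018-11-20T09:15:30,4625,10,10.0.0.7,jsmith
2018-11-20T09:16:10,4624,10,10.0.0.7,jsmith
"""


def parse_events(text):
    """Parse the constructed CSV into (timestamp, event_id, logon_type, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, ip, user = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produces `threshold` RDP logon
    failures within `window`. The alert records when the burst started, how
    many attempts it contained, which usernames were tried (a long list
    suggests password spraying), and whether a later RDP success from the same
    IP indicates the guessing worked. A user mistyping a password twice
    (10.0.0.7 in the sample) stays below the threshold."""
    failures = defaultdict(deque)   # ip -> recent (timestamp, user) failures
    alerts = {}
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != 10:             # only RDP logons matter here
            continue
        if eid == 4625:
            recent = failures[ip]
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:
                recent.popleft()    # drop failures older than the window
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_failure": recent[0][0],
                    "attempts": len(recent),
                    "usernames": sorted({u for _, u in recent}),
                    "success_after": False,
                }
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {ip}: {a['attempts']} RDP failures from {a['first_failure']}, "
              f"users={a['usernames']}, followed by success={a['success_after']}")
```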

Good backup policies are also essential. They ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely on AV engines may not spot the latest ransomware variants. Advanced reviews of incoming messages are vital.

SpamTitan can enhance protection for companies through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with Titan HQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.

Z Services partnered with TitanHQ in February of 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. Through doing this, it enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

Since the integration has proved to be such a success for Z Services, the firm has now decided to take its partnership with TitanHQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan – TitanHQ’s award-winning web filtering technology – and ArcTitan – its innovative email archiving solution – have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the cybersecurity, threat protection, and compliance needs of small to medium sized enterprises.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from Titan HQ’s point of view, CEO Ronan Kavanagh said “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Chinese and English Speakers Targeted by New RaaS Variant of FilesLocker Ransomware

FilesLocker, a new ransomware threat, has been discovered being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an extremely sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be restricted, although it may prove popular. There are a number of features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will go up by 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of encrypting files when the network is unavailable.

No server is needed, and the ransomware works on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Affiliates are also able to easily keep track of infections through a tracking feature which displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front recently, at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been infected with version 1, 4, or 5 of the ransomware.

The version can be deduced from the extension used on encrypted files: v1 = .GDCB; v2/v3 = .CRAB; v4 = .KRAB; v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been posted on the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.

Recipe Unlimited Ryuk Ransomware Attack Leads to Restaurant Closures

What is thought to have been a Ryuk ransomware attack on Recipe Unlimited, a group of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams try to address the attack.

Recipe Unlimited, previously known as Cara Operations, operates pubs and restaurants under many different names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of these pub and restaurant brands have been impacted by the Recipe Unlimited ransomware attack.

While only a relatively small number of restaurants were forced to close, the IT outage caused widespread issues, stopping the restaurants that remained open from taking card payments from customers and using register systems to complete orders.

While it was at first unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. A staff member at one of the impacted restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the infected computers.

The ransom note is the same as that sent by the threat actors behind Ryuk ransomware. They say that files were encrypted with “military algorithms” which cannot be decrypted without a key that is only available from them. While it is unclear exactly how much the hackers asked for to decrypt files, they did threaten to increase the cost by 0.5 BTC (approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is thought to have taken place on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of the recently witnessed attacks involving Ryuk ransomware. The hackers are understood to have gathered more than $640,000 in ransom payments from companies who have had no other option other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not push up that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare suppliers, and cities are extremely common and can be incredibly costly to address. The recent City of Atlanta ransomware attack caused widespread disruption due to the massive scale of the attack, involving thousands of computers.

The cost of addressing the attack, including making upgrades to its systems, is likely to be around $17 million, according to estimates from city officials. The ransomware attack on the Colorado Department of Transportation is estimated to cost $1.5 million to resolve.

There is no straightforward solution that will block ransomware attacks, as many different vectors are used to download the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to stop email delivery of ransomware, web filters can be set up to prevent access to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to quickly identify an attack in progress and limit the harm inflicted.

All devices and software must be kept fully up to date, strong passwords should be implemented, and end users must receive training to make them aware of the danger posed by ransomware. They should be trained in security best practices and taught how to identify threats. Naturally, robust backup policies are necessary to ensure that in the event of disaster, files can be recovered without having to meet the ransom demand.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the hacker.

The hackers spoof the user’s email address so that the message appears to have been sent from the user’s own email account – the sender and the recipient names are identical.

A quick and simple check to determine whether the displayed sender name matches the account actually used to send the email is to click Forward. When this is done, the display name is shown, but so too is the actual email address that the message was sent from. In this instance, that check does not work, making it appear that the user’s email account really has been compromised.

The messages used in this campaign try to extort money by suggesting the hacker has obtained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to review the user’s internet activities in real time and use the computer’s webcam to record the user.

The hacker claims that the virus was placed on the computer when the user visited an adult website, and that while the user was viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.

The hacker claims that they will synchronize the webcam footage with the content the user was viewing and send a copy of the video to the user’s partner, friends, and relatives. It is claimed that all of the user’s accounts have been compromised, and the message includes an example of one of the user’s passwords.

While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to get them to make the requested payment of $800 to have the footage erased.

This is a sextortion scam in which the hackers have no leverage, as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take the risk.

According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was completed, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.

A similar sextortion scam was carried out in the summer which also had an interesting twist. It implemented an old password for the account that had been downloaded from a data dump. In that instance, the password was real, at least at some point in the past, which made the scam seem authentic.

 

California Wildfire Scam Alerts Issued

A California wildfire scam is underway that asks for financial donations to help the victims of the recent wildfires. The emails look like they are being sent from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Hackers often take advantage of natural disasters to pull on the heart strings and defraud companies. Similar scams were carried out following the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, discovered by Agari, is a form of business email compromise (BEC) attack. The emails look like they have been sent by the CEO of a company, with his/her email address used to send messages to company staff. This is often achieved by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to share the messages.

The California wildfire scam has one major red flag. Instead of asking for a monetary donation, the scammers ask for Google Play gift cards, requesting that the redemption codes be sent back to the CEO by return.

The emails are sent to staff in the accounts and finance departments and request that the money be provided as 4 x $500 gift cards. According to the emails, if these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google play gift cards are sought is because they can easily be exchanged on the darknet for other currencies. The gift cards are virtually impossible to trace back to the hacker.

The messages are full of grammatical mistakes. However, scams such as this are conducted because they work. Many people have been fooled by similar scams previously.

Safeguarding against scams such as this requires technical controls, end user training and strong company policies. An advanced spam filtering solution should be implemented – SpamTitan for instance – to prevent messages such as these from landing in inboxes. SpamTitan reviews all incoming emails for spam signatures and uses advanced methods such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing campaigns.
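The heuristics a filter applies to a message like this are simple to state: an executive’s display name on an address the executive does not use, a sender domain outside the company, a Reply-To that diverts replies elsewhere, a request for gift cards or redemption codes, and urgency language. The following Python scorer is an added example, not SpamTitan’s code or any vendor’s; the corporate domain example.com, the executive directory, the two messages and the keyword lists are constructed assumptions for the demonstration, and a production filter would draw the directory from its identity system and tune the threshold.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example: the protected organisation's domain and a
# directory of executives (normalised display name -> the address they really use).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}

GIFT_CARD_TERMS = re.compile(r"\b(gift ?cards?|redemption codes?|google play|itunes)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|asap|right away|by return|immediately)\b", re.I)

# Constructed sample modelled on the gift-card request described above.
BEC_SAMPLE = """\
From: Pat Ceo <pat.ceo@example-mail.net>
Reply-To: Pat Ceo <pat.ceo.private@example-mail.net>
To: finance@example.com
Subject: Urgent help needed

Please buy 4 Google Play gift cards of $500 each for clients hit by the wildfires
and send me the redemption codes by return.
"""

# Constructed sample of an ordinary internal message from the same executive.
LEGIT_SAMPLE = """\
From: Pat Ceo <pat.ceo@example.com>
To: finance@example.com
Subject: Q3 numbers

Please send over the Q3 summary when it is ready.
"""


def score_bec(raw):
    """Count independent BEC indicators in one message and decide whether to hold it."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    display = " ".join(display.lower().split())
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()   # sample is single-part

    reasons = []
    expected = EXECUTIVES.get(display)
    if expected and addr != expected:
        reasons.append("executive display name with unexpected address")
    if addr.rpartition("@")[2] != CORPORATE_DOMAIN:
        reasons.append("sender domain is not the corporate domain")
    if reply_to and reply_to != addr:
        reasons.append("Reply-To differs from From")
    if GIFT_CARD_TERMS.search(text):
        reasons.append("gift card / redemption code request")
    if URGENCY_TERMS.search(text):
        reasons.append("urgency language")

    # Two or more independent indicators: hold for a human before delivery.
    verdict = "hold for review" if len(reasons) >= 2 else "deliver"
    return {"score": len(reasons), "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(score_bec(BEC_SAMPLE))
    print(score_bec(LEGIT_SAMPLE))
```

No single indicator is conclusive on its own (executives do travel and use personal addresses), which is why the scorer holds a message only when several coincide; the gift-card request combined with an off-domain sender is exactly the combination the article calls the campaign’s major red flag.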

End user training is vital for all staff, especially those with access to corporate bank accounts, as those people are regularly targeted by hackers. Policies should be introduced that require all requests for changes to bank account details, atypical payment requests, and wire transfers above a certain threshold to be approved by phone or in person before they are authorized.

 

Stealthy sLoad Downloader Performs Extensive Reconnaissance Before Delivering Payload

In recent months, new, versatile malware downloaders have been discovered that gather a significant amount of data about users’ systems before deploying a malicious payload on them.

Marap malware and Xbash are two notable recent examples. Marap fingerprints a system and is capable of installing additional modules based on the results of the initial reconnaissance. Xbash also profiles the system, determines whether it is better suited to cryptocurrency mining or a ransomware attack, and deploys its payload accordingly.

A further versatile and stealthy malware variant, the sLoad downloader, can now be added to that list. sLoad was first discovered in May 2018, so it predates both of the above malware variants, although its use has been increasing.

The main aim of sLoad appears to be reconnaissance. Once installed on a system, it determines the location of the device from its IP address, performs several checks to identify the type of system and the software it is running, and determines whether it is on a real device or in a sandbox environment. It checks the processes running on the system against a hardcoded list and will exit if certain security software is found, to avoid detection.

Once the system is deemed suitable, a full scan of all running processes is completed. The sLoad installer searches for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of capturing screenshots and searches the browser history for specific banking domains. All of this data is then sent back to the hackers’ C2 server.

Once the system has been fingerprinted, further malware variants are installed, primarily banking Trojans. Geofencing is used widely by the threat actors behind sLoad, which helps to ensure that banking Trojans are only placed on systems where they are likely to be effective – that is, where the victim uses one of the banks that the Trojan targets.

In most of the campaigns seen so far, the banking Trojan of choice has been Ramnit. The attacks have also been very focused on specific countries including Canada and, latterly, Italy and the United Kingdom – locations which are currently being targeted by Ramnit. Other malware variants linked to the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.

The sLoad downloader is almost exclusively sent through spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been many email subjects used, most commonly the emails relate to purchase orders, shipping notifications and missed packages.

The emails include Word documents with malicious macros inside ZIP files, or alternatively embedded hyperlinks which download the ZIP file if clicked.

The sLoad installer may be stealthy and versatile, but the threat can be blocked with an advanced spam filter. End user training to condition staff never to click hyperlinks from unknown senders, open attachments, or enable macros will also help to prevent infection. Web filtering solutions provide an additional layer of protection against attempts to download malicious files from the Internet.
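A concrete control for the ZIP-wrapped macro documents described above is an attachment scanner that opens the archive, looks inside any Office document it contains for a VBA project part, and recurses into nested archives with a depth and size limit so that it cannot be tied up by a decompression bomb. The Python below is an added example and not code from the original article or from any vendor; the file names, the placeholder vbaProject.bin contents and the extension list are constructed for the demonstration. It relies on the fact that Office Open XML files are ZIP packages in which embedded macros are stored as a vbaProject.bin part (for example word/vbaProject.bin); legacy binary .doc files use the OLE format and need a different check.

```python
import io
import zipfile

SCRIPT_EXTS = (".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk")
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate members larger than this


def zip_bytes(members):
    """Build an in-memory ZIP from {name: bytes-or-str}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment(with_macro):
    """Constructed test data: a ZIP attachment holding a minimal OOXML document,
    optionally with the vbaProject.bin part that signals embedded VBA macros."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>"}
    if with_macro:
        # Real vbaProject.bin parts are OLE compound files; a placeholder suffices here.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 constructed placeholder"
    doc_name = "Purchase_Order.docm" if with_macro else "Purchase_Order.docx"
    return zip_bytes({doc_name: zip_bytes(parts), "readme.txt": "constructed sample"})


def office_has_macros(data):
    """True if the bytes are an OOXML package containing a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False   # not an OOXML package


def scan_zip_attachment(data, depth=0, max_depth=2, prefix=""):
    """Walk a ZIP attachment (recursing into nested ZIPs) and list reasons to hold it."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            name = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: oversized member, not inflated")
                continue
            blob = archive.read(info.filename)
            if blob[:2] == b"PK":                      # another ZIP-based container
                if office_has_macros(blob):
                    findings.append(f"{name}: Office document with VBA project")
                elif info.filename.lower().endswith(".zip"):
                    if depth < max_depth:
                        findings.extend(scan_zip_attachment(blob, depth + 1, max_depth, name + "/"))
                    else:
                        findings.append(f"{name}: nesting too deep, not inspected")
            elif info.filename.lower().endswith(SCRIPT_EXTS):
                findings.append(f"{name}: executable or script inside archive")
    return findings


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_attachment(True)))
    print(scan_zip_attachment(build_sample_attachment(False)))
```

The scanner deliberately tests every member that starts with the ZIP signature rather than trusting file extensions, so a macro-bearing document renamed to .docx or hidden one archive deeper is still reported; a mail gateway would quarantine any attachment that produces a finding.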