Emotet Trojan Being Spread Using New Windows Update Lure

The Emotet Trojan is one of the most widespread forms of malware currently in use, and it is being used to try to infiltrate databases.

This Trojan is usually distributed via spam email campaigns that use a range of lures to convince users to download the Trojan file. These spam emails are generated by the Emotet botnet – an army of zombie devices that have been infected with the Emotet Trojan. The Trojan takes over the victim’s email account and uses it to send copies of itself to the victim’s company contacts, using the email addresses in the victim’s contact list.

Emotet emails typically have a corporate theme, since it is company users that the Emotet operators target. Campaigns often use proven phishing lures including fake invoices, purchase orders, shipping notices, and CVs, with the messages often containing very little text and an email attachment that the recipient is required to open to view additional details.

In many cases Word documents are sent containing malicious macros which install the Emotet Trojan on the victim’s computer. For the macros to be enabled, the user is required to click ‘Enable Content’ after opening the email attachment.

The attached documents use a range of different tricks to persuade users to enable content. Often the documents claim that the Word document was created on an iOS or mobile device and content needs to be enabled for it to be viewed, or that the contents of the document have been protected and will not be displayed unless content is enabled.

Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining that a Windows update needed to be installed to upgrade apps on the device, which were supposedly preventing Microsoft Word from displaying the document contents. Users were told to click Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
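The infection chain above depends on a macro-bearing Office attachment reaching the inbox. The following is an added example (editor’s code, not from the original post or from any TitanHQ product) of a mail-gateway check that classifies each attachment by inspecting the OOXML package for a VBA project, so `.docm` files, and `.docx`-named files that still carry macros, can be quarantined before a user ever sees the ‘Enable Content’ bar; it also works for Excel and PowerPoint packages, since the VBA part lives under the same name. The sample email, filenames and documents are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Pre-2007 binary Office files (.doc/.xls) are OLE2 compound files with this magic.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Real OOXML content types used by Word for the main document part.
CT_DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CT_DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"
CT_VBA = "application/vnd.ms-office.vbaProject"


def office_macro_verdict(data: bytes) -> str:
    """Classify one attachment payload.

    'macro'          OOXML package that carries a VBA project (quarantine it)
    'legacy-binary'  OLE2 file: macros cannot be ruled out without parsing
                     the OLE streams, so route it to deeper inspection
    'clean'          OOXML package with no VBA project
    'other'          not an Office document at all
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # word/, xl/ and ppt/ packages all store macros as vbaProject.bin;
            # its presence is decisive regardless of the file extension.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macro" if "macroEnabled" in ctypes else "clean"
    except zipfile.BadZipFile:
        pass
    return "other"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename() or "<unnamed>", office_macro_verdict(payload)))
    return results


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word package; with_vba=True mimics a .docm."""
    main_ct = CT_DOCM if with_vba else CT_DOCX
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{CT_VBA}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder VBA blob
    return buf.getvalue()


def _build_sample_email() -> bytes:
    """Constructed sample: one macro doc, one clean doc, one legacy .doc stub."""
    msg = EmailMessage()
    msg["From"] = "accounts@constructed-sender.example"
    msg["To"] = "user@constructed-victim.example"
    msg["Subject"] = "Windows update required to view document"
    msg.set_content("Please open the attached document and enable content.")
    msg.add_attachment(_build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Windows_Update_Info.docm")
    msg.add_attachment(_build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="order.doc")
    return msg.as_bytes()


SAMPLE_EMAIL = _build_sample_email()

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{name:28s} {verdict}")
```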

The Emotet Trojan does not just add devices to a botnet and use them to run further spam campaigns. One of the main uses of Emotet is to install other malware variants on infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.

TrickBot started out as a banking Trojan and first came on the scene in 2016, but the modular malware has been regularly updated over the past few years to include a range of new functions. TrickBot still behaves like a banking Trojan, but it is also a stealthy information stealer and malware installer, as is QBot malware.

As is the case with Emotet, once the operators of these Trojans have achieved their objectives, they deliver a secondary malware payload. TrickBot has been widely used to deliver Ryuk ransomware, one of the biggest ransomware threats around at present. QBot has linked up with another threat group and delivers Conti ransomware. From just one phishing email, a victim could therefore receive Emotet, then TrickBot or QBot, and then be hit with a ransomware attack.

For these reasons it is crucial for companies to select an effective spam filtering solution to block the initial malicious emails at source and stop them from reaching corporate inboxes. It is also important to provide security awareness training to staff members to help them identify malicious messages such as phishing emails, in case a threat is not blocked and reaches employees’ inboxes.

Organizations that rely on the default anti-spam defenses that come with Office 365 licenses should consider configuring an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.

To find out more about the full package that comes with SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, call the SpamTitan team now.

 

Remote Workforce Ideally Suited for Cloud-Based Email Solutions

Universities and other higher education establishments are at risk of data breaches and malware threats, the same as all large organisations. From a cyber criminal’s perspective, schools and universities represent a big target. The personal and financial data held in university systems is very valuable to cyber criminals.

The potential consequences of a data theft are huge – reputational, legal, economic and operational. Future funding could be affected, as could student fees and associated income in the future.

Prosecution and other penalties could also follow, as could the loss of sensitive data. Even the infrastructure could sustain significant damage that disrupts the activities of the institution.

One malware attack was so vicious that a Minnesota school had to shut down completely for a full day. Repairing the damage could take weeks, and it could have been avoided.

A crypto-ransomware attack very recently encrypted the entire network of a New Jersey school. The source of the infection is still unclear, but it may have been that someone opened a malicious email attachment or an unsafe app, or even just visited a website carrying malicious advertisements.

The nature of the university campus and its network is one of the biggest differences between higher-education establishments and corporate networks. University network infrastructure is often complex and made up of many dispersed networks. There are certain environments where the concept of tight data security has traditionally been seen as unhelpful or, in some cases, unwanted. When a large institution thrives on the free exchange of data and ideas, it isn’t easy to apply the same high-tech security measures that large companies can.

When cyber criminals target educational organisations, timing is critical. The new school year always means scammers are segmenting their email databases to launch calculated, planned attacks as soon as students and employees come back online. Every year scammers launch new spam and phishing campaigns; fake welcome emails, password reset emails, and banking notifications are just a few of the ways spammers try to infiltrate your data.

The internet has provided the education sector with some great and unique opportunities, and some major headaches. Educators continue to look for the best way to help children use the internet for schoolwork whilst protecting them from an array of online dangers.

Blocking inappropriate content doesn’t have to block learning too. As students spend much more time connected to the web, ensuring this time is spent safely is vital. By scanning page content, WebTitan’s content engine can keep up with the ever-changing nature of the web.

Educational Institutions need to filter for the following reasons:

  • Student safety – protection from dangerous, inappropriate or illegal sites
  • Network security
  • Identifying cyberbullying
  • CIPA compliance
  • Application of Acceptable Internet Usage Policies
  • Bandwidth control
  • Ability to monitor

It is your vital duty as an education establishment to provide a safe and effective learning environment. Schools are legally obliged to demonstrate reasonable and proper measures to control access to the internet. There is a fine balance between what has to be allowed and what security measures can be put in place. Security in all organisations, commercial or academic, is a trade-off between the likelihood and possible impact of an attack and the financial cost or loss of utility that is incurred in defence.

Malware Attacks Being Used by Cybercriminals to Target Schools

Infrastructure Takedown Hinders TrickBot Phishing Campaigns

The majority of modern businesses have put in place a hybrid workforce model, where employees can carry out their duties whether based in the office or working from home. This working model is ideal for most companies due to the flexibility it provides.

Recent research produced by Gartner has revealed that, since the beginning of the coronavirus pandemic, 88% of companies made remote working mandatory. This quick shift from an office-based to a remote workforce caused major issues for IT departments, but it has allowed business to continue to operate as close to normal as possible. There have been productivity issues and technical obstacles to overcome. Most importantly, workers are able to remain in touch and collaborate using online chat platforms, videoconferencing, and the telephone, and some companies have even recorded enhanced productivity levels using these communication methods.

Despite the increase in the number of methods being used for collaborating and maintaining contact, remote working has resulted in companies and their staff being dependent on email to a much greater extent. This higher reliance on email means it is now crucial to make sure that emails can be accessed come what may, since a compromised email server would otherwise see work come to a halt.

The majority of companies use email to hold vital information, and much of the data in emails is not held in any other location. A report from IDC states that approximately 60% of business-critical data resides in emails and email attachments, and that was before the pandemic took hold.

There is a lot of legislation and regulation governing business data, at the federal, state, and industry level. Set retention periods are required for specific types of data, regardless of where the data is held. If the information is stored in emails, then that information must be protected and secured against accidental or deliberate deletion until the retention period has ended.

Backups of emails can be carried out to meet certain regulations, but there are issues when it comes to retrieving emails. Locating emails in backups can be a time-consuming task that can take days or weeks. Even locating the appropriate backup media can be a major issue before you can search for emails within it.

The best method for ensuring privacy and security, meeting compliance obligations, and ensuring that emails and attachments never go missing is to configure an email archiving service. Email archives are designed for long-term data storage. Email archives can be easily searched, so when emails need to be located and retrieved, the task takes seconds or minutes. A tamper-proof record of all emails is retained for compliance purposes, to protect against data loss, and to ensure business continuity in the event of something unwelcome happening.

Most companies have configured an on-premises email archive, but this is far from ideal in a world where almost all staff members are working remotely. After the pandemic has ended, many staff members will go back to the office, but remote working looks set to remain. The ideal option is therefore to use an email archiving solution that suits remote or hybrid working.

Cloud-based email archives centralize disparate email servers and hold all emails safely in the cloud where they can be quickly and simply retrieved by any authorized individual, from any location. As many companies now use cloud-based email, sending emails to a cloud-based archive makes more sense than using on-site archives. Sending emails to the archive and recovering emails will be far faster from a cloud service to a cloud service.

If you have an on-site email archive, moving to a cloud-based service can save time and money. There is no need to manage hardware or perform software updates, the archive is automatically backed up to ensure that emails can always be retrieved, and storage space will never be an issue due to the scalability of a cloud-based solution.

10 Reasons Why Archiving Email Is Important for Your Business

Any loss of email would be detrimental to the workings of a modern company. The vast majority of the information held in old emails is typically not saved elsewhere, so losing emails due to a technology issue, or having them stolen or locked by hackers, is not a desirable course of events.

Along with the inconvenience of business interruption there are also regulatory issues to take into account, as you could be fined if a breach takes place. In addition, emails may be needed in the event of an official investigation, and not retaining them could prove a costly mistake. Even though the majority of companies perform backups in order to be prepared for a disaster, there can be issues with this approach. Backups are not searchable in the same way that archives are. The best solution for preserving your emails is to establish a reliable archive. Here we have listed 10 reasons for doing this.

10 Reasons Why Businesses Should Archive Emails

  1. Stopping Data Loss: Emails are placed in your archive for long-term, safe storage. Emails can be easily retrieved from here should an employee accidentally remove something important from their inbox.
  2. Mail Server Performance: As emails make up so much of the correspondence that your company handles, they place a massive strain on email servers. Moving a lot of email to the archive will relieve this pressure and can result in servers that perform better.
  3. Litigation and eDiscovery: In the event of a lawsuit, you are likely to be required to produce emails related to the case and you will only have a short period of time in which to respond. Finding emails in PST files and backups can be an extraordinarily time-consuming process, and you may have to search through several years of email data to find all the emails you need. You must also ensure that the messages are original and have not been altered in any way. An email archive makes responding to eDiscovery requests and finding and producing emails a quick and simple process.
  4. Less Work for IT Departments: If employees delete or lose important emails, the IT support desk will be the first port of call for addressing this. Placing emails in an archive eliminates email storage issues and makes the IT department’s work much easier, especially if staff members can access their own email archives.
  5. Disaster Recovery: Email data can easily be lost if there is a hardware issue or a device is stolen. When emails have been moved to the archive they can be swiftly and simply retrieved.
  6. Regulatory Compliance: An email archive assists with all regulatory compliance tasks. Data can be categorized and retention periods can be created with emails automatically erased when the legal retention period is ended.
  7. Data Access and Right-to-be-Forgotten Requests: The General Data Protection Regulation (GDPR) and other laws give people the right to access all data that a company holds on them. If a request for access to personal data is received, the data must be produced promptly. An email archive allows you to quickly search email data and process right-of-access and right-to-be-forgotten requests.
  8. Internal Audits: An email archive makes the internal review process quick and simple and negates the need to include the IT department.
  9. Business Continuity: No matter what happens, you can easily access old emails using the advanced search capability of an email archiving solution, ensuring that business can continue as usual.
  10. Addressing Costs: Looking for lost emails, managing email servers, answering eDiscovery requests, and producing email data for audits can take a massive amount of time. An email archive will cut the amount of time that needs to be dedicated to these tasks and allow you to avoid unnecessary expense.

Solution: Use ArcTitan

ArcTitan is a robust, secure, cloud-based email archiving solution provided by TitanHQ that ensures emails will never be lost. Quick searches can be performed when you need to find old emails: emails are sent to the archive automatically at a rate of 200 emails a second, and searches of 30 million emails take less than a second. There are no restrictions on storage space, no on-site hardware is needed, and you only pay for the number of active mailboxes. Companies that use ArcTitan typically save up to 80% of their email storage space.

 

CISA Issues Alert Regarding Rise in LokiBot Malware Attacks

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has released a public warning about a marked rise in LokiBot malware activity recorded over the preceding two months.

Also known as Lokibot, Loki PWS, and Loki-bot, LokiBot initially came to the fore in 2015. It is a complex information stealer, used to obtain credentials and other protected data from victim devices. The malware attacks Windows and Android operating systems, uses a keylogger to capture usernames and passwords, and monitors browser and desktop activity. LokiBot can capture login credentials from a range of applications and data sources, including the Safari, Chrome, and Firefox web browsers, along with login details for email accounts and FTP and SFTP clients.

The malware can also capture other sensitive data, including cryptocurrency wallets, and can set up backdoors on infected devices to permit ongoing access, allowing the operators of the malware to deliver additional malicious payloads.

The malware establishes a connection with its command and control server and exfiltrates data over HTTP. The malware has been observed injecting itself into legitimate Windows processes such as vbc.exe to avoid detection. The malware can also create a copy of itself, which is saved to a hidden file and directory on the infected device.

The malware may be quite simple, but that has made it a useful tool for a wide range of cybercriminals, and it is being used in a wide variety of data compromise attacks. Since July, CISA’s EINSTEIN Intrusion Detection System has tracked a huge spike in LokiBot activity.

LokiBot is typically delivered via a malicious email attachment; however, since July, the malware has been distributed in a range of different ways, including links to websites hosting the malware being sent via SMS and other text messaging applications.

Information stealers have been in vogue since the beginning of the COVID-19 pandemic, particularly LokiBot. To tackle attacks like this, your organization should use a strong email and web security solution such as SpamTitan and WebTitan.

SpamTitan is a robust security solution that blocks phishing emails at source, stopping dangerous messages from landing in mailboxes. WebTitan is a DNS filtering solution that is used to control the web pages that can be accessed on wired and wireless networks, restricting access to web pages that are used for phishing and malware delivery.

WebTitan and SpamTitan can be used as part of a free TitanHQ trial.

Phishers Using Fake GDPR Compliance Reminders for Cyberattacks

A GDPR-related spam campaign has been identified in which phishers send out fake GDPR compliance reminders in an attempt to trick unsuspecting recipients into handing over login credentials.

This campaign was initially identified by researchers at the cybersecurity firm Area 1 Security. They detailed how the attack involves phishers sending an alert notification to a distribution list of company email addresses that they most likely purchased from a vendor on the black market.

An Area 1 representative stated: “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.”

They went on: “On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions.”
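The HELO trick quoted above leaves a trace in the `Received:` header that your own border MX writes (Postfix records it as `from <HELO> (<rDNS> [<IP>])`), so it can be detected after the fact without trusting anything the sender supplied. The following is an added example (editor’s code, not from Area 1 Security or from the original article) that flags a border hop where an external IP presented the organization’s own domain in HELO, and ignores earlier hops because an attacker can forge those headers; the domain `targetcorp.example`, the address ranges and the header lines are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Postfix-style border hop: "from <HELO> (<reverse-DNS> [<IP>]) by <our MX> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed organization profile: the domain we own, the networks our own
# relays live in, and the hostname suffix of the MX whose Received: line we trust.
OUR_DOMAINS = ("targetcorp.example",)
OUR_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24"))
OUR_MX_SUFFIX = "mx.targetcorp.example"


@dataclass
class HeloVerdict:
    helo: str
    ip: str
    spoofed: bool
    reason: str


def helo_claims_domain(helo: str, domains) -> bool:
    """True if the HELO name is one of our domains or a host beneath one."""
    helo = helo.lower().rstrip(".")
    return any(helo == d.lower() or helo.endswith("." + d.lower()) for d in domains)


def check_border_hop(received: str, our_domains=OUR_DOMAINS, our_networks=OUR_NETWORKS,
                     our_mx_suffix=OUR_MX_SUFFIX) -> HeloVerdict:
    """Inspect one Received: header value and decide whether HELO was spoofed.

    Only the hop written by our own MX is evaluated: the HELO name and peer IP
    in that line were observed by us, whereas any earlier Received: lines were
    supplied by the sender and could say anything.
    """
    m = RECEIVED_RE.search(" ".join(received.split()))  # unfold header whitespace
    if not m:
        return HeloVerdict("", "", False, "unparsed")
    helo, ip_text, by = m.group("helo"), m.group("ip"), m.group("by")
    if not by.lower().rstrip(".").endswith(our_mx_suffix.lower()):
        return HeloVerdict(helo, ip_text, False, "hop not written by our MX; untrusted")
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return HeloVerdict(helo, ip_text, False, "unparsed")
    internal = any(ip in net for net in our_networks)
    if helo_claims_domain(helo, our_domains) and not internal:
        return HeloVerdict(helo, ip_text, True, "external host presented our domain in HELO")
    return HeloVerdict(helo, ip_text, False, "ok")


# Constructed sample header values (RFC 5737 documentation addresses).
SAMPLE_RECEIVED = {
    # The pattern described in the article: HELO says we sent it, IP is outside.
    "spoofed": ("from targetcorp.example (unknown [203.0.113.5]) by mx.targetcorp.example "
                "(Postfix) with ESMTP id 4CONSTRUCTED1 for <user@targetcorp.example>; "
                "Tue, 29 Sep 2020 09:12:31 +0000"),
    # Our own internal relay legitimately uses a hostname under our domain.
    "internal": ("from mail.targetcorp.example (mail.targetcorp.example [10.0.0.12]) "
                 "by mx.targetcorp.example (Postfix) with ESMTPS id 4CONSTRUCTED2; "
                 "Tue, 29 Sep 2020 09:13:02 +0000"),
    # A third party using its own name is not a HELO spoof of our domain.
    "vendor": ("from mail.vendor.example (mail.vendor.example [198.51.100.7]) "
               "by mx.targetcorp.example (Postfix) with ESMTP id 4CONSTRUCTED3; "
               "Tue, 29 Sep 2020 09:14:45 +0000"),
    # A forged upstream hop: same trick, but the line was not written by our MX.
    "forged_upstream": ("from targetcorp.example (unknown [203.0.113.9]) "
                        "by relay.attacker.example (Postfix) with ESMTP id 4CONSTRUCTED4; "
                        "Tue, 29 Sep 2020 09:10:00 +0000"),
}


def audit_samples() -> dict[str, bool]:
    """Return the spoof flag for each constructed sample."""
    return {name: check_border_hop(value).spoofed for name, value in SAMPLE_RECEIVED.items()}


if __name__ == "__main__":
    for name, value in SAMPLE_RECEIVED.items():
        v = check_border_hop(value)
        print(f"{name:16s} helo={v.helo:24s} ip={v.ip:14s} spoofed={v.spoofed} ({v.reason})")
```

The same check can be enforced at SMTP time rather than after delivery: Postfix, for example, can reject a session whose HELO names your own domain from a non-internal client via a `check_helo_access` map in `smtpd_helo_restrictions`.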

If a recipient visits the website linked in the email, they are taken to a web page loaded with malware and phishing lures. This website steals their login credentials, giving the attackers access to their company email account. These accounts can then be leveraged to spread the campaign further within the company, resulting in even more cyber crime. The phishing website is hosted on a compromised, outdated WordPress website.

Another characteristic of this campaign is that the URL has a degree of personalization, as the email address of the recipient (the target) is auto-completed in an HTML form on the malicious web page. The username field and the email address field (taken from the URL’s “email” parameter) are also pre-filled. Such precision can persuade recipients that the website they are viewing is genuine and result in them supplying their login details.

To prevent attacks like this you should implement a cybersecurity solution such as SpamTitan. SpamTitan is a powerful cybersecurity package that stops phishing emails at source, preventing dangerous messages from landing in mailboxes. WebTitan and SpamTitan can both be tried as part of a free trial.

Media and Finance Attacked in Palmerworm Espionage Malware Targeting Campaign

A recent Symantec report has indicated that Palmerworm attacks are on the rise for the first time since 2013.

It was recently discovered that the malware has been more persistently active in 2020, and in one case remained on an unnamed corporate network for almost six months. The hackers behind Palmerworm have added new malware to the advanced persistent threat (APT), which is aimed at mainstream media and financial organizations in the US, Japan, Taiwan, and China.

Even though Symantec was unable to identify the initial attack vector, it is thought that these attacks begin with a phishing campaign. Palmerworm uses an unusual approach to fooling users into running malicious content: the malware is signed with stolen code-signing certificates, making users believe that the software is genuine.

Code signing is a way of informing operating systems and users who developed a piece of software. When a user attempts to install software, the operating system shows the publisher. The publisher signs the software using private keys that should only be available to the publisher. An example of a code-signing prompt is shown below:

 

In this image, the user can see that the publisher is Microsoft and will allow the program to be installed. The Palmerworm authors use stolen code-signing keys to sign their software, which makes it highly likely that users will install the malware.

Palmerworm uses custom malware and some freely available software to deliver the payload. The malware is a group of backdoors that give the hackers access to the network and allow them to remain on a corporate network even after administrators think it has been removed.

The custom malware delivered by Palmerworm includes:

  • Backdoor.Consock
  • Backdoor.Waship
  • Backdoor.Dalwit
  • Backdoor.Nomri

The publicly available tools that help Palmerworm install and scan the network include:

  • PuTTY – gives the hackers remote access
  • PsExec – used to run commands on a Windows network
  • SNScan – scans the network to find other possible targets
  • WinRAR – an archiving tool used to transfer data to the hackers, hide malware, and extract it on a new target

The backdoor malware gives the hackers a high level of access across devices. Once an attacker has full control of one device, the malware can be spread to other devices on the network. The network reconnaissance and administration tools help the hackers find additional vulnerable devices on which backdoors and remote control can be established.

Palmerworm is not a new advanced persistent threat. It has been in existence since 2013, so strong anti-malware programs can detect the backdoors and prevent them from being downloaded to a device. Organizations with enterprise-level anti-malware should have it installed on all devices, including desktops and mobile devices.

As it is presumed that Palmerworm starts with a phishing campaign, it is more important than ever to use email filters. Content filters will also prevent users from accessing malicious sites where hackers could host Palmerworm malware and trick users into installing it. Email filters will block malicious emails with attachments that could contain Palmerworm malware, or macros that would download it from a hacker-controlled server.

Training users on the dangers of phishing and how to identify the red flags associated with phishing also helps. Users with adequate education are less likely to install malicious content or open attachments. They will also be wary of suspicious links from unknown senders.

TitanHQ supplies a cloud-based email filtering solution that blocks Palmerworm and other advanced persistent threats. By implementing the cloud-based WebTitan platform, your organization will also be safeguarded from Palmerworm and other web-based attacks that require users to first visit a hacker-controlled site from which the malware is downloaded and installed.

 

HMRC Phishing Scam Sees UK Businesses Targeted

UK companies are the victims of a recent scam campaign in which cybercriminals are pretending to be agents of Her Majesty’s Revenue and Customs (HMRC). A number of spam campaigns have been identified over the past few weeks that take advantage of the measures implemented by the UK government to help companies through the COVID-19 pandemic and the lockdowns that have stopped companies from operating or forced them to scale back operations significantly.

The HMRC scams have been widespread and varied, targeting companies, the self-employed, furloughed workers and others via email, telephone, and SMS messages. A number of the attacks include threats of arrest and jail time for the underpayment of tax, demanding payment over the phone to prevent court action or arrest.

One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a hacked third-party email account. The scam email tells recipients that they are entitled to a tax refund from HMRC, and a link is provided that the recipient is told to click in order to receive the refund. To apply for the refund, the user must hand over sensitive information via the website, which is captured by the hackers.

A separate campaign has been discovered that also impersonates HMRC and similarly seeks sensitive information such as bank account and email details. The UK government launched a scheme to help businesses by allowing them to defer VAT payments due between March and June 2020 until June 2021, to ease the financial impact of the nationwide lockdown. Many companies took advantage of the scheme and applied to have their Value Added Tax (VAT) payments pushed back.

The campaign uses emails that spoof HMRC and inform companies that their application to defer their VAT payments has been rejected because the company is in arrears. The emails include an attachment with further information and a report on the application. The document is password-protected, and the password is supplied in the email to allow the file to be opened.

A hyperlink is given that will take the user to a website where they are asked to provide sensitive information including their bank account details and email address and password, which are captured by the hackers.

COVID-19 has given scammers a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are believable, the messages are well composed, and the hackers have gone to great lengths to make their phishing websites look like the entities they are impersonating.

Companies should be on high alert and particularly wary of phishing scams. They should warn their staff to take extra care with any request that requires the disclosure of sensitive details.

Technical controls should also be implemented to block phishing emails at source and prevent visits to malicious websites. TitanHQ offers two anti-phishing solutions for companies and MSPs to help prevent phishing attacks: SpamTitan and WebTitan.

 

Higher Incidence of Exploit Kit Activity on Adult Ad Networks Reported

Malwarebytes has released a report showing a malvertising campaign that used the Fallout exploit kit to distribute Raccoon Stealer via popular adult websites.

The attack was reported to the ad network and the malicious advert was taken down. However, it was soon replaced with an advert that sent visitors to a site hosting the Rig exploit kit. A separate campaign was then discovered, run by another threat actor known for targeting adult ad networks. The malicious adverts were served via a wide range of adult websites, including one of the most popular, which receives more than 1 billion page views a month.

The threat actor bid only for ad impressions served to Internet Explorer users, since the exploit kit relied on flaws in IE and Flash that many users had not patched. The flaws exploited were CVE-2019-0752, an Internet Explorer vulnerability, and CVE-2018-15982, a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered, along with Raccoon Stealer and ZLoader.

For an exploit kit to succeed, the visiting computer must have an unpatched flaw for which the kit carries an exploit. Prompt patching is almost always one of the most effective ways of ensuring these attacks fail. Internet Explorer and Flash Player should no longer be used at all; vulnerabilities in both are attacked frequently.

These campaigns can also be easily prevented with a web filter. Unless your business operates in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter lets you block all adult websites, along with other categories of web content that employees should not be accessing in the office.

A cloud-based web filter such as WebTitan is a cost-effective way to do this. It protects against web-borne attacks such as exploit kits and drive-by malware downloads, helps improve productivity by stopping staff from visiting websites that serve no work purpose, and can reduce legal liability by preventing employees from engaging in illegal online activity such as downloading copyright-infringing files.

Once configured, which is a quick process, access to specific categories of website can be blocked with a click, and staff will be prevented from visiting websites known to host malware, phishing kits, and other malicious content.

For more details on WebTitan and protecting your company from web-based attacks contact TitanHQ now.

Webinar Sept 22, 2020 – How Email Archiving Can Ensure Business Continuity with a Remote Workforce

Businesses have been forced to change their working practices as a result of COVID-19. The lockdowns introduced by governments around the world have meant businesses have had to rapidly change from an office-based workforce to having virtually everyone working remotely.

The restrictions on office work may have now eased, and employees are starting to be encouraged to return to working from the office, but remote working to some extent is now here to stay.

Most businesses have coped well with the new remote working environment. Many report that their employees have been just as productive, if not more productive, working from home. However, remote working is not without its challenges. Many businesses are concerned about how to ensure compliance with regulations with a remote workforce and how to ensure business and email continuity.

On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss some of the key challenges faced by businesses with a remote workforce and to introduce a solution to keep businesses moving forward when employees are working remotely and ensure business continuity.

During the webinar TitanHQ experts will discuss the following topics:

  • The Current 2020 Technology Landscape
  • Security & Compliance in a time of Global Remote Working
  • Increase in Companies Relying Solely on Office 365
  • Protecting Business Critical Data
  • The Importance of Continuity in the Era of Remote Working

Attendees will also be given a live demo of TitanHQ’s cloud email archiving solution, ArcTitan.

Webinar Information

Title:       How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Date:     Tuesday, September 22, 2020

Time:    London/Dublin: 5:00 pm (GMT +1)  ¦  USA:      12:00 pm ET; 09:00 am PT

Hosts:     James Clayton, ArcTitan Product Specialist  ¦  Derek Higgins, Engineering Manager, TitanHQ

 

Click Here to Register for the Webinar

New Phishing Campaign Spoofs Security Awareness Training Company

A new phishing campaign has been discovered targeting businesses in a bid to steal their Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company that provides security awareness training to help employees recognize phishing attacks.

The emails warn the recipient that a security awareness training module is about to expire and that they have only one day left to finish it. Three links are included that, at face value, look like genuine KnowBe4 URLs; however, they lead to a phishing page on a compromised website where Outlook credentials and personal information are stolen via a realistic copy of the Outlook Web App login page.

Instructions are given for completing the training from outside the network: the user is told to enter their username and password and click the sign-in button, which, it is claimed, will open the training module. While the site the phishing email links to is realistic, the giveaway is the domain. Many URLs on a range of compromised sites have been used in this campaign, none of them linked to the security awareness training provider. Busy employees, however, may fail to check the URL before entering their details.

Spoofing a cybersecurity company dedicated to phishing prevention is a bold move, and one that may trick staff into believing the email is genuine. Any company can be spoofed in a phishing campaign. That a company provides anti-phishing services does not exempt its emails from the usual validity checks, and this should be emphasized in employee security awareness training.

Cofense, which analyzed the websites, reports that the compromised sites had recently hosted a web shell that allowed the attackers to upload and edit files. The sites had been compromised since at least April 2020 without the owners' knowledge, and the phishing kit used in this campaign has been installed on at least 30 websites since the campaign began in mid-April.

Employees receive hundreds of emails each week, and spotting every phishing email is difficult when many are realistic and closely resemble genuine messages staff see every day. Security awareness training is crucial, but it is also important to deploy an advanced spam filtering solution capable of blocking virtually all (in excess of 99.9%) malicious emails.

With an advanced spam filtering solution such as SpamTitan in place, these emails are stopped at source and never reach end users' inboxes.

How to Spot a Phishing Email

Although there are some very straightforward ways to spot a phishing email, workers are still tricked into replying or clicking on links.

Phishing campaigns are cheap to run, require little skill, can be very profitable, and often succeed. It is no surprise that, according to the Verizon Data Breach Investigations Report, more than two thirds of data breaches start with a phishing email.

Spotting a Phishing Email

Phishing emails can land in your inbox in many different forms, and attackers change their tactics to trick staff into handing over valuable information or granting access to systems. Use the following checks, and advise your staff to do the same.

  1. Double Check Who Sent the Email: Make sure the email did not come from a spoofed address. It may look as though it came from a trusted company when a single character has been changed to deceive you. Hover over the display name to reveal the actual sender address, and compare the domain character by character.
  2. Beware of Spelling Mistakes: Review the message closely for spelling mistakes; if anything seems unusual, reconsider how you treat it. In some cases errors are included deliberately to identify who is easily fooled; those who respond are then sent further emails to exploit them.
  3. Urgency Is Typically Used by Phishers: A phishing email is likely to press you to complete an action within a stated deadline, before you have time to realise the sender is not genuine. Urgency is one of the main tools phishers use to make people hand over information. Take a few extra seconds to verify that the email comes from a genuine sender and not an attacker.
  4. Beware of URLs: Most phishing emails aim to obtain login credentials or other valuable data. To do so they try to get you to click a URL that leads to a credential-harvesting page or a site hosting malware. Before clicking, check that the link's real destination (shown on hover) matches the address the text claims and is the genuine domain.
  5. Tread Carefully with Email Attachments: Another way phishers try to infiltrate your device is to include a file that appears authentic. In reality it may install malware that steals information or locks access to your files and network until a large ransom is paid.
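
Checks 1, 3 and 4 above can be partly automated. The following is an added example, not code from the original article or from TitanHQ, that runs those checks over a constructed message. `example.com` is an assumed trusted domain; the other hostnames are invented for the example.

```python
"""Added example (not from the article): automated versions of checks 1, 3
and 4 above, run over a constructed message. 'example.com' is an assumed
trusted domain; the other hostnames are made up for the example."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumed: domains a display name may legitimately claim
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ (hours?|days?)|final notice|suspend)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing message: trusted name in the display name, unrelated
# sender and Reply-To domains, urgency in the subject, and a link whose
# visible text differs from its real target.
PHISH = b"""From: "Example.com Accounts Payable" <billing@examp1e-invoices.net>
Reply-To: refunds@mail-examp1e.net
To: user@corp.test
Subject: URGENT: invoice overdue - act within 24 hours
Content-Type: text/html

<p>Your invoice is overdue. Click <a href="http://examp1e-invoices.net/login">
https://portal.example.com/invoices</a> to avoid suspension.</p>
"""

# Constructed legitimate message for comparison.
CLEAN = b"""From: "Example.com Accounts Payable" <ap@example.com>
To: user@corp.test
Subject: Invoice 1042 for March
Content-Type: text/html

<p>Your invoice for March is attached. View it at
<a href="https://portal.example.com/invoices">https://portal.example.com/invoices</a>.</p>
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> list[str]:
    """Return the red flags found; an empty list means none of these checks fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, real = parseaddr(msg["From"] or "")
    real_dom = domain_of(real)
    # Check 1: display name invokes a trusted domain the real address does not belong to.
    if any(d in display.lower() for d in TRUSTED_DOMAINS) and real_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name claims a trusted sender but address is @{real_dom}")
    # A Reply-To on a third domain is a common sign of a reply-based scam.
    reply_dom = domain_of(parseaddr(msg["Reply-To"] or "")[1])
    if reply_dom and reply_dom != real_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {real_dom}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Check 3: urgency language in subject or body.
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(body):
        findings.append("urgency language present")
    # Check 4: link text shows one host while the href points to another.
    for href, text in ANCHOR.findall(body):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings
```

Running `analyze(PHISH)` returns four findings and `analyze(CLEAN)` returns none. The display-name check is deliberately narrow: it only fires when the name invokes a domain you have listed as trusted, which keeps it quiet on ordinary mail.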

Business Anti-Phishing Solutions

There are many options to choose from, and TitanHQ has developed two strong anti-phishing services to help secure your network. SpamTitan has a reported spam detection rate of 99.97%, achieved through a range of checks including RBL checks, Bayesian analysis, heuristics, machine learning to spot zero-day attacks, and Sender Policy Framework (SPF) checks to stop email impersonation. Dual antivirus engines are used to detect malware, and sandboxing is used to identify dangerous email attachments. The other solution, WebTitan, is a DNS filtering solution that blocks web-based phishing attacks by preventing staff from reaching malicious web pages and stopping malware downloads.

 

Crucial Security Measures for All Companies

All companies, regardless of size or profit, must be aware of the constant danger posed by phishers and hackers. A phishing attack is an email that combines a lure to deceive the recipient with a call to action, such as downloading a file or visiting a link.

Phishing defenses should be deployed to block both of these components. First, you need a solution that stops the attack at source and prevents phishing emails from being delivered to inboxes. You should also have measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As a further protection, in case both of those fail, you need to prevent stolen credentials from being used to access the account.

Four Crucial Phishing Protection Security Tactics

To block phishing attacks successfully, your company needs four layers of security:

  1. Web filtering: Hackers are always devising new ways to trick people into handing over valuable information or granting access to systems. Spam filters (see below) stop most of these emails, but you should assume that some will slip through almost every day. A web filter checks each site a user tries to visit against blocklists and category rules, so that pages hosting malware or phishing lures are blocked before they load.
  2. Spam filtering: Your first line of defense must be a spam filter, which can block around 99.9% of spam, phishing, and malware-laced emails. Using multiple filtering techniques and blocklists of known malicious senders and sources, it stops many different types of attack.
  3. Multi-factor authentication: If an attack does succeed and credentials are stolen, multi-factor authentication prevents those credentials alone from being used to access your systems.
  4. End user training: An often-neglected measure is training your staff to recognize phishing emails and other attacks. This should be conducted on an ongoing basis, several times a year. Phishing simulations are also a good way to test your security measures and prepare your workforce for a real attack.

TitanHQ Phishing Security Solutions

TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.

Pricing is transparent and compares well with market rivals. To learn more, call TitanHQ or sign up for a free trial.

Case Study: Phishing Attack on a Security Awareness Training Group

Companies face constant attacks from hackers using many different vectors. Email is one of the main ways they target a company, typically using a lure to get someone to download malware or visit a malicious URL that hosts a credential-harvesting page. Once a user enters their details on such a site, they are in the attackers' hands.

A recent attack struck the SANS Institute, a leading information security training and certification organization that specializes in anti-phishing guidance. In August 2020 the institute disclosed that one of its staff members had been taken in by a phishing email and handed over their login credentials. With the credentials stolen, a new account was created and a mail-forwarding rule set up that sent copies of emails to the attacker's account. In total, 513 emails were forwarded, some containing private data belonging to SANS account holders. Once the attack was discovered it was calculated that personal information on 28,000 SANS members had been exposed. SANS is now using the attack to show that no organization is immune.

Even the best trained individual can be taken in by a lure, and attackers constantly change their methods. A new style of attack may look more authentic than anything seen previously, so you always need to be on your guard.

In most cases you can block phishing attacks by combining several security measures. The reason for layering them is that one will catch what another misses. As phishing attacks grow more sophisticated, a layered defense has never been more important.

Alongside regular end user training and phishing simulations to raise staff awareness, you should deploy an advanced spam filter. Office 365 includes a baseline level of protection, Exchange Online Protection (EOP), which blocks spam, known malware and the majority of phishing emails; adding a third-party solution such as SpamTitan greatly improves protection against more sophisticated phishing attacks and zero-day malware.

You should also consider a web filter to stop the web-based component of a phishing attack from succeeding. When a staff member tries to open a malicious page built to harvest credentials and other sensitive data, the web filter blocks it.

A spam filter, web filter, and end user training together give strong protection, but you should also use two-factor authentication. If credentials are stolen, two-factor authentication can stop them from being used on their own to access the account.

 

Teleworkers Targeted in New Vishing Campaign

An active voice phishing (vishing) campaign is targeting employees across many industries who are currently working remotely.

The campaign sees threat actors impersonate a trusted entity and use social engineering to persuade victims to hand over access to their corporate Virtual Private Network (VPN).

A joint advisory about the attacks has been released by the Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and Infrastructure Security Agency (CISA). This type of attack has grown in popularity recently because of the huge increase in remote working during the COVID-19 pandemic.

The attack begins with the group registering domains used to host phishing pages that mimic the targeted company's internal VPN login page; SSL certificates are obtained for the domains to make them look legitimate. Several naming schemes are used, such as [company]-support, support-[company], and employee-[company]. The criminals then gather data about the company's employees.

The range of information collected includes names, addresses, personal phone numbers, job titles, and length of time at the company. That information is then used to gain the trust of the targeted staff member.

Employees are then contacted from a voice-over-IP (VoIP) number. Early in the campaign the number was left unspoofed, but later the attackers began spoofing it so the call appeared to come from a company office or another member of staff. The employee is told they will be sent a link to log in to a new VPN system, and that they will need to respond to any two-factor authentication or one-time password prompts sent to their phone.

The attackers capture the credentials as they are entered into the fake page and use them to log in to the company's real VPN portal. When the employee approves the resulting 2FA prompt or enters the one-time code from the SMS message, the attackers capture and use that too.

The attackers have also used SIM swapping to bypass the 2FA/OTP step, using the information gathered about the employee to persuade their mobile carrier to port the number to a SIM the attackers control, so that any 2FA code goes straight to them. With VPN access, the attackers mine the company network for data to use in further attacks. The FBI and CISA say the end goal is to monetize that access.
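
To see why the relay described above works and what defeats it, here is an added example (not from the advisory or the article) that simulates both sides. First a victim enters a standard RFC 6238 one-time code on the attacker's page, which forwards it to the real portal inside the validity window. Then the same attempt is made against a second factor that signs the server's challenge together with the origin the user is actually on, the principle behind origin-bound authenticators such as FIDO2/WebAuthn, simplified here to an HMAC. The hostnames, password and keys are assumptions.

```python
"""Added example (not from the advisory or the article): why the relayed
one-time code described above works for the attacker, and why a second
factor bound to the site origin does not. Standard library only; the
password, secrets and hostnames are constructed for the example."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code shown in an app or sent by SMS."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def device_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """An authenticator that signs the server challenge together with the origin
    (hostname) it is actually talking to. This is the idea behind origin-bound
    authenticators such as FIDO2/WebAuthn, reduced to an HMAC for illustration."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class VpnPortal:
    """The company's real VPN login page (assumed hostname)."""
    ORIGIN = "vpn.example.com"

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self.password, self.totp_secret, self.device_key = password, totp_secret, device_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login_with_otp(self, password: str, code: str, now: int) -> bool:
        # The code is only a 6-digit string: whoever holds it inside the window can use it.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))

    def login_with_origin_bound(self, password: str, challenge: bytes, signature: bytes) -> bool:
        # The server folds *its own* origin into verification, so a response
        # produced against any other origin will not verify.
        expected = device_sign(self.device_key, challenge, self.ORIGIN)
        return password == self.password and hmac.compare_digest(signature, expected)


def simulate(now=None) -> dict:
    now = int(time.time()) if now is None else now
    portal = VpnPortal("Summer2020!", b"12345678901234567890", b"device-secret")
    fake_origin = "vpn-support-example.com"  # attacker's lookalike page (constructed)

    # Attack as described: the victim enters password and OTP on the fake page;
    # the attacker replays both against the real portal within the 30 s window.
    victim_code = totp(portal.totp_secret, now)
    otp_relay = portal.login_with_otp("Summer2020!", victim_code, now)

    # Same fake page, but the second factor is origin-bound. The attacker can
    # relay the real challenge, yet the victim's authenticator signs it against
    # the origin the victim is actually on, which is the attacker's domain.
    challenge = portal.new_challenge()
    relayed_sig = device_sign(portal.device_key, challenge, fake_origin)
    bound_relay = portal.login_with_origin_bound("Summer2020!", challenge, relayed_sig)

    # The genuine user on the genuine site still logs in.
    genuine_sig = device_sign(portal.device_key, challenge, VpnPortal.ORIGIN)
    genuine = portal.login_with_origin_bound("Summer2020!", challenge, genuine_sig)
    return {"otp_relay_succeeds": otp_relay, "origin_bound_relay_succeeds": bound_relay,
            "genuine_login_succeeds": genuine}
```

`simulate()` returns `otp_relay_succeeds=True` and `origin_bound_relay_succeeds=False`: the relayed code is accepted because nothing ties it to where the victim typed it, while the origin-bound response fails because the victim's browser was on the lookalike domain. SIM swapping changes nothing here, since the origin-bound response never passes through the phone number at all.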

The FBI and CISA recommend that organizations restrict VPN connections to managed devices using mechanisms such as hardware checks or installed certificates, restrict the hours during which the VPN can be used to reach the corporate network, use domain-monitoring tools to track domains that mimic the company's, and monitor web applications for unauthorized access and anomalous activity.
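
The naming schemes listed earlier and the domain-monitoring recommendation can be turned into a simple watchlist. The following added example (not code from the advisory or the article) generates lookalike candidates for an assumed company name, `acme`, and matches a constructed feed of newly seen domains against them; the watch words and TLDs are assumptions.

```python
"""Added example (not from the advisory): build a watchlist of the lookalike
patterns named above and match it against a feed of newly seen domains.
The watch words, the feed and the company name 'acme' are constructed."""
import itertools
import re

WATCH_WORDS = ("support", "employee", "vpn", "help", "login", "portal", "hr", "it")  # assumed
TLDS = (".com", ".net", ".org", ".co", ".online", ".help")  # assumed


def candidates(company: str) -> set[str]:
    """Exact lookalikes in the [company]-support / support-[company] style,
    with and without the hyphen, across the listed TLDs."""
    company = company.lower()
    labels = set()
    for word in WATCH_WORDS:
        labels.update({f"{company}-{word}", f"{word}-{company}", f"{company}{word}", f"{word}{company}"})
    return {label + tld for label, tld in itertools.product(labels, TLDS)}


def looks_like(company: str, fqdn: str) -> bool:
    """Fuzzier rule: the registrable label contains the company name plus one
    of the watch words as a separate token, e.g. acme-vpn-login.net."""
    company = company.lower()
    label = fqdn.lower().rstrip(".").split(".", 1)[0]
    if company not in label:
        return False
    rest = label.replace(company, " ")
    tokens = [t for t in re.split(r"[\s\-_0-9]+", rest) if t]
    return any(t in WATCH_WORDS for t in tokens)


def match_feed(company: str, feed, legitimate=()) -> list[str]:
    """Return feed entries worth investigating, skipping the company's own domains."""
    wanted = candidates(company)
    skip = {d.lower() for d in legitimate}
    hits = []
    for fqdn in feed:
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in skip:
            continue
        if fqdn in wanted or looks_like(company, fqdn):
            hits.append(fqdn)
    return hits


# Constructed feed, as might come from a certificate-transparency or new-domain source.
SAMPLE_FEED = [
    "acme.com",                 # the company's real domain
    "support-acme.com",         # exact pattern from the advisory
    "acme-vpn-login.net",       # variant the fuzzy rule catches
    "employee-acme.help",
    "acmeinsurance.co",         # contains the name but no watch word
    "hr-acme-portal.online",
    "example.org",
]
```

`match_feed("acme", SAMPLE_FEED, legitimate=["acme.com"])` returns the four lookalikes and leaves `acmeinsurance.co` alone. The `candidates()` list is the set you would feed to a registrar or monitoring service in advance; `looks_like()` catches the longer variants a fixed list misses.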

A formal authentication procedure should also be established for employee-to-employee communications over the public telephone network, requiring a second factor to authenticate the call before any sensitive data is disclosed.

Organizations should also monitor authorized users' access and usage to spot anomalous activity, and employees should be told about the scam and instructed to report suspicious calls to their security department.

 

Email Archiving Departmental Benefits

While the business advantages of an email archive for achieving full compliance are widely recognized, there are also many benefits for individual departments.

When you deploy an email archive you have an instant record of everything that passes through your email server, wherever it is located. Email retention is guaranteed for compliance purposes should an audit be required, and disaster recovery is far easier if a physical disaster or ransomware attack leaves the contents of your mail server inaccessible. There are numerous other advantages, including:

1. IT Staff Email Archiving Benefits

Your IT department will welcome an email archive, as it gives them instant access to old mail whenever it is required, making staff requests for email recovery far easier to process. Some archives can also give staff members access to their own archived mail. Human resources investigations become more straightforward in the same way. The load on servers is lower as there is no need to hold archives locally in PST files or on the mail server, which also removes a significant security risk. Less time is spent on maintenance, and network performance improves with less pressure on bandwidth.

2. HR & Legal Departments Email Archiving Advantages

As noted above, HR investigations are easier to conduct with an email archive. They can be completed much faster because IT staff can provide the necessary information in far less time, so outcomes are known sooner. eDiscovery requests can likewise be handled in hours rather than days. From a legal standpoint there is an immutable record of emails, which is crucial in any legal action: legal staff can be certain that no email has gone missing and can locate everything through an audit trail.

3. Staff Advantages

Research by Adobe found that employees spend a huge amount of time managing email, on average five hours a day in 2019. This is a massive productivity drain. With an email archive nothing is misplaced, so no time is lost searching for missing emails.

A 30-day free trial of the ArcTitan email archiving solution is available to let you see how it can help your organization. If you are considering a change from your existing archive provider, call the TitanHQ team to go through the full range of advantages of our solution.

 

SBA Loan Phishing Scams Warning Issued to Small Businesses

Many SBA loan phishing scams have been discovered in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.

As a result of the hardships suffered by companies due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is making loans and grants available to small companies to help them weather the storm.

Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and firms during the pandemic. Hackers have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and spread malware and ransomware.

Many phishing campaigns have been launched since April 2020 targeting businesses that are considering, or have already applied for, loans under the SBA's Economic Injury Disaster Loan program.

Phishing emails have been sent encouraging small businesses to apply for a loan. One campaign tells the company it is eligible and that the loan has been pre-approved. The aim is to obtain business information that lets the attackers apply for a loan in the company's name and pocket the funds.

Another scam impersonates the SBA and claims a loan application is complete and payment will be made once supporting documents are submitted. The emails carry an attached form to be completed and submitted via the SBA website. The attachment appears to be a .img file but has a hidden double extension and is actually an .exe executable. Double-clicking it installs GuLoader, a downloader that can deliver a variety of malicious payloads.

The same sender address was used in a separate attack featuring a PDF form requesting bank account information and other sensitive data, to be completed and uploaded to a spoofed SBA website.

In recent days yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch and state, local, tribal, and territorial government bodies with the subject line “SBA Application – Review and Proceed.” The emails link to a cleverly spoofed SBA page, indistinguishable from the authentic login page apart from its URL, that steals credentials. The scam led DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to release an emergency alert warning of it.

These SBA loan phishing scams use a range of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and foremost, you should have an advanced spam filtering solution such as SpamTitan in place. SpamTitan checks email headers and message content for the signs of spam, phishing and scams, and uses DMARC and Sender Policy Framework (SPF) checks to identify and block email impersonation attacks.

Dual antivirus engines detect known malware, and sandboxing subjects attachments to deep analysis to catch malicious code and malware not seen before. Machine learning is also used to discover new phishing scams, alongside multiple threat intelligence feeds that identify known ones.

Before opening any downloaded document or file, scan it with antivirus software that has up-to-date definitions. Check the file's properties to make sure it is what it claims to be and does not have a double extension; on Windows, turning off the “Hide extensions for known file types” option in File Explorer makes a name such as form.img.exe visible in full.
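
The two file checks above can be scripted. The following added example (not from the article) looks for a hidden double extension and compares the file's leading bytes with what its extension promises. The sample files, including an executable named .img like the one described, are constructed in a temporary directory, and the extension and signature tables are assumptions rather than exhaustive lists.

```python
"""Added example (not from the article): the two file checks above automated,
a hidden double extension and content that does not match the extension.
Sample files are constructed in a temporary directory; the extension and
signature tables are assumptions and not exhaustive."""
import tempfile
from pathlib import Path

# Extensions Windows will run directly.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Leading bytes of a few document/archive formats.
SIGNATURES = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}


def inspect(path: Path) -> list[str]:
    """Return reasons the file is suspicious; an empty list means none found."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    claimed = suffixes[-1] if suffixes else ""
    # Double extension such as form.img.exe, shown as form.img when Windows hides known extensions.
    if len(suffixes) >= 2 and claimed in EXECUTABLE_EXT:
        reasons.append(f"double extension {''.join(suffixes)} ends in executable {claimed}")
    # Right-to-left override or a run of spaces used to push the real extension out of view.
    if "\u202e" in path.name or "    " in path.name:
        reasons.append("file name hides its true extension with RLO or padding")
    # Content check: a PE executable starts with 'MZ' whatever the name says.
    head = path.read_bytes()[:8]
    if head.startswith(b"MZ") and claimed not in EXECUTABLE_EXT:
        reasons.append(f"content is a PE executable (MZ header) but extension is {claimed or 'none'}")
    elif claimed in SIGNATURES and not head.startswith(SIGNATURES[claimed]):
        reasons.append(f"content does not carry the {claimed} signature")
    return reasons


def demo() -> dict:
    """Write three constructed samples and inspect them."""
    samples = {
        "SBA_form.pdf": b"%PDF-1.4\n%constructed sample\n",     # genuine-looking PDF header
        "SBA_form.img.exe": b"MZ\x90\x00" + b"\x00" * 60,         # hidden double extension
        "SBA_form.img": b"MZ\x90\x00" + b"\x00" * 60,             # .img name, executable content
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            p = Path(tmp) / name
            p.write_bytes(content)
            results[name] = inspect(p)
    return results
```

`demo()` reports nothing for the PDF, a double-extension finding for `SBA_form.img.exe`, and a content mismatch for `SBA_form.img`. The content check matters most: a renamed executable has no double extension to spot, but its MZ header still gives it away.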

Care should be taken opening any email or attachment, even ones that are expected. Verify the legitimacy of any request received by email, especially one that asks for personally identifiable information, bank account details or other highly sensitive data.

Emails and websites may look legitimate and carry SBA logos, but that does not make them genuine. Always check the sender carefully: genuine SBA addresses end with @sba.gov, and the domain must be exactly sba.gov rather than a lookalike that merely contains those letters. Display names are easily spoofed, so click reply and inspect the actual email address. Take the same care with any website linked from an email and review the full URL to confirm it is the proper domain.

CISA also recommends monitoring users' web browsing and restricting access to potentially malicious websites. The easiest way to do this is with a web filtering solution such as WebTitan, which lets businesses monitor Internet activity in real time, send automatic alerts, block downloads of certain file types, and control the types of website staff can access.

For additional details on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call now.

FBI Issues Netwalker Ransomware Warning

Cyberattacks involving Netwalker ransomware have become much more common, to the point that Netwalker is now one of the biggest ransomware threats of 2020.

Netwalker is a ransomware variant previously known as Mailto, first seen a year ago in August 2019. The threat actors rebranded it as Netwalker in late 2019 and in 2020 began advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. Unlike many RaaS operations, the group is particularly choosy about who it allows to distribute the ransomware, and has been trying to build a select group of affiliates capable of network attacks on enterprises that have both the means to pay large ransoms and data valuable enough to warrant them.

Netwalker ransomware was used in a February attack on Toll Group, an Australian logistics and transportation firm, which caused widespread disruption, although the firm says it did not pay the ransom. Like many other ransomware gangs, the Netwalker group took advantage of the COVID-19 pandemic, using COVID-19 lures in phishing emails to deliver the ransomware payload via a malicious attachment, typically a Visual Basic Script (.vbs) loader.

Then came attacks on Michigan State University and Columbia College Chicago, with the frequency of attacks growing in June. The University of California San Francisco, which was carrying out COVID-19 research, was attacked and had little choice but to pay a $1.14 million ransom to regain access to research data encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the group.

The recent attacks show a change in style, suggesting they are the work of affiliates and that the recruitment campaign has been effective. A variety of techniques have been used to gain initial access: brute-force attacks on exposed RDP servers, exploitation of unpatched VPN appliances such as Pulse Secure VPNs still vulnerable to CVE-2019-11510, and exploitation of web application user-interface components such as the Telerik UI vulnerability CVE-2019-18935, as well as vulnerabilities in Oracle WebLogic and Apache Tomcat servers.
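
Brute-force attacks on exposed RDP servers, the first entry point listed above, leave a clear trail in the Windows Security log. The following added example (not from the FBI alert or the article) flags a source address that fails repeatedly within a short window and records whether a success from that address follows; the records, threshold and window are constructed assumptions for the example.

```python
"""Added example (not from the FBI alert or the article): a minimal detector
for the RDP brute-force entry point listed above, run over constructed
Windows Security log records. Event ID 4625 is a failed logon, 4624 a
successful one, and logon type 10 is RemoteInteractive (RDP). The threshold,
window and records are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, logon_type, source_ip, target_user) in log order; constructed.
SAMPLE_EVENTS = [
    ("2020-07-20T02:14:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-07-20T02:14:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-07-20T02:14:04", 4625, 10, "203.0.113.7", "root"),
    ("2020-07-20T02:14:06", 4625, 10, "203.0.113.7", "guest"),
    ("2020-07-20T02:14:07", 4625, 10, "203.0.113.7", "sa"),
    ("2020-07-20T02:14:09", 4625, 10, "203.0.113.7", "backup"),
    ("2020-07-20T02:14:12", 4624, 10, "203.0.113.7", "backup"),   # success right after the burst
    ("2020-07-20T09:00:00", 4625, 10, "198.51.100.5", "jsmith"),  # a user mistyping once
    ("2020-07-20T09:00:40", 4624, 10, "198.51.100.5", "jsmith"),
    ("2020-07-20T09:05:00", 4625, 3, "198.51.100.9", "svc"),      # network logon, not RDP: ignored
]


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source IP accumulates `threshold` failed RDP logons within
    `window`; if a success from that IP follows, record which account got in."""
    failures = defaultdict(list)   # ip -> [(time, user)] inside the sliding window
    alerts = []
    for ts, event_id, logon_type, ip, user in events:
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = [(ft, fu) for ft, fu in failures[ip] if t - ft <= window]
            recent.append((t, user))
            failures[ip] = recent
            if len(recent) == threshold:   # fire once as the threshold is crossed
                alerts.append({"ip": ip, "first_seen": recent[0][0].isoformat(),
                               "users_tried": sorted({u for _, u in recent}),
                               "successful_user": None})
        elif event_id == 4624:
            for alert in alerts:
                if alert["ip"] == ip and alert["successful_user"] is None:
                    alert["successful_user"] = user
    return alerts
```

`detect(SAMPLE_EVENTS)` produces a single alert for 203.0.113.7, listing the accounts tried and noting that `backup` then logged in successfully, which is the case to treat as a probable compromise rather than just noise. The lone failure from 198.51.100.5 stays below the threshold.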

With the ransoms paid to date the group is now far better funded and appears to have talented affiliates distributing the ransomware. Netwalker has become one of the largest ransomware threats, joining the ranks of Ryuk and Sodinokibi. Like those groups, it steals data before encrypting files and threatens to publish or sell it if the ransom is not paid.

The rise in activity and skill of the group at gaining access to enterprise networks prompted the FBI to release a flash alert warning of the risk of attack in late July. The group seems to be focusing on government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to rise.

Securing yourself from the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to obstruct email attacks, end users should be taught how to recognize dangerous emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is vital. All devices should be running the latest software versions.

Antivirus and anti-malware software should be implemented on all devices and kept up to date, and policies requiring strong passwords to be created should be enforced to stop brute force tactics from succeeding. Patched VPNs should be implemented for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed as they become available. Backups should be stored on a non-networked device that is not accessible via the internet to ensure they too are not encrypted in an attack.

Phishing Warning Issued Following Sports Industry Attacks

Football transfers involve huge sums of money being moved, often electronically, between clubs to bring in new players. If hackers can insert themselves into the communications between clubs, those payments can easily be stolen.

This is exactly what happened recently in a scam against a Premier League football club in England. The attackers gained access to the email account of the club's managing director through a phishing campaign that directed the MD to a domain where Office credentials were harvested. Those credentials were then used to access the MD's email account, and the scammers inserted themselves into an email conversation with another club about the purchase of a player. Fortunately, the scam was detected by the bank and a £1 million fraudulent payment was prevented.

This type of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are widespread and often successful. They range from straightforward one-off requests to lengthy multi-email exchanges between two parties, where one party believes they are communicating with the real account holder when they are actually communicating with the scammer. When the time comes to make a payment, the scammer supplies their own bank account details. All too often, these scams are not detected until after the payment has been made.

That is far from the only cyberattack on the sports sector in recent weeks and months. There have been numerous attempted cyberattacks, which prompted the UK's National Cyber Security Centre (NCSC) to release a warning advising the UK sports sector to be on high alert.

Before lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential systems, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be called off as a result. That ransomware attack is also suspected to have begun with a phishing email.

The recent attacks are not restricted to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past year.

NCSC figures show around 30% of incidents led to financial losses, with the average loss being £10,000, although one organization lost £4 million in a single scam. 40% of the attacks involved malware, which is often delivered by spam email, and 25% involved ransomware.

While malware and ransomware attacks are costly and disruptive, the main cause of losses is BEC attacks. FBI reports show these scams accounted for around 50% of all losses to cybercrime in 2019: $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported, and the FBI expects even greater losses this year.

While there are many different attack tactics, email remains the most common vector used in cyberattacks on companies. It is therefore vital to put in place a robust email security solution that can block malicious emails and stop them from being delivered to inboxes.

TitanHQ has created a powerful, advanced email security solution that can help businesses improve their email security measures and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates many threat intelligence feeds, machine learning systems to identify phishing scams, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation campaigns.

If you are worried about email security and want to improve your defenses against email threats, give the TitanHQ team a call now to find out more about SpamTitan and other security solutions that can help you defend your company from cyberattacks.


Phorpiex Botnet Activity Surges with Large-Scale Avaddon Ransomware Campaign

Recently there has been a rise in Phorpiex botnet activity. A botnet is a group of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often to distribute malware and ransomware. There are estimated to be around 500,000 devices in the Phorpiex botnet globally, and the botnet has been in operation for around 10 years.

The Phorpiex botnet has previously been used to send sextortion emails and to distribute cryptocurrency miners and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a huge Avaddon ransomware campaign in which around 2% of companies globally were targeted.

Ransomware attacks have grown recently, with many ransomware gangs deploying ransomware manually after gaining access to corporate networks by exploiting flaws in VPNs and other software or taking advantage of insecure default configurations. There has also been a rise in ransomware attacks using email as the attack vector. Many ransomware variants are now primarily distributed by email, and Avaddon ransomware was one of the most serious email threats in June. In one week in June, over 1 million spam emails were sent via the Phorpiex botnet, most of them targeting U.S. firms.

Avaddon ransomware is a new variant that was first seen in June. Its operators offer it as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension that made them look like JPG images on Windows computers. Windows hides extensions for known file types by default, so in the default configuration the attachment would appear to be named IMG123101.jpg. Only if Windows had been configured to display known file extensions would the user see that the file was actually IMG123101.jpg.js. Opening the file executes the script, which launches a PowerShell and Bitsadmin command that downloads and runs Avaddon ransomware.

More recently, a campaign was spotted that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments containing malicious Excel 4.0 macros. Unlike JavaScript files, which run as soon as they are opened, Excel macros require the user to enable them, so they are less effective. Even so, users are instructed to enable the macros using a variety of social engineering techniques, and the attacks still succeed.
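The double-extension trick in the first campaign and the macro-capable spreadsheets in the second can both be caught at the mail gateway by examining attachment names rather than trusting what Explorer displays. The following Python is an added example written for this page, not code from either campaign or from any TitanHQ product. The extension lists and verdict strings are assumptions for illustration, the sample message is constructed to mirror the "Your new photo?" lure, and the base64 attachment body decodes to the harmless text "// placeholder".

```python
"""Flag attachments whose real type is hidden behind a decoy extension.

Added example; the policy lists below are assumptions, not a vendor default.
"""
from email import message_from_bytes, policy
from pathlib import PurePosixPath
from typing import List, Tuple

# Extensions that execute as soon as a user double-clicks them (Windows Script
# Host, cmd.exe, PowerShell, or the PE loader). Assumed block list.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".exe", ".scr", ".pif", ".lnk"}
# Office formats that can carry VBA or Excel 4.0 (XLM) macros. Assumed list.
MACRO_EXTS = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm"}
# Harmless-looking types attackers put in front of the real extension.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".xls"}


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled (the default): the final extension is dropped."""
    p = PurePosixPath(filename)
    return p.name[: -len(p.suffix)] if p.suffix else p.name


def classify_attachment(filename: str) -> str:
    """Return an assumed verdict string for one attachment filename."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "allow"
    final = suffixes[-1]
    decoy = suffixes[-2] if len(suffixes) > 1 else None
    if final in SCRIPT_EXTS:
        if decoy in DECOY_EXTS:
            return "block:script-double-extension"
        return "block:script"
    if final in MACRO_EXTS:
        return "quarantine:macro-capable"
    return "allow"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


# Constructed sample modelled on the "Your new photo?" lure; the attachment
# body decodes to the text "// placeholder" and does nothing.
SAMPLE_EMAIL = b"".join(line + b"\r\n" for line in [
    b"From: Anna <anna@example.net>",
    b"To: victim@example.com",
    b"Subject: Your new photo?",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b";)",
    b"--b1",
    b'Content-Type: application/octet-stream; name="IMG123101.jpg.js"',
    b'Content-Disposition: attachment; filename="IMG123101.jpg.js"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"Ly8gcGxhY2Vob2xkZXI=",
    b"--b1--",
])

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{name!r} shown as {displayed_name(name)!r}: {verdict}")
```

The verdict is taken from the last extension only, which is the one Windows uses to pick the handler; the decoy in front of it is just evidence of intent and bumps the verdict from a generic script block to an explicit double-extension block. Run against the sample, the scanner reports `IMG123101.jpg.js`, which Explorer would show as `IMG123101.jpg`, as a blocked script.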

Avaddon ransomware searches for a variety of file types, encrypts them, and adds the .avdn extension. A ransom note is dropped containing a link to a Tor site along with a unique ID that allows the victim to log in and pay the ransom for the keys to unlock the encrypted files. There is no free decryptor for Avaddon ransomware. File recovery is only possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

Many different subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a 😉 emoji in the body of the email. The tactic is simple, yet effective.

There are many steps that companies can take to stop Avaddon and other email-based ransomware attacks. Security awareness training should raise awareness of the threat, teach staff how to recognize phishing and malspam, and condition them to report suspicious emails to the security team. If possible, macros should be disabled on all end user devices, although the attachment types used change frequently, so disabling macros will not always prevent infection.

One of the strongest defenses against email threats such as phishing, malware and ransomware is a powerful anti-spam solution like SpamTitan. SpamTitan can work as a standalone anti-spam solution or as an extra layer of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) to prevent zero-day phishing and malware threats.

For more details on protecting your organization from ransomware and other email threats, give the TitanHQ team a call now.

Phishers Leverage Google Cloud Services to Steal Office 365 Credentials

A new phishing campaign has been discovered that leverages Google Cloud Services to trick victims into handing over their Office 365 login details. The campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.

The attack begins like most phishing attacks: an email containing a hyperlink is sent to the recipient, who is asked to click it. If the user clicks the link, they are taken to Google Drive, where a PDF file has been uploaded. When the file is opened, the user is asked to click a hyperlink in the document, which appears to be an invitation to open a file hosted on SharePoint Online.

The PDF asks the victim to follow the link and sign in with their Office 365 account. Clicking the link takes the user to a landing page hosted on Google's storage.googleapis.com. On that landing page, the user is shown an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they are redirected to a legitimate PDF whitepaper taken from a well-known global consulting company.

The campaign has been designed to make it look like the victim is simply being taken to a PDF file shared via SharePoint, and the real PDF is displayed after the victim has entered their credentials, so the victim may never realize that their Office 365 credentials have been phished. The only sign that this is a scam is in the source code of the phishing page, which even tech-savvy users would be unlikely to check.

The campaign was discovered by researchers at Check Point, but it is just one of many similar campaigns identified over the past few months. Because these domains are legitimate and have valid SSL certificates, the pages are difficult to detect as malicious. This campaign used Google Cloud Services, but several other campaigns have been detected that use IBM Cloud, Microsoft Azure and other platforms to add authenticity.

This campaign emphasizes the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even links to legitimate domains. An advanced email security solution should also be in place to block malicious emails and ensure the majority of them never reach inboxes. That is an area where TitanHQ can help.

Hackers Leveraging Inactive Domains to Attack Web Users

Hackers have started using a new tactic to spread malware and conduct phishing attacks on unsuspecting internet users: hijacking expired domains and using them to send visitors to malicious websites in a form of malvertising.

Malvertising is the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks to increase revenue from their sites. Most of these adverts are genuine and take users to a legitimate website, but attackers can sneak malicious code into them. Clicking the advert sends the user to a website hosting an exploit kit or a phishing form. In some cases, 'drive-by' malware downloads occur without any user interaction, simply because the web content loads on a vulnerable device.

The new tactic leverages domains that have expired and are no longer active. These websites may still be listed in search engine results pages for key search terms. When a user runs a search and clicks the link, or follows a bookmark to a previously visited website, they arrive at a landing page explaining that the website is no longer active. Often that page includes a series of links directing the visitor to related websites.

Expired domains are frequently put up for sale. They are attractive to buyers because there may already be many existing links to the site, which is better than starting a brand-new website from scratch. These expired domains are sold to the highest bidder. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed domains and have added links that send visitors to malicious websites.

When a visitor lands on such a site, instead of seeing the auction stub they are redirected to a malicious website. The study looked at almost 1,000 domains listed for sale on a popular auction site that sent visitors to more than 2,500 unwanted URLs. In most cases the URLs were ad-related pages, but 11% were malicious, most of them used to spread the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user's device. Several of the sites hosted malicious code directly rather than redirecting the visitor elsewhere.

These domains were once genuine websites but are now being used for malicious purposes, which makes the threat hard to block. In some cases, the sites display different content depending on the user's location and whether they are connecting through a VPN. These websites change content frequently, but they are indexed and categorized, and if found to be malicious they are added to real-time block lists (RBLs).

A web filtering solution like WebTitan adds protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, the user is directed to a local block page instead, neutralizing the threat. WebTitan can also be configured to block downloads of risky file types from these web pages.

Many organizations have firewalls in place to prevent direct attacks, antivirus software to block malware, and an anti-spam solution to block attacks via email, but web-based threats are often not effectively addressed, leaving a gap in their defenses. WebTitan allows organizations to plug that gap and control the websites that staff can access.

For more information on WebTitan and web filtering, contact TitanHQ.

Beware of New Netflix Phishing Scam

Any widely used platform is a lucrative target for cybercriminals, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not appear to be a prime target for phishers, a successful attack can give scammers access to credit card and banking details.

Netflix phishing scams are common, so it is not unusual to see yet another one launched, but one of the most recent uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it makes it harder for automated security solutions to reach the phishing page and identify its malicious intent.

This Netflix phishing scam starts with an email like many Netflix scams before it. The emails appear to have been sent by the Netflix customer support team and advise the recipient that there has been a problem billing the most recent monthly payment and that, as a result, the subscription will be suspended within a day.

The Netflix user is given a link to click and told they need to update the information on file. The emails also include links to unsubscribe and amend communication preferences, although these do not work.

As with most phishing scams, there is urgency and a threat: update your details within 24 hours or you will lose access to the service. Clicking the link takes the user to a fully functioning CAPTCHA page, where they must complete the normal CAPTCHA checks to verify they are not a bot. Once the CAPTCHA is passed, the user is taken to a hijacked domain where they are presented with a copy of the standard Netflix sign-in page.

After logging in, they are asked to enter their billing address, full name and date of birth, and then, on a second page, their card number, expiry date and CVV code, with optional fields for their bank sort code, account number and bank name. If those details are provided, they are told that their information has been verified and they are redirected to the genuine Netflix site, most likely unaware that they have just handed highly sensitive information to the phishers.

Many Netflix phishing emails have been captured over the past few months claiming accounts have been put on hold due to payment problems. The emails are realistic and very closely resemble the emails Netflix regularly sends to account holders. They include the Netflix logo and correct color scheme, and direct recipients to authentic-looking login pages.

What all of these emails have in common is that they link to a domain other than Netflix.com. If you receive an email that appears to be from Netflix, especially one containing a warning or threat, log in by typing the real domain into the address bar and always make sure you are on the correct website before entering any sensitive details.

Trickbot/Qakbot Malware Campaign Signals Resumption of Emotet Botnet Activity

Emotet was the most dangerous malware botnet of 2018 and 2019, but it went quiet on February 7, 2020. It has now reappeared and is being used to distribute Trojan malware.

The botnet was spotted on July 17 sending a malicious spam campaign of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The campaign has since grown to around 250,000 emails a day and is now worldwide.

The Emotet botnet is a network of computers infected with Emotet malware; there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted via the attackers' command and control (C2) servers and sent instructions to send out spam emails distributing Emotet malware.

Once the malware is installed, the infected computer is added to the botnet and used to send spam emails. Emotet infections can also spread laterally within an organization, so when an investigation is launched after Emotet is detected, it is common to find the malware installed on other computers.

What makes Emotet so dangerous is that the botnet operators partner with other threat groups and deliver other strains of malware. Emotet has distributed a range of malware variants since it first appeared in 2014, but recently the payload of choice has been the TrickBot Trojan. TrickBot is a banking Trojan and information stealer that also acts as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot partner with other malware developers, notably the operators of Ryuk ransomware. Once TrickBot has stolen data, the baton is passed to Ryuk, which also steals data before encrypting files on the network. The new Emotet campaign began by distributing TrickBot, although the payload has since changed to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload; in the past this has often been ProLock.

Emotet emails use a range of lures to get recipients to click links to malicious websites or open infected attachments. Emotet targets companies, so the lures are business related, such as fake shipping notices, invoices, purchase orders, receipts and job applications. The emails are typically personalized, and the threat actors are known to hijack existing email threads and send replies with malicious documents attached.

An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.

Fortunately, Emotet is distributed by email, which gives companies the chance to stop infections. By deploying an advanced spam filter such as SpamTitan, which uses sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and prevent infections.


TitanHQ Upgrades to New ArcTitan Email Archiving Systems

TitanHQ has announced that the ArcTitan cloud email archiving service has benefited from a major upgrade which will greatly enhance performance and reliability. Customers in the EU and US are in the process of being migrated to the new email archiving systems and are being contacted to transfer their accounts to the new infrastructure.

The transfer process has been made as simple as possible for existing customers. TitanHQ will be in touch to provide details of the new ArcTitan account and will talk customers through reconfiguring their connector/mail server to point to the new server. Once the change has been made, all new emails will be sent to the account on the new server. TitanHQ will then verify mail flow and the original account will be closed off to new emails.

During the transition, customers may still need to access emails archived through the old account. Searches can still be performed, and historical mail can be searched and accessed as and when required. The next step involves transferring the old archive onto the new infrastructure. When TitanHQ completes the migration, the customer will be contacted and asked to verify that the archive has been transferred. Once verified, TitanHQ will delete the old account and the archived emails and customers will be able to access their full archive on the new server.

The new email archiving system uses a high availability architecture that is self-maintaining and self-healing, with improved scalability, so that archiving takes place with minimal effort and zero downtime.

The new and improved ArcTitan email archiving service is delivered on a high availability Kubernetes platform, with multiple components working together. Each component is independently available, so should any component go down, due to an outage for example, the other components remain available. The failed component is taken offline and automatically repaired without affecting the others.

Archive searches and email recovery are lightning fast, as with the old system. Each email receives a unique identifier for its entire lifespan and is fully indexed, including message headers, subject line, body, sender/recipient, and attachments. Customers can search millions of emails in seconds. ArcTitan indexes are distributed across multiple Apache Solr instances, and raw email data is encrypted and stored in replicated persistent storage on Ceph storage clusters, with automated replication and failover.

A high availability Percona XtraDB MySQL cluster is deployed within Kubernetes to handle all database operations, and ArcTitan uses tiered storage on Amazon S3 for reliability, redundancy, and scalability. ArcTitan customers will also benefit from a new, intuitive GUI.


We are sure you will be happy with the changes and improved performance and reliability of the new ArcTitan email archiving system.  If you have any questions about the migration to the new ArcTitan systems, give the customer service team a call and they will be happy to answer your questions about the new system and the planned migration.

Preventing Cyberattacks for Managed Services Providers

Managed Service Providers (MSPs) are a lucrative target for hackers. If a threat actor can gain access to an MSP's network, they can use the same remote management tools the MSP uses to carry out attacks on the MSP's clients.

Many businesses are turning to MSPs for IT support and management services. This is typically the most cost-effective option, especially for firms that lack the in-house IT expertise to manage their networks, applications, and security. An MSP typically provides IT management services for many different firms, so a successful cyberattack on the MSP can give a threat actor access to the networks of all of the MSP's clients, which makes such attacks extremely worthwhile.

There was a marked rise in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched vulnerabilities.

Once access has been gained to an MSP's network, attackers look for remote management tools such as Webroot SecureAnywhere and ConnectWise, which the MSP uses to access its clients' networks to deliver IT services. Several 2019 ransomware attacks on MSPs used these tools to access clients' networks and deploy ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019, and ransomware was deployed on their own and their clients' systems.

Kyle Hanslovan, CEO of Huntress Labs, told ZDNet in a recent interview that his company had provided support to 63 MSPs that were attacked in 2019, but believes the total number of attacks was likely more than 100. The true number of MSPs attacked is likely to be higher still, as many cyberattacks on MSPs are probably never detected.

The attacks show no sign of dropping off. The U.S. Secret Service recently issued a TLP:GREEN alert warning MSPs of a rise in targeted cyberattacks. Compromised MSPs have been used to carry out business email compromise (BEC) attacks to get payments sent to attacker-controlled accounts, to attack point-of-sale (POS) systems with malware that intercepts and exfiltrates credit card data, and to conduct several successful ransomware attacks.

Along with financially motivated hackers, nation state-sponsored groups have also been attacking MSPs, notably groups linked to China. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert about the threat to MSPs from state-sponsored hacking groups in October 2019.

There are many best practices MSPs can implement to improve security and prevent these attacks. MSPs may currently be extremely busy helping clients deal with IT issues linked to the COVID-19 pandemic, but given the rise in targeted attacks on MSPs, time should be spent improving their own security, not just their clients'.

The U.S. Secret Service advises MSPs to keep up to date with patching, especially patches for any remote administration tools they use. ConnectWise issued a security advisory last month and patched a vulnerability in ConnectWise Automate. The API vulnerability could be exploited remotely by a threat actor to execute commands and/or make modifications within an individual Automate instance. Vulnerabilities such as these are actively sought by hackers.

The principle of least privilege should be applied to access to resources, to limit the damage in the event of a breach. Well-defined security controls that comply with industry standards should also be in place.

Annual data audits should be completed, along with regular scans to identify malware that may have been installed on systems. Logging should be enabled and logs regularly reviewed to spot potentially malicious activity. MSPs should also ensure that their employees receive ongoing security awareness training covering cybersecurity best practices and how to spot phishing and BEC scams.

Banking Credentials Targeted in iCalendar Phishing Scam

A new phishing campaign has been discovered that uses calendar invites to steal banking and email credentials. The messages carry an iCalendar (.ics) email attachment, which may catch employees out, as this file type is rarely used in phishing and is therefore unlikely to have been covered in security awareness training.

iCalendar files are used to store scheduling and calendaring information, including tasks and events. In this campaign, the messages have the subject line “Fault Detection from Message Center” and are sent from a legitimate email account that the attackers compromised in an earlier campaign.

Because the email comes from a real account rather than a spoofed one, the messages pass checks such as SPF, DKIM, and DMARC. Those checks identify impersonation attacks in which the sender spoofs another domain: SPF and DKIM verify that the sending server is authorized to send mail for the domain, or that the message carries a valid signature from the domain, and DMARC checks that the authenticated domain aligns with the visible From address. None of them can flag a message sent from a genuinely compromised account through that domain's own mail server.
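To see why a compromised mailbox sails through these checks, it helps to walk through what SPF and DMARC alignment actually evaluate. The following Python is an added example for this page, not part of the campaign write-up or of any product. It implements only the ip4, ip6 and all SPF mechanisms (include, a, mx and redirect need DNS lookups and are reported as a permanent error here), approximates the DMARC organizational domain as the last two labels, and uses RFC 5737 documentation addresses and the reserved .example TLD for the constructed records; bank.example, bank-example.com and the IP ranges are assumptions, not real infrastructure.

```python
"""Minimal SPF evaluation and DMARC identifier alignment. Added example."""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP (RFC 7208, subset).

    Only ip4, ip6 and all are implemented; anything needing a DNS lookup
    returns 'permerror' so the caller knows the answer is incomplete.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # include/a/mx/exists/redirect: not evaluated offline
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' mechanism present


def org_domain(domain: str) -> str:
    """Approximate the DMARC organizational domain as the last two labels.
    Assumption: a real implementation consults the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned(header_from: str, authenticated: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    if strict:
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)


def dmarc_pass_via_spf(spf_record, client_ip, mail_from_domain, header_from, strict=False):
    """DMARC passes on the SPF leg only if SPF passes *and* the MAIL FROM
    domain aligns with the visible From header."""
    return (spf_check(spf_record, client_ip) == "pass"
            and dmarc_aligned(header_from, mail_from_domain, strict))


# Constructed scenario: bank.example publishes this record and its outbound
# relay lives in 203.0.113.0/24 (RFC 5737 documentation space).
BANK_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
ATTACKER_SPF = "v=spf1 ip4:198.51.100.0/24 -all"  # attacker's own look-alike domain

SCENARIOS = {
    # 1. classic spoof: attacker's server sends with MAIL FROM bank.example
    "spoof": dmarc_pass_via_spf(BANK_SPF, "198.51.100.7", "bank.example", "bank.example"),
    # 2. look-alike domain with its own valid SPF: authenticates, but does not align
    "lookalike": dmarc_pass_via_spf(ATTACKER_SPF, "198.51.100.7", "bank-example.com", "bank.example"),
    # 3. compromised mailbox at the bank sending through the bank's own relay
    "compromised": dmarc_pass_via_spf(BANK_SPF, "203.0.113.25", "bank.example", "bank.example"),
}

if __name__ == "__main__":
    for name, ok in SCENARIOS.items():
        print(f"{name:12s} DMARC(SPF) {'pass' if ok else 'fail'}")
```

The three scenarios show the boundary of sender authentication: the plain spoof fails SPF, the look-alike domain passes SPF but fails alignment, and the compromised account passes both because, from the receiving server's point of view, it is indistinguishable from legitimate mail. Content and link analysis, not authentication results, are what catch the third case.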

As with most phishing campaigns, the hackers use fear and urgency to get users to click without thinking about the legitimacy of the request. On this occasion, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been marked as suspicious. This campaign is aimed at mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is clicked on, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is visited, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have authentic SSL certificates, so they may not be marked as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the actual bank website.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. Any information entered is captured by the attacker and used to gain access to the accounts. To make the request appear authentic, the user is redirected to the legitimate Wells Fargo website once the information has been handed over.

There are warning signs that the request is not authentic, which security-conscious users should be able to identify. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website is suspect, and the request to only open the file on a mobile device is not explained. The phishing website also requests a lot of information, including an email address and password, which is not relevant to a bank.

These flags should be enough to alert most users that the request is not real, but any phishing email that bypasses spam filtering defenses and reaches inboxes is a danger.

Returning Office Workers Targeted by Phishing Scam

A new phishing campaign has been discovered that targets remote workers who will soon be going back to their place of work. The campaign emails claim to include information on coronavirus training. The campaign is one of the most genuine-looking phishing scams seen in recent weeks, as it is plausible that returning to the office after lockdown would involve some changes to workplace procedures to ensure workers are safe.

This campaign focuses on Microsoft Office 365 users and tries to steal users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are precise and to the point.

They state: “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to use to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Visiting the link will direct the user to a malicious website where they are asked to enter their Office 365 credentials.

This campaign, like many others seen over the past few weeks, closely follows world events. At the start of the pandemic, when there was little data available about COVID-19, phishers were offering new information about COVID-19 and the novel coronavirus. As more countries were impacted and cases were increasing, information was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have been amended once again.

Campaigns have been discovered in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections, warning users that they need to buy a COVID-19 test. Another campaign targeted parents who are suffering financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been seen about free school dinners over the summer, now that the UK government has said that it will be supplying support to parents.

There have been many campaigns that have taken advantage of the popularity of the Black Lives Matter movement in the aftermath of the death of George Floyd. One such campaign asked recipients of the email to register their opinions about Black Lives Matter and submit a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly show is the fluid nature of phishing, with lures regularly changed to reflect global events and maximize the chance of the emails being opened. They show that users must remain on their guard, be alert to the threat from phishing, always take time to consider the legitimacy of any request, and conduct a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be given to employees regularly.

Of course, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is crucial to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to spot new phishing scams, along with measures to detect previously unseen malware variants. As an extra layer of protection, you should consider implementing a web filtering solution such as WebTitan that supplies time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware installations. In tandem with security awareness training, these solutions will help you to mount a strong defense against phishing attacks.

Black Lives Matter Malspam Campaign Conducted by TrickBot Malware Operators

As the COVID-19 pandemic has clearly indicated, hackers are quick to adapt their phishing and malware campaigns in response to global and local happenings. New lures are quickly developed to maximize the probability of success.

In the initial stages of the pandemic, when very little knowledge was available regarding SARS-CoV-2 and COVID-19, there was huge public worry and hackers used this to their own advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly amend their lures in response to newsworthy events to increase the probability of emails and attachments being clicked on. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus began to spread globally and there was a huge craving for knowledge about the virus and local clusters.

It is therefore no shock to see the TrickBot operators adopt a new lure linked to Black Lives Matter. There were huge protests in the United States after the death of George Floyd at the hands of a police officer, and those protests have spread around the world. In many countries the headlines have featured stories about Black Lives Matter protests and counter protests, and the public mood has presented another possibility for the gang.

The most recent TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been designed to appeal to individuals both for and against the protests. The emails include a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are possible.

The emails ask the user to open and complete the form in the document to file their anonymous feedback. The Word document contains a macro which users are requested to turn on to allow their feedback to be provided. Doing so triggers the macro, which drops a malicious DLL, which in turn installs the TrickBot Trojan.

TrickBot is mainly a banking Trojan but is modular and frequently updated with new functions. The malware gathers a range of sensitive information, can exfiltrate files, can move laterally, and can also install other malware variants. TrickBot has been widely used to install Ryuk ransomware as a secondary payload once the TrickBot gang has achieved its main objective.

The lures used in phishing and malspam emails frequently change, but the malspam emails distribute the same threats. Security awareness training can assist in enhancing resilience against phishing threats by teaching employees how to treat unsolicited emails. Making employees aware of the latest tactics, techniques, and procedures, including the social engineering tricks being used to spread malware, will help them to spot threats that land in their inboxes.

No matter what trick is used to get users to click, the best security measure against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are spotted as such and are blocked and never land in end users’ inboxes. That is an area where TitanHQ can be of assistance.

SpamTitan Cloud is a strong email security solution that provides protection against email-based attacks. Dual antivirus engines block known malware threats, while predictive technologies and sandboxing supply protection against zero-day malware and phishing attacks. No matter what email system you deploy, SpamTitan adds a vital extra layer of security to block threats before they land in inboxes.

For additional information on how you can enhance protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call now.

Rockingham School District Emotet Malware Infection Cost $314,000 to Address

In November 2018 the Rockingham school district in North Carolina suffered an Emotet malware infection that cost a massive $314,000 to resolve.

The malware was first noticed being delivered using spam emails, which were sent to multiple users’ inboxes. The attack included an often-used ploy by hackers to get users to install malware.

The emails appeared to have been broadcast by the anti-virus supplier used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice sent as an attachment. The emails were believable and looked like many other legitimate emails received on a daily basis.

The emails requested that the recipient open and check the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s device.

Not long after those emails were received and opened, staff started to experience problems. Internet access seemed to have been disabled for some users. Reports from Google saying email accounts had been disabled due to spamming started to be received. The school district looked into the issue and discovered several devices and servers had been infected with malware.

Emotet malware is a network worm that can spread itself across a network. An infection on one machine will result in the malware being sent to other vulnerable devices. The worm drops a type of banking malware on infected devices that is used to steal victims’ credentials, including online banking details.

Emotet is a very advanced malware variant that is difficult to spot and hard to address. The Rockingham school district discovered just how troublesome Emotet malware infections can be when attempts were made to remove the worm. The school district was able to successfully clean some infected machines by reimaging the devices; however, the malware simply re-infected those devices.

Addressing the attack required assistance from security experts. 10 ProLogic ITS engineers spent approximately 1,200 hours on site reimaging machines. 12 servers and around 3,000 endpoints had to be reimaged to remove the malware and stop reinfection. The cost of the cleanup ran to $314,000.

Attacks such as this are far from unusual. Cybercriminals exploit a wide range of vulnerabilities to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness among staff members. Malware can similarly be downloaded by exploiting unpatched flaws in software, or through drive-by downloads over the Internet.

To safeguard against Emotet malware and other viruses and worms, layered defenses are necessary. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can detect unusual user behavior, antivirus solutions can potentially discover and stop infections, and web filters can block web-based attacks and drive-by installations. End users are the last line of defense and should therefore be shown how to recognize malicious emails and websites.

Only a combination of these and other cybersecurity measures can keep organizations safe.

TitanHQ Secures Investment from UK Private Equity Firm Livingbridge

TitanHQ has announced that the company has secured investment from Livingbridge, one of the UK’s leading mid-market private equity firms. Livingbridge has offices in the UK, the US and Australia and invests in companies with a value of up to £200 million.

Livingbridge has been investing in firms for two decades, during which time more than 150 companies have benefited from investment and have thrived with the injection of capital. Many of the firms Livingbridge has invested in have gone on to become household names.

TitanHQ similarly has a history spanning two decades. The company was formed as Copperfasten Technologies in 1999 in Galway, Ireland where the company is still based. The firm started life selling spam filtering appliances to companies in its native Ireland and has since grown into a truly global company with its solutions used by companies in 150 countries around the world.

TitanHQ has developed three SaaS-based solutions – SpamTitan Email Security, WebTitan Web Security, and ArcTitan for email archiving. These solutions have multiple deployment options, with the cloud-based deployments hugely popular. The solutions have been adopted by more than 8,500 businesses around the world and they have been incorporated into the security stacks of more than 2,500 managed service providers (MSPs).

TitanHQ now has an ARR of $15 million and is the leading provider of cloud-based security solutions to managed service providers serving the SMB market. TitanHQ has recorded impressive, consistent growth and as more companies have adopted WFH initiatives, its security solutions have been in even greater demand.

Livingbridge identified TitanHQ as an attractive target for investment, thanks to the company’s strong growth and proven track record for delivering powerful and popular SaaS solutions.

Livingbridge used its Enterprise 3 fund, which is set aside to invest in fast-growing companies up to the value of £50 million. The funds will be used to accelerate TitanHQ’s ambitious growth plans and will be used to increase investment in product development and people.

“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said Ronan Kavanagh, Chief Executive Officer of TitanHQ.

“We are delighted to be partnering with TitanHQ, a uniquely positioned business with a well-differentiated product portfolio operating in a fast-growing, attractive market that is benefiting from strong macro tailwinds,” said Nick Holder, Director at Livingbridge. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfil the company’s potential.”

Bill McCabe’s Oyster Technology Investments invested in TitanHQ at inception and will continue to maintain a significant stake in the business.

MVP GrowthFest: A Virtual MSP Event Featuring Magic Johnson and TitanHQ

The worldwide COVID-19 pandemic has forced businesses to make huge changes very quickly. Many managed service providers have shown resilience and met the challenge head on, showing that while we are now living in very uncertain times there are opportunities for expansion.

Efficient MSPs have not only adapted their business to ensure their survival, they have identified the opportunities, are gaining considerable growth momentum, and have shown it is possible to prosper in spite of a very challenging economy.

At MVP GrowthFest on June 23, 2020 you will be able to discover how successful MSPs are turning adversity into growth and profit, and will learn from an all-star line-up of Channel experts about the state of the Channel and what you must do to adapt to these challenging times. You will also be given guidance on the steps you can take now to ensure success, grow your business and prosper.

MVP GrowthFest is a 3-hour virtual event that will supply valuable insights and advice that can be used immediately to help you expand your business. The event is being headlined by a conversation with Earvin “Magic” Johnson Jr., the 3-time NBA MVP Award winner.

Matt Solomon, VP of Business Development at ID Agent, will be chatting to Magic Johnson, who will explain how he succeeded by overcoming obstacles during his lifetime, and how tenacity and commitment to the community were key to his success.

MVP GrowthFest will be celebrating the energy that powers growth and the drive to thrive during challenging times and, along with the interview, MSPs will hear from 15 Channel all-stars in four powerhouse panels.

TitanHQ is happy to announce that Sales Director Conor Madden will be leading the panel in the security session titled “Leading with Security through Education.” The key to selling products in your security stack is to inform your clients about the need for cybersecurity. Given that cyber actors have been attacking companies with increased vigor during the pandemic, positioning your security stack front and center is the sensible step.

TitanHQ can provide web and email security solutions that will not only keep you and your clients safe, they can be efficiently set up in your security stack and can be easily packaged. Plus, a very competitive price point means they are affordable solutions for your clients and generous margins will help you improve your bottom line.

Also attending the security powerhouse are:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Attendees will also get to hear from Channel leaders in three additional Powerhouse sessions that will provide invaluable advice on how to grow your business and boost profits during the current crisis.

Managing Through Change

Featuring:

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

Featuring:

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

Featuring:

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is mandatory.

Click Here to Book Your Virtual Place at MVP GrowthFest

MVP GrowthFest: A Must Attend Virtual MSP Event Featuring TitanHQ and Magic Johnson

The Channel has shown considerable strength and resilience during the COVID-19 pandemic. Managed service providers have adapted to a new way of working during lockdown and now that the economy is opening up once again are looking to increase growth and boost profits.

Many MSPs have already gained growth momentum and, despite the uncertain times, are managing to grow their business and succeed even with an extremely challenged economy. MVP GrowthFest will help you become one of the MSP success stories of the pandemic.

On June 23, 2020 at MVP GrowthFest you will hear from Channel All-Stars who will help you through these challenging times. They will provide insights into the current state of the channel, along with actionable advice that you can use to adjust your business to drive growth and succeed.

MVP GrowthFest celebrates the energy that powers growth and the drive to thrive during challenging times. The 3-hour virtual event is being headlined by none other than the 3-time NBA Most Valuable Player (MVP) Award winner, Earvin “Magic” Johnson Jr.

Magic Johnson will be interviewed by Matt Solomon, VP of Business Development at ID Agent, and will explain how he has overcome many challenges throughout his life, and how his success came through a combination of talent, tenacity, and commitment to the community.

MVP GrowthFest provides a great opportunity for learning through four powerhouse panels consisting of 15 Channel all-stars. The first powerhouse panel – Security – is led by TitanHQ Sales Director, Conor Madden. Conor will be explaining the importance of “Leading with Security through Education.” Selling security through education is essential and should be first and foremost in the modern-day MSP tech stack.

TitanHQ has developed MSP-friendly web and email security solutions that can be efficiently implemented into your security stack and packaged easily with your existing security offerings. These solutions are affordable for clients, will keep them well protected from the increasing number of threats that have emerged during the pandemic, and they are offered with generous margins to help boost MSP profits.

At the security powerhouse, attendees will also hear from:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Three further Powerhouse sessions will be taking place at MVP GrowthFest to give you important insights into how successful MSPs are succeeding during the pandemic.

Managing Through Change

Featuring:

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

Featuring:

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

Featuring:

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is required.

Click Here to Secure Your Place at MVP GrowthFest

Remote Workers Should Enhance Cybersecurity Now

As remote-working employees are being targeted by hackers, the time has never been better to enhance home-working cybersecurity measures.

The threat faced by companies that have quickly moved to a largely at-home workforce should not be underestimated. When most people were working in an office, within the protection of the corporate firewall, IT departments could keep hackers at bay. Any staff who were authorized to work from home could be given a laptop with security protections appropriate for the heightened level of risk.

Moving the complete workforce from the office to attics, basements, kitchens, and spare rooms in a very short space of time has meant shortcuts have had to be taken. Many SMBs have had to shift quickly and have not had enough time to provide additional training to their at-home workers. The laptop computers now being used by their employees have had to be supplied quickly and lack the security measures that would normally be expected. Some companies are even allowing personal computers to be used out of necessity. Hackers have been rubbing their hands with glee at the new targets and the ease with which they can attack companies.

Lockdowns are now being removed and people are being encouraged to go back to work, but additional increases in cases are likely as a result and with social distancing in the office problematic for many companies, many employees will still need to work from home. To minimize the risk of those employees falling for a phishing scam or inadvertently installing malware or ransomware, additional cybersecurity measures should be put in place.

You will more than likely have an email security solution to prevent the most common attack vector, but extra layers of security will greatly enhance your security posture, one of the most important of which is a web filtering solution. A web filter stops your staff from visiting malicious websites, such as those used for phishing or malware distribution. When an effort is made to view a malicious website – through a link in a phishing email, a web redirect, or general web browsing – instead of being allowed to view the website, employees will be directed to a local block page that explains the site cannot be viewed as it breached your internet usage policies.

A web filter can also be used to stop staff from using their work laptop for personal use by blocking websites by category, and as a measure to tackle shadow IT and stop unauthorized software downloads.

WebTitan Cloud will permit you to enhance cybersecurity for remote workers without requiring any software installations and can be set up and protecting your office staff and remote workers quickly.

Fake Supreme Court Summons to Obtain Office 365 Credentials Used in Phishing Campaign

A U.S. Supreme Court phishing campaign has been discovered that sends a fake subpoena to appear in court as a lure to obtain Office 365 details.

The emails are customized, are addressed to the victim, and claim to be a writ issued by the Supreme Court demanding that the recipient attend a hearing. This is a targeted campaign that attempts to obtain the credentials of high value targets such as C-suite users, rather than a scattergun approach.

The emails have a link that the recipient is asked to visit to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are asked to enter their Office 365 credentials to view the subpoena.

The domain used has not been seen before and, as such, it is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also deployed multiple redirects to hide the destination URL in another attempt to thwart anti-phishing defenses.

Before the user is directed to the phishing page, they are shown a CAPTCHA page. CAPTCHAs are used to prevent web visits by bots, but in this instance it may be used to add legitimacy to the phish and make the request appear authentic. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the name of the user, giving the scam an even more genuine feel. The CAPTCHA may also be an additional attempt to make it difficult for security solutions to review the destination URL, since an automated scanner cannot solve it.

This phishing campaign is realistic and uses urgency to trick the user to take action quickly, rather than stopping to think about the request. There are indications that this is a scam, such as the domain name which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling errors which would not be expected of any Supreme Court request.

However, because the sender name in the email was spoofed to make it look like it was sent by the “Supreme Court”, the request is certain to trick some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into sharing their login credentials.

Exchange Online protection (EOP), which is supplied by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.

To enhance protection against new phishing campaigns, an anti-spam solution is required that uses predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan leverages these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation campaigns.

SpamTitan can be placed on top of Microsoft’s Exchange Online Protection to serve as an extra layer in your email security defenses, ensuring that more malicious emails are blocked and never land in end users’ inboxes.

For additional information on SpamTitan and how the solution can keep your group’s inboxes free from phishing threats, give the TitanHQ team a call as soon as you can.

Spike in Cyberattacks on Remote Workers During Coronavirus Lockdown

In the United Kingdom, research published by Darktrace has indicated that the proportion of malicious email traffic targeting remote workers grew from 12% to 60% within six weeks.

The range of malicious emails being broadcast to remote workers has varied greatly. Hackers are using all manner of lures to get remote workers to click links and share their details or open malicious attachments and trigger malware installations. Financial fraud has also grown with BEC gangs using the COVID-19 pandemic to fraudulently steal funds from company accounts.

At the beginning of the pandemic when information about the virus was scarce, emails were being sent offering important advice about preventing infection along with fake news on cases. As the pandemic progressed and the effects started to be felt, hackers started sending fake requests for donations to charities to help individuals adversely affected by COVID-19. As governments put in place furlough schemes and set up funds to help the employed and self-employed, campaigns were carried out that linked to websites that claimed to offer grants, permit workers to choose to be furloughed, or request financial support.

Attacks have focused on the tools that are being used by remote workers to connect to their offices and communicate with co-workers, with the likes of Zoom, Skype, GoToMeeting, and other corporate messaging systems being spoofed to infect users with malware. File sharing platforms have similarly been spoofed to trick workers to share their credentials. Darktrace’s data shows there has been a huge increase in spoofing attacks during lockdown, increasing from around 25% of attacks before lockdown to 60%.

It is not just cybercrime groups that are conducting attacks. State-sponsored hacking groups have similarly been taking advantage of the pandemic to steal sensitive data, including the most recent COVID-19 research data on potential cures, vaccines, and treatments, to enhance the response efforts in their own countries.

What is not always clear from the news reports is how the increase in cyberattacks targeting remote workers has translated into genuine data breaches. Are these attacks working, or are companies managing to thwart the attacks and keep the cybercriminals at bay?

There is a time lag between intrusions being discovered, breaches being confirmed, and announcements being made, but it seems that many of these attacks are succeeding. In April, the International Association of IT Asset Managers released a warning that while a rise in data breaches was to be expected as a result of the pandemic, the number of incidents was actually far higher than anticipated. It is also obvious that ransomware attackers have increased their efforts to attack businesses. Even groups on the frontline in the fight against COVID-19 have not been immune.

Threat actors have focused on the opportunities offered by the pandemic. It is up to companies to make sure their security measures are sufficient to address attacks. Tackling cyberattacks on remote workers requires additional security measures to be put in place. One measure that is often overlooked but can greatly enhance protection is DNS filtering.

A DNS filter provides security against the web-based component of cyberattacks and is an important measure to implement to enhance defenses against phishing and malware. Even with strong email security defenses in place, some messages will land in inboxes. A DNS filter provides an extra tier of protection by preventing users from reaching the malicious websites linked in those emails.

When a malicious link is visited, a DNS query is issued and a DNS lookup is performed to find the IP address of the domain in the URL. DNS filtering ensures that the IP address is not returned if the domain is known to be malicious, so the browser never connects to the site. A DNS filter like WebTitan also permits IT teams to block malware installations, review internet activity, and carefully manage the types of websites their remote users can access on corporate devices.
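The following is an added example (not WebTitan or any TitanHQ code) of the filtering step described above: a minimal resolver that parses a DNS A query, checks the queried name and all of its parent domains against a blocklist, and returns NXDOMAIN for a blocked name instead of the address a plain lookup would give back. The blocklist, the stand-in upstream answers and the `.test` domain names are all constructed for the demo; nothing is looked up on the network.

```python
"""Minimal DNS filtering resolver logic (added example, not vendor code).

A blocked name gets a response with no address (RCODE 3, NXDOMAIN);
any other name is answered from a constructed in-memory upstream table.
"""
import struct

# Constructed blocklist: these domains and all of their subdomains are blocked.
BLOCKLIST = {"phish-example.test", "malware-download.test"}

# Constructed stand-in for the upstream resolver's answers (no network access).
# Note that the blocked host *does* have an address upstream: the filter is what
# stops the browser from ever learning it.
UPSTREAM = {
    "intranet.example.test": "192.0.2.10",
    "login.phish-example.test": "198.51.100.7",
}

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def is_blocked(name, blocklist=BLOCKLIST):
    """True if name or any parent domain is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_query(name, qid=0x1234):
    """Build a standard recursive A/IN query for name (QR=0, RD=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(msg, offset=12):
    """Read the uncompressed QNAME at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), offset


def handle_query(msg):
    """Filter one query: NXDOMAIN if blocked, else answer from UPSTREAM."""
    qid = struct.unpack("!H", msg[:2])[0]
    name, end = parse_qname(msg)
    question = msg[12:end + 4]          # QNAME + QTYPE + QCLASS, echoed back
    answer = b""
    if is_blocked(name) or name not in UPSTREAM:
        rcode = RCODE_NXDOMAIN          # no address returned for a blocked name
    else:
        rcode = RCODE_NOERROR
        ip = bytes(int(x) for x in UPSTREAM[name].split("."))
        # compression pointer to the QNAME at offset 12, type A, class IN, TTL 60, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ip
    flags = 0x8180 | rcode              # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def response_summary(msg):
    """Return (rcode, [A record IPs]) from a response built by handle_query."""
    flags, _qd, an = struct.unpack("!HHH", msg[2:8])
    _name, offset = parse_qname(msg)
    offset += 4                         # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        offset += 2                     # 2-byte name pointer used above
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, ips


if __name__ == "__main__":
    for host in ("intranet.example.test", "login.phish-example.test"):
        print(host, response_summary(handle_query(build_query(host))))
```

The blocked host resolves upstream but the filter answers NXDOMAIN, which is exactly why the user's browser shows a block or error page rather than the phishing site.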

If you have not yet put in place a DNS filtering solution and would like more advice on how it can secure against cyberattacks on remote workers, give the TitanHQ team a call now.

Benefits of a Third-Party Email Archiving Solution for Office 365

There are several reasons why a third-party email archiving solution for Office 365 is a wiser choice than using the email archiving function provided by Microsoft. Microsoft Office 365 is a superb productivity suite that combines many useful software programs into one convenient package, but one issue that is often raised is that the email archiving options provided are somewhat basic. Email archiving is available, but the features and capabilities of that service fall well below those of third-party email archiving solutions.

Email archiving is a legal requirement and essential for modern businesses. Email is part of the corporate record and messages must be retained and produced during compliance audits, when there are legal disputes as part of eDiscovery requests, and to help resolve HR issues. The failure to provide emails can prove very costly. Regulatory fines have been issued in cases where important emails have not been retained and legal disputes can be easily lost if an accurate email record is not maintained.

Email archiving is not just a checkbox item that must be implemented for compliance. The email archive will need to be accessed and used, which is where the more comprehensive features of a third-party email archiving solution are required.

Searching for emails in an Office 365 email archive can be a pain. The search function is OK, but the search mechanism is nowhere near as efficient as third-party email archiving solutions such as ArcTitan. One of the main benefits of an email archive is the ability to rapidly search and retrieve emails, so search efficiency is important. The default search limit is 250 results with Office 365, which doesn’t lend itself to large scale searching.

Emails often do not contain the information you need in the message body or headers. Data is often stored in email attachments, and this is an area where Office 365 email archiving comes up short. The advanced search functionality of third-party solutions can greatly reduce the time and effort required to find the emails you need. If you need to find data in email attachments, Microsoft will only search in around 50 attachment types and there are many other types of attachments that may contain the data you need.

There are also issues with licensing. With Office 365, licenses are paid per mailbox so when a user leaves the company you need to maintain the mailbox and its associated archive, which is tied to the life of the mailbox. That means continuing to pay for that user and purchasing an additional license for the replacement employee. Over time, that means the cost of the solution can mount significantly, even if your total number of employees remains the same. If like many businesses you need to retain emails for 7 years, during that time a lot of staff may leave the company. Over time the cost of Office 365 archiving is likely to be far higher than you would pay with a third-party solution.

Importing legacy emails into Office 365 archives can be a long-winded process, and exporting data from the archive can also be problematic. Third-party solutions such as ArcTitan allow you to import legacy emails rapidly and export email data in a wide variety of formats, so if you ever decide to change archiving provider, migrating away is simple.

ArcTitan supports comprehensive policy-based archiving, including message and attachment de-duplication for faster search and retrieval. You get customizable retention periods and policies for users, email content, and attachments, and lightning fast search and retrieval, with searches that can interrogate up to 30 million emails a second.

Office 365 is a great email solution, but there are disadvantages that are not found in solutions such as ArcTitan. It is a far better choice to opt for an archiving solution that has been developed by a company that specializes in email archiving, such as TitanHQ. You will get a much more comprehensive range of features that will save you time, effort, and money.

To find out more about ArcTitan, to discover how easy the solution is to configure and use and how much you can save over other solutions, give the TitanHQ team a call today. The team will be happy to schedule a product demonstration to show you the key benefits of the solution.

Popularity of Dating Apps During Lockdown Leads to Phishing Campaign

A phishing campaign that spreads a remote access trojan called Hupigon, a RAT that was first identified in 2010, is targeting higher education institutions in the United States.

The Hupigon RAT has previously been deployed by advanced persistent threat groups (APT) from China, although this campaign is not thought to have been operated by APT groups, instead the Hupigon RAT has been repurposed by hackers. While many industries have been targeted in the campaign, almost half of attacks have been conducted on colleges and universities.

The Hupigon RAT allows its operators to install additional malware, steal passwords, and access the microphone and webcam. An infection can give the attackers full control of the device.

The campaign uses online dating lures to trick users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is directed to select the one they find the most attractive. When the user makes their choice, they are brought to a website where an executable file is downloaded, which installs the Hupigon RAT.

The choice of lure for the campaign is no doubt influenced by the huge increase in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the world, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many single people, has actually led to a rise in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Many popular dating apps have reported a rise in use during the COVID-19 pandemic. For instance, Tinder reports use has grown, with the platform having its busiest ever day, with over 3 billion profiles swiped in just one day.

As we have already seen with COVID-19 themes in phishing attacks, which account for most lures during the pandemic, when there is interest in a particular event or news story, hackers will take advantage. With the popularity of dating apps surging, we can expect to see a rise in the number of online dating-themed lures.

The advice for higher education institutions and companies is to ensure that an advanced spam filtering solution is in place to prevent the malicious messages and ensure they do not land in end users’ inboxes. It is also crucial to ensure that security awareness training is still being conducted for staff, students, and remote employees to teach them how to spot the signs of phishing and other email threats.

TitanHQ can be of assistance. If you wish to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call as soon as you can. After registering, you can be protecting your inboxes in no time.

Benefits of an Email Archiving Service

In this post we will explain some of the important benefits of an email archiving service. If you are not currently archiving your email, we will explain how a small investment can actually save you a lot of money in the long run.

One of the most important reasons for setting up an email archive is to reduce the cost of long-term email storage. By sending a copy of your emails to an archive, you can significantly reduce mail server management costs. Businesses that use ArcTitan for email storage typically save up to 75% in email storage space, they eliminate the need for mailbox limits and significantly improve the performance of their mail servers. All emails sent and received by employees are automatically sent to the archive which means emails will never be lost or accidentally deleted.

All businesses need to comply with regulations concerning data storage, and an email archive will help to ensure compliance. Even if you are not in a regulated industry, it is still important to retain emails for legal purposes. An email archive is a tamperproof repository for all emails. In the event of a regulatory audit, eDiscovery request, or a customer dispute, you will be able to quickly find all relevant emails. It has been estimated that around 80% of U.S. companies are currently engaged in legal action. Email is part of the corporate record and emails must be produced in the event of legal action. You will also need to recover emails in any HR disputes. Email backups serve their purpose, but an email archive will ensure that all email can be recovered if disaster strikes, without any fear of data corruption.

One of the most important benefits of an email archiving service is fast message retrieval. If you need to recover emails from a backup, it could take days or even weeks to find the messages you need, as backups are not searchable. All emails sent to an archive are indexed, which means the archive can be searched and emails can be found and recovered in seconds, regardless of how many emails are in the archive and how long ago a message was sent.

With emails stored in a cloud archive, you will always have access to emails no matter where you are located. You can simply login to your archive using a web-based interface that can be accessed on any internet enabled device.

Creating an Email Archiving Policy

When you are creating your email archiving policy, there are two main approaches to take. The first is to set your policy for what types of emails need to be sent to the archive and then to leave it to your employees to follow that policy and archive all emails that need to be stored. The other option is to automate the process. While the first option will reduce the amount of storage space you need, it is a risky strategy. If an email that must be retained is not sent to the archive, the mistake could prove very costly if you are audited or receive an eDiscovery request and you cannot produce the email. The Financial Industry Regulatory Authority (FINRA) fined Scottrade $2.6 million in 2015 for failing to retain certain categories of outgoing emails.

The best approach to take is to set an email archiving policy and to automate the process. This will ensure that come what may, you will always be able to recover emails on demand. This option will require more storage space, but with ArcTitan, space is kept to a minimum. ArcTitan uses deduplication, which involves only storing one copy of a message. If you send an email to a distribution group internally, there is no need to store every copy of that message. ArcTitan will only store one copy of every unique message and all messages are compressed to further reduce storage space.

Whenever an email needs to be retrieved, ArcTitan performs lightning fast searches, and even allows you to quickly search inside common attachment types. Your employees can even access their archived emails through their mail client – Outlook for instance – which means they will not need to trouble your IT department when they accidentally delete an email from their inbox. A search can be performed, and the email can be retrieved instantly on demand.

Discover Why so Many Businesses are Using ArcTitan

TitanHQ has developed ArcTitan to make archiving emails an effortless process. ArcTitan works seamlessly with almost all corporate mail systems and ensures that all emails are stored securely in the cloud where they can be accessed on demand in seconds.

ArcTitan supports comprehensive policy-based archiving to ensure that you only store the emails that must be retained, and policies can be set to ensure that emails are securely deleted automatically at the end of the email retention period. ArcTitan gives you maximum flexibility and control, world class security, enterprise-grade resilience, and lightning fast retrieval of messages when you need them. Users benefit from an intuitive user interface and a significant range of features that are not present in the archiving offerings in Exchange and Office 365.

To find out more about ArcTitan and to schedule a product demonstration, give the TitanHQ team a call today and find out the difference ArcTitan can make to your business.

Surge in Skype and Zoom Phishing Attacks Focusing on Remote Employees

The lockdown put in place as a result of COVID-19 has forced employees to leave the office and work from home, with contact taking place over communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has led to an opportunity for cybercriminals, who are using fake alerts from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.

Many campaigns have been discovered that take advantage of the popularity of these platforms. One recently discovered campaign uses Skype branding to advise users that they have pending alerts. The emails are personalized, include the Skype username, and feature a review button for users to click to review their alerts. They closely resemble the genuine notifications Skype sends to users and, at first glance, appear to come from a legitimate sender address.

The link in the email takes the recipient to an HTTPS site with "Skype" in the domain name. Because the connection between the browser and the site is encrypted, the browser shows the padlock icon, exactly as it does on the genuine Skype domain; the padlock confirms only that the connection is encrypted, not that the site is legitimate. The page carries Skype branding and the logo of the targeted company and states that it has been set up for authorized use by employees of the business. The victim's username is pre-filled on the login page, so all that is needed is for a password to be entered.

This campaign was first noticed by Cofense, which received many reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.

A Zoom campaign has also been discovered that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many companies for use by employees to maintain contact during the lockdown. The platform has also been very popular with consumers and now has more than 300 million users.

In this campaign, Zoom meeting alerts are sent to targets. As is common with phishing campaigns, the hackers generate fear and urgency to get the targets to respond quickly without reviewing the messages. This campaign advises the recipients to login to a meeting with their HR department in relation to their job termination. Clicking the link will similarly bring users to a fake login page where they must enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was discovered by Abnormal Security, which reports that around 50,000 of these messages were sent to Office 365 accounts and bypassed EOP.

The phishing emails are believable, the webpages that users are brought to look genuine, and many people will be tricked by them. Security awareness training will help employees to question emails such as these, but given the number of messages that are bypassing Microsoft's EOP, businesses should also think about adding an additional layer of email security to their Office 365 accounts.

This is an area where TitanHQ can be of assistance. SpamTitan Cloud does not replace EOP for Office 365; it adds an extra layer of protection on top of it, including protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware-laced emails that would otherwise be delivered to Office 365 inboxes.

SpamTitan Cloud is quick and simple to set up and you can safeguard your Office 365 accounts very quickly. Since the solution is available on a free trial, you will be able to consider the difference it makes and see how many malicious messages it blocks before committing to buying it.

To find out more about improving your phishing defenses, give the TitanHQ team a call now.

Webinar: How to Double Protection for Remote Workers During the COVID-19 Pandemic

Are you worried about the cybersecurity risks associated with a largely at-home workforce? Want to find out how you can improve protection for your remote workers and block malware, ransomware and phishing attacks?

On Thursday May 21, 2020 TitanHQ is hosting a webinar to explain how you can easily double protection for your remote workers. This webinar is ideal for current SpamTitan customers, prospective customers, Managed Service Providers and small- to medium-sized enterprises.

During the webinar you’ll find out why it is so important to protect against both the email- and web-based components of cyberattacks and you will discover more about an important layer that can be added to cybersecurity defenses that is often lacking at many SMBs and small- to medium-sized enterprises.

During the webinar TitanHQ will discuss how cybercriminals are exploiting COVID-19 to conduct cyberattacks and how you can better protect the remote workers that are being targeted by cyber actors. You will also discover the WebTitan features and security layers for managing user security at multiple locations with a deep dive into the features and benefits of the latest version of WebTitan Security.

  • Most cyberattacks have an email and web-based component – Find out how WebTitan serves as a vital layer of security to block phishing attacks, malware and ransomware downloads.
  • Learn why WebTitan is the leading web security option for Managed Service Providers who serve the SMB and SME market.

Join TitanHQ for the webinar, which will be attended by:

  • Derek Higgins, Engineering Manager TitanHQ
  • Eddie Monaghan, Channel Manager TitanHQ
  • Marc Ludden, Strategic Alliance Manager TitanHQ
  • Kevin Hall, Senior Systems Engineer at Datapac

Webinar Details

Title:     Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan

Date:     Thursday, May 21, 2020

Time:    11:00-11:30 CDT

Click Here to Register for the Webinar

Damage Caused by University Cyberattacks Revealed in UK Study

UK think tank Parliament Street has produced a report that reveals the extent to which universities are being targeted by hackers and the sheer volume of spam and malicious emails that are sent to the inboxes of university staff and students.

Data related to malicious and spam email amounts was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.

Warwick University’s figures indicate that over 7.6 million spam emails were sent to the email accounts of staff and students in the last quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails including malware.

Bristol University faced a similar level of attention, with more than 7 million spam emails over the same period, 76,300 of which included malware. Data from the London School of Hygiene and Tropical Medicine showed that more than 6.3 million spam emails were registered during 2019, which included almost 99,000 phishing emails and over 73,500 malware attacks. In total, 12,773,735 spam and malicious emails were received across 2018 and 2019.

Data from Lancaster University showed that over 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as possible spam. The figures from Imperial College London were also worrisome, with almost 40 million emails intercepted during 2019.

Like attacks on businesses, cyberattacks on universities are usually conducted for financial gain. Attackers deliver malware and harvest credentials to gain access to university networks and exfiltrate data for sale on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be leveraged for identity theft and other types of fraud. Attacks are also conducted to deploy ransomware and extort money from universities.

Universities normally have high bandwidth to support tens of thousands of students and employees. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to run spear phishing attacks on other targets.

Nation state-backed advanced persistent threat (APT) groups are focusing on universities to gain access to intellectual property and research data. Universities carry out cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a massive competitive advantage.

Universities are viewed as relatively soft targets compared to groups of a similar size. Cybersecurity defenses tend to be far less advanced, and the large networks and number of devices used by staff and students make defending networks complicated.

With the amount of cyberattacks on universities increasing, leaders of higher education institutions need to implement measures to enhance cybersecurity and prevent the attacks from succeeding.

The majority of threats are sent over email, so advanced email security defenses are essential, and that is an area where TitanHQ can be of assistance.

Independent tests confirm that SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan uses dual anti-virus engines to block known threats, machine learning to spot new types of phishing attacks, and sandboxing to discover and block zero-day malware and ransomware threats. When email attachments get past initial tests, suspicious attachments are moved to the sandbox for in depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also uses SPF and DMARC controls to prevent email impersonation attacks, data loss prevention controls for outbound messages and controls to discover potential email account compromises.

If you wish to enhance cybersecurity defenses, begin by upgrading your email security defenses with SpamTitan. You may be surprised to learn how little investment is required to significantly improve your email security. To discover more, get in touch with TitanHQ now.

Module for Brute Force RDP Attacks Included in TrickBot Trojan

The TrickBot Trojan is a complex banking Trojan that was first identified in 2016. While the malware started out as an information stealer dedicated to harvesting online banking credentials, it has evolved massively over the past four years, and several modules have been added that provide a host of other malicious capabilities.

The TrickBot Trojan’s information stealing capabilities have been greatly enhanced. In addition to banking credentials, it will steal system and network data, email credentials, tax data, and intellectual property. TrickBot is capable of moving laterally and silently infecting other computers on the network using legitimate Windows utilities and the EternalRomance exploit for the SMBv1 vulnerability. The malware can plant a backdoor for persistent access. TrickBot also acts as a malware loader and will download other malicious payloads, such as Ryuk ransomware.

The Trojan is often updated and new variants are regularly made available. The Command and Control infrastructure is also constantly changing. According to a review by Bitdefender, more than 100 new IPs are added to its C&C infrastructure each month with each having a lifespan of around 16 days. The malware and its infrastructure are highly complex, and while steps have been taken to dismantle the operation, the hackers are managing to stay one step ahead.

TrickBot is primarily distributed by spam email sent through the Emotet botnet. Infection with Emotet leads to TrickBot being downloaded, and infection with TrickBot adds the computer to the Emotet botnet. Once all useful data has been harvested from an infected system, the baton is passed to the Ryuk ransomware operators, with a reverse shell opened to give them access to the network.

A recent analysis of a variant captured by Bitdefender on January 30, 2020 has shown that another method of distribution has been added to its arsenal. The Trojan now has a module for brute-forcing RDP. The brute force RDP attacks are mainly being carried out on organizations in the financial services, education, and telecom industries and are currently aimed at organizations in the United States and Hong Kong, although it is likely that the attacks will spread region-by-region over the coming weeks. The attacks are being conducted to steal intellectual property and financial data.

Since the TrickBot Trojan is modular, it can always be updated with new features, and the evolution of the malware so far, and its success, means it will remain a threat for some time to come. Thankfully, it is possible to prevent infections by practicing good cyber hygiene.

Spam is still the main method of delivery for both the Emotet Trojan and TrickBot so an advanced spam filter is vital. Since new variants are constantly being made available, signature-based detection methods alone are not enough. SpamTitan incorporates a Bitdefender-powered sandbox to analyze suspicious email attachments for malicious activity. This ensures the malicious activity of completely new malware variants is identified and the emails are quarantined before they can cause any damage.

If you do not need RDP, disable it. If you do, restrict access to it: do not expose port 3389 to the internet, and instead allow RDP only over a VPN or from an allowlisted set of addresses, with Network Level Authentication enabled. Enforce strong passwords and an account lockout policy that blocks further attempts after a set number of failures, monitor failed logon events for bursts from a single source, and require multi-factor authentication so that stolen or guessed credentials cannot be used on their own.
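The monitoring half of that advice, as an added example that is not part of the original post: detection logic run over a constructed set of Windows Security log events, counting failed logons (Event ID 4625) per source IP in a sliding window, distinguishing a single-account brute force from a password spray across many accounts, and flagging the case that matters most, a successful logon (Event ID 4624) from an address that has just generated a burst of failures. The line format, thresholds and sample addresses are assumptions for the example; the field names mirror those in the real event XML.

```python
"""Added example: spotting RDP brute force and password spraying in Windows
logon events. The log lines below are constructed; a real pipeline reads
Event IDs 4625 (failed logon) and 4624 (successful logon) from the Security
log, e.g. via a SIEM or Get-WinEvent, and the field names mirror the event XML.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# One event per line: timestamp, event id, then the fields we care about.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<eid>\d{4})\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)

# 10 = RemoteInteractive (classic RDP). With Network Level Authentication on,
# the failed CredSSP pre-auth is logged as LogonType 3 instead, so count both.
RDP_LOGON_TYPES = frozenset({10, 3})


@dataclass(frozen=True)
class Event:
    ts: datetime
    eid: int
    logon_type: int
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    ip: str
    kind: str        # "brute_force", "password_spray" or "success_after_failures"
    failures: int
    users: Tuple[str, ...]
    at: datetime


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, int(m["eid"]), int(m["lt"]), m["user"].lower(), m["ip"])


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Sliding-window count of failed RDP logons per source IP."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e.ts)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: set = set()
    alerts: List[Alert] = []
    for ev in events:
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue
        q = recent[ev.ip]
        while q and ev.ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ev.eid == 4625:
            q.append((ev.ts, ev.user))
            if len(q) >= threshold and ev.ip not in alerted:
                users = tuple(sorted({u for _, u in q}))
                kind = "brute_force" if len(users) == 1 else "password_spray"
                alerts.append(Alert(ev.ip, kind, len(q), users, ev.ts))
                alerted.add(ev.ip)
        elif ev.eid == 4624 and q:
            # A success right after a burst of failures means a guess landed.
            alerts.append(Alert(ev.ip, "success_after_failures", len(q), (ev.user,), ev.ts))
    return alerts


# Constructed sample: a spray from 203.0.113.5 that ends in a successful logon,
# a harmless pair of typos from 198.51.100.2, a console (LogonType 2) failure
# that is not RDP, and a single-account brute force from 203.0.113.77.
SAMPLE_LOG = """\
2020-03-20T10:00:01Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-03-20T10:00:03Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-03-20T10:00:04Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.5
2020-03-20T10:00:06Z 4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.5
2020-03-20T10:00:08Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-03-20T10:00:09Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-03-20T10:00:12Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-03-20T10:00:15Z 4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.2
2020-03-20T10:00:40Z 4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.2
2020-03-20T10:01:00Z 4625 LogonType=2 TargetUserName=Administrator IpAddress=-
2020-03-20T10:02:00Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2020-03-20T10:02:02Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2020-03-20T10:02:04Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2020-03-20T10:02:06Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2020-03-20T10:02:08Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.at:%H:%M:%S} {a.ip:14} {a.kind:24} failures={a.failures} users={','.join(a.users)}")
```

The threshold and window are the tuning knobs: a lockout policy of five attempts makes five failures in a minute a reasonable default, but a spray that rotates through accounts slowly enough to stay under the per-account lockout still shows up here because the count is keyed on the source address, not the username. A success-after-failures alert from an external address is the one to treat as an incident rather than a hygiene finding.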

For additional details on SpamTitan Email Security and to find out how you can enhance your defenses against email and web-based attacks, contact the TitanHQ team now.

 

COVID-19 Crisis Pandemic: Email Security & Home Working

The 2019 Novel Coronavirus pandemic has meant that many workers have had to self-isolate at home and an increasing number of employees wish to work from home to reduce risk of contracting COVID-19. Companies are under pressure to allow their workers to stay at home and use either company-issued or personal devices to log onto their networks and work remotely.

Cybercriminals are always changing their tactics, techniques, and procedures, and they have jumped at the opportunity served up by the Novel Coronavirus. People are wary, and rightly so. COVID-19 has a high mortality rate and the virus is spreading rapidly. People want information about cases in their local district, advice on how to safeguard themselves, and information about possible cures. Hackers have obliged and are conducting phishing campaigns that claim to offer all that information. Many campaigns from many different threat groups have now been discovered that attempt to obtain login credentials and spread malware. Since the start of January, when the first major campaigns were detected, the volume of coronavirus and COVID-19 emails has increased sharply.

Campaigns are being run impersonating different governmental and non-governmental bodies on the Novel Coronavirus and COVID-19, such as the World Health Organization (WHO), the U.S. Centers for Disease Control and Prevention (CDC), the U.S. Department of Health and Human Services, and other government agencies. COVID-19-themed emails are being shared with remote workers that spoof HR departments warning about cases that have been detected within the group. Health insurers are being spoofed in campaigns that include invoices for information on COVID-19.

Since January, more than 16,000 Coronavirus and COVID-19-themed domains have been registered, and many are being used to host phishing kits and distribute malware. Researchers at Check Point Software report that those domains are 50% more likely to be malicious than other domains registered over the same period.

Email security and home working will naturally be a major worry for IT teams given the sheer number of home workers due to the Coronavirus pandemic and the volume of attacks that are now being conducted focusing on home workers. With so many devices now connecting to networks remotely, if cybercriminals do obtain credentials, it will be much more difficult for IT teams to identify threat actors connecting remotely. Luckily, there are steps that can be taken to improve email security and home working need not majorly increase risk.

You should ensure that your employees can only connect to your network and cloud-based services through a VPN. Enterprise VPNs can be configured to force all traffic through the tunnel to reduce the potential for mistakes. Make sure that the VPN client starts automatically when the device is turned on.

It is vital that all remote workers are protected by a strong and effective email security solution. It is not possible to stop hackers targeting remote workers, but it is possible to prevent phishing and malware threats from reaching inboxes.

To safeguard your employees against phishing attacks and malware, an advanced email security solution is vital. If you use Office 365 for email, do not rely on the built-in Office 365 email security alone. You will need greater protection than Exchange Online Protection provides to safeguard against phishing, spear phishing, and zero-day threats.

SpamTitan has a number of different detection mechanisms to identify and block the full range of email threats. SpamTitan incorporates SPF and DMARC to put in place protection against email impersonation attacks, machine learning algorithms and predictive technology to safeguard from zero-day attacks, advanced phishing protection from whaling and spear phishing attacks by scanning inbound email in real-time, dual antivirus engines to prevent malware threats, and sandboxing for in depth analysis of suspicious attachments. SpamTitan also incorporates 6 specialist RBLs, supports whitelisting, blacklisting, and greylisting, and uses multiple threat intelligence feeds.
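The SPF control mentioned here, and in the university post's description of SpamTitan's SPF and DMARC controls above, rests on one check: is the IP address that delivered the message permitted by the policy the envelope-sender domain publishes in DNS? The following is an added example that is not part of the original post or of SpamTitan: a minimal SPF evaluator over a constructed in-memory DNS table (the domains `example.com`, `_spf.partner.example`, `loop.example` and `mail.example.com` and their records are made up for the demo). It implements the `ip4`, `ip6`, `a`, `include` and `all` mechanisms with their qualifiers and enforces the RFC 7208 limit of ten DNS lookups; `mx`, `ptr` and `exists` are left out.

```python
"""Added example: how an SPF check decides whether a sending IP may use a
domain in the envelope sender. The DNS data is a constructed in-memory table;
a real check looks up the TXT/A records live. Only the ip4, ip6, a, include
and all mechanisms are implemented (mx, ptr and exists are omitted), which is
enough to show the pass/fail logic and the 10-lookup limit from RFC 7208.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS: TXT records holding SPF policies, and A records.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}
DNS_A: Dict[str, List[str]] = {"mail.example.com": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_spf(client_ip: str, domain: str, _budget: Optional[dict] = None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror."""
    budget = _budget if _budget is not None else {"lookups": 0}
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech in ("a", "include"):
            budget["lookups"] += 1  # both mechanisms cost a DNS query
            if budget["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            if mech == "a":
                targets = DNS_A.get((arg or domain).lower(), [])
                if any(ip == ipaddress.ip_address(t) for t in targets):
                    return QUALIFIERS[qual]
            else:
                sub = check_spf(client_ip, arg, budget)
                if sub == "pass":
                    return QUALIFIERS[qual]
                if sub == "permerror":
                    return "permerror"
                # fail / softfail / neutral / none from an include do not match
        else:
            return "permerror"  # mechanism not supported by this example
    return "neutral"  # record ran out without an 'all'


def envelope_domain(mail_from: str) -> str:
    return mail_from.rsplit("@", 1)[-1].lower()


def spf_for_message(mail_from: str, client_ip: str) -> str:
    """The check a mail gateway runs at SMTP time on MAIL FROM and the peer IP."""
    return check_spf(client_ip, envelope_domain(mail_from))


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.25", "198.51.100.10", "2001:db8::1", "198.51.100.11"):
        print(ip, check_spf(ip, "example.com"))
```

Two points the code makes visible. An `include` that ends in `~all` does not make the outer record soft: a non-matching include simply falls through to the outer `-all`, so the partner's lenient policy cannot weaken `example.com`'s. And the lookup budget is what turns a self-referencing or over-long record into `permerror` rather than an unbounded chain of queries. SPF on its own checks only the envelope sender, which is why it is paired with DMARC to tie the result to the `From:` header the user actually sees.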

There is a higher risk of insider threats with remote workers. To supply protection and to prevent accidental policy breaches, SpamTitan has a data loss prevention filter to stop credit card numbers, Social Security numbers, and other data types from being sent over email.
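The detection logic behind such a DLP rule, as an added example that is not part of the original post or of SpamTitan. A bare regex over digit runs fires on order numbers and phone numbers, so the example validates each candidate before it counts: the Luhn checksum for payment card numbers and the Social Security Administration's allocation rules (no area 000, 666 or 900-999, no group 00, no serial 0000) for SSNs. The message body, the `Finding` type and the `[CARD ****1111]` masking format are constructed for the demo.

```python
"""Added example: the detection logic behind an outbound DLP rule for payment
card numbers and U.S. Social Security numbers. The message text is constructed.
A bare regex over digits fires on order numbers and phone numbers; validating
the candidate (Luhn checksum for cards, SSA allocation rules for SSNs) is what
keeps the false-positive rate tolerable.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# 13-16 digits, optionally separated by single spaces or hyphens, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str   # "card" or "ssn"
    value: str  # normalized digits
    span: Tuple[int, int]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("card", digits, m.span()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group().replace("-", ""), m.span()))
    return findings


def redact(text: str) -> str:
    """Mask each confirmed finding, keeping the last four digits for the audit log."""
    out = text
    # Replace from the end so earlier spans stay valid after each substitution.
    for f in sorted(scan(text), key=lambda f: f.span[0], reverse=True):
        start, end = f.span
        out = out[:start] + f"[{f.kind.upper()} ****{f.value[-4:]}]" + out[end:]
    return out


def should_block(text: str) -> bool:
    return bool(scan(text))


# Constructed outbound message body for the demo: one real-looking card number,
# one real-looking SSN, one card number with a bad checksum, one impossible SSN.
SAMPLE = (
    "Hi, please charge card 4111 1111 1111 1111 for the order. "
    "My SSN is 123-45-6789. Ref 4111-1111-1111-1112 is the old ticket, "
    "and 000-12-3456 is a case number, not an SSN. Call 555-0100."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print(redact(SAMPLE))
```

In production the same `scan` runs over attachments after text extraction, and the decision is usually policy-driven (block, quarantine for review, or encrypt) rather than a flat block. The checksum and allocation checks are cheap, and they are the difference between a rule people tolerate and one they ask to have switched off.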

No email security solution can 100% prevent all email threats from infiltrating your inbox, 100% of the time. It is therefore important to provide regular cybersecurity training to employees to make them knowledgeable of phishing threats, train them how to identify a phishing email or social engineering scam, and to condition remote employees how to react should a threat be received. Phishing simulation exercises are also helpful to see which employees require additional training and to identify possible gaps in training programs. IT security basic training refreshers should also be given to ensure employees know what can and cannot be completed with work devices.

Multi-factor authentication must be enabled on all applications and email accounts to limit the damage of a credential compromise. If credentials are stolen and used from a previously unknown location or an unfamiliar device, a second authentication factor must be supplied before access is granted. You should also disable macros on all user devices, unless a specific user needs them for work.

To discover more about how you can enhance email security for remote workers, give the TitanHQ team a call now. You can set up a demonstration to see SpamTitan in action and you can also register for a free trial to put SpamTitan to the test on your own network.

 

TitanHQ Presenting at Blackpoint Cyber’s Remote Reality LIVE

Blackpoint Cyber has unveiled its Remote Reality LIVE conference, which will take place over the Internet from April 8-9th.

The conference will offer managed service providers (MSPs) insights on how to stay secure, profitable, and resilient as the world shifts to remote operations during the COVID-19 pandemic; registration and attendance are free of charge. The two-day conference will include sessions by former leaders of the United States’ government cyber security and intelligence communities, along with cyber security experts and business veterans from the MSP services and technology sector.

Jon Murchison, Blackpoint’s CEO and founder and a former US government cyber operations expert, says of the conference’s objective: “IT services and infrastructure have become mission critical for organizations to survive in this new economic landscape brought on by COVID-19. MSPs are the key to our success and, especially during these times, a collective national asset to their respective countries. That’s why we are bringing together experienced government and industry leaders to help MSPs navigate the current economic and security environments. We’re excited to provide one of the first online and socially-distanced conferences dedicated to MSPs and cyber security.”

Blackpoint is working with leading technology, service, and marketing firms on the conference, including:

  • Datto: leading global supplier of cloud-based software and technology solutions purpose-built for MSPs
  • Webroot: Cybersecurity Solutions Purpose-Built for MSPs and SMBs
  • Convergint: Global, Service-based Systems Integrator
  • Marketopia: Lead Generation and Marketing for Technology Companies
  • ID Agent: Dark Web and Identity Theft Protection
  • TitanHQ: Email and DNS Security
  • Compliancy Group: HIPAA Compliance-as-a-Service
  • Atlantic Data Forensics: Premier Incident Response and Forensics
  • ProSource Technology Solutions: Leading Managed Service Provider
  • Corporate Office Properties Trust (COPT): Premier Real Estate Investment Trust

Michael Morell, former Deputy Director and Acting Director of the CIA, is giving the keynote session on the national security implications of the Coronavirus pandemic. While at the CIA, Mr. Morell was President George W. Bush’s daily intelligence briefer during the 9/11 attacks and was awarded the Distinguished Intelligence Medal, the CIA’s second highest honor.

Other expert speakers include: Bill Priestap, former FBI Assistant Director of Counterintelligence, Chris Inglis, Former Deputy Director of NSA, Dave Sears, retired Commander and Navy SEAL, and Kevin Donegan, former United States Navy Vice Admiral and previous commander of the US Navy’s 5th fleet out of Bahrain. Security and MSP sector leaders will also present informational sessions, such as lead generation in a virtual world, security in the MSP space, cyber security for commercial real estate, the threat landscape of remote workers, and more.

Matt Solomon, VP of Business Development & IT at ID Agent, said: “ID Agent is very excited to participate in one of the first virtual MSP events since in-person events have been taken off the schedule. MSPs still need education during this period and we are honored to be part of such an esteemed group of vendors.”

Along with learning how to stay safe and prosper, conference attendees will also be eligible for giveaways and prizes.

Participants may register here: Remote Reality Live – Free Registration

 

COVID-19 Crisis Remote Workers Security Awareness

The importance of security awareness training for remote workers has never been greater: more people are working from home now, during the COVID-19 pandemic, than ever before.

Sadly, remote workers are now being actively targeted by hackers who see them as an easy route into corporate networks to steal sensitive data and install malware and ransomware.

Companies may already have given staff security awareness training so that they are aware of the risks they are likely to encounter and know how to recognize and respond to threats. Working from home, however, introduces additional risks that may not have been covered in training designed for office workers. Training should also be conducted regularly and reinforced, which matters all the more for remote workers because risk grows when employees work remotely.

Better Security Awareness for Remote Workers Necessary as COVID-19 Crisis Worsens

Naturally, as an email security solution provider, we strongly advise using a strong email security solution and layered technical defenses to guard against phishing, but technical measures, while effective, will not stop all threats from reaching inboxes. It is easy to place too much reliance on technical controls for protecting email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will reach inboxes.

The importance and benefits of security awareness training have been highlighted by many studies. One benchmarking study by the security awareness training provider KnowBe4 found that 37.9% of employees fell for phishing tests when they had not received security awareness and social engineering training, a figure that had grown by 8.3% on the previous year. With security awareness training and phishing email simulations, the figure fell to 14.1% after 90 days.

During the COVID-19 pandemic, the amount of phishing emails being sent has grown significantly and campaigns are being conducted targeting remote workers. The focus of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to distribute malware and ransomware.

The number of staff now working from home, and the speed at which firms have had to transition from a largely office-based workforce to one that is almost entirely remote, may have meant that security awareness training for remote workers was postponed. However, with the lockdown likely to continue for several months and attacks on the rise, it is important to make sure that training is conducted as soon as possible.

More COVID-19 Domain Registrations and Rise in Web-Based Attacks

Security awareness training for remote workers should also cover internet security, as not all threats arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being created for drive-by malware downloads. At present, the vast majority of threats use COVID-19 and the novel coronavirus as bait to get remote workers to install malware or ransomware, or to part with their login credentials.

Unsurprisingly, hackers have stepped up web-based attacks, using a plethora of COVID-19 and coronavirus-themed domains. By the end of March, around 42,000 domains related to COVID-19 and coronavirus had been registered, and a review by Check Point Research found those domains were 50% more likely to be malicious than other domains registered over the same period.

It is important to raise awareness of the dangers of using corporate laptops for personal purposes such as general web browsing. Steps should also be taken to restrict the websites employees can access; at the very least, a solution should be implemented and configured to block access to known malicious websites used for phishing, fraud, and malware distribution.

Shadow IT is a Major Security Danger

When employees are office based and logged on to the network, identifying shadow IT (unauthorized software and hardware used by employees) is easier. Not only does shadow IT become harder to identify when employees work from home, the risk of unauthorized software being installed on corporate-issued devices also increases.

Unauthorized software installed on work computers carries a risk of malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility of unauthorized software on users’ devices, whether it is the most recent version, or whether it has been patched against known flaws. Shadow IT should be covered in security awareness training for remote workers, making it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without approval from the IT department.

The COVID-19 pandemic has seen many workers turn to teleconferencing software to communicate with the office, friends, and family; one of the most popular platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but come bundled with malware, including adware, Remote Access Trojans, and cryptocurrency miners.

How TitanHQ Can Help

Many security awareness training providers, such as the SANS Institute, have made resources available to businesses free of charge during the COVID-19 crisis to help them educate the workforce. Take advantage of these resources and share them with your workforce. If you are an SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.

TitanHQ can’t help you with your cybersecurity awareness training, but we can help by ensuring that employees have fewer threats to deal with, by protecting against email and web-based attacks.

SpamTitan is an advanced and powerful cloud-based email security solution that safeguards remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at source and stopping threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware and sandboxing to block unknown (zero-day) malware. It incorporates many real-time threat intelligence feeds to block current and emerging phishing attacks, and machine learning technology to detect and block previously unseen phishing threats. SpamTitan has been designed to work seamlessly with Office 365, allowing businesses to set up layered defenses that augment Microsoft’s protections with advanced threat detection and blocking capabilities.

WebTitan is a DNS filtering solution that will safeguard all workers from web-based attacks, no matter where they access the internet. WebTitan uses zero-minute threat intelligence and blocks malicious domains and webpages as soon as they are discovered. The solution can also be used to carefully manage the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be set up to block the downloading of malicious files and software installers to manage shadow IT.

For more details on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, or to register for a free trial of either solution and start protecting against email and web-based threats straight away, get in touch with TitanHQ now!

 

Office 365 Credentials of Executives Stolen in PerSwaysion Spear Phishing Attacks

A new phishing campaign has been discovered that uses the Microsoft Sway file sharing service in a three-stage attack to steal the Office 365 credentials of high-level executives. Group-IB researchers identified the campaign and named it PerSwaysion, although variants of the attack have been identified that use OneNote and SharePoint. The campaign is highly targeted and has been directed at high-level executives at more than 150 firms. The individuals behind the campaign are believed to be based in Nigeria and South Africa, and the earliest traces of the attacks indicate the campaign has been operational since around the middle of last year.

The PerSwaysion attack begins with a spear phishing email sent to an executive at the targeted firm. The email carries a PDF attachment with no malicious code embedded; the PDF simply contains a link that the user must click to view the content. The link takes the user to a Microsoft Sway page, which again asks them to click a link to view the content. Sway previews the document and shows its content without the user having to open it: the page displays the name and email address of the sender (a known contact), a message that a file has been shared for review, and a hyperlink with the text ‘Read Now’. Clicking that link directs the user to a phishing page with a fake Office 365 single sign-on login prompt.

The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page all have Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into sharing their credentials.

Once credentials have been harvested, they are used the same day to access the Office 365 account. Email data is copied from the account, which is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then erased from the victim’s Sent folder so that the victim does not notice the attack.

The emails include the sender’s name in the subject line and, since they are sent from the genuine account of a known contact, they are more likely to be clicked on. The lure is simple but effective, asking the recipient to open and review the shared document.
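
The post-compromise behaviour described above (a same-day logon with stolen credentials, a burst of outbound lures to the victim’s contacts, and the copies removed from Sent Items) leaves a recognisable trail in mailbox audit data. The Python below is an added example, written for this page rather than taken from Group-IB or TitanHQ, of a detection over that trail. The event records are constructed and use a deliberately simplified schema: the field names `ts`, `user`, `op`, `ip`, `folder`, `subject` and `msgid`, the operation names, the `KNOWN_IPS` baseline and the `victim.example` accounts are all assumptions for the example, not the Office 365 audit log format. It also goes slightly beyond the page by keying on any unfamiliar logon IP rather than only on a specific campaign, since the same pattern fits most mailbox takeovers.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, user, op, **extra):
    """Build one constructed audit record (simplified schema, an assumption)."""
    return {"ts": ts, "user": user, "op": op, **extra}


# Constructed sample events. Account "cfo" shows the PerSwaysion pattern: a logon
# from an IP never seen for that user, then a burst of outbound mails with the same
# lure subject, each hard-deleted from Sent Items minutes later. Account "dev" is
# ordinary activity used as a control.
SAMPLE_EVENTS = [
    _event("2020-04-21T08:02:00", "cfo@victim.example", "UserLoggedIn", ip="203.0.113.7"),
    _event("2020-04-21T09:15:00", "dev@victim.example", "UserLoggedIn", ip="198.51.100.5"),
    _event("2020-04-21T09:20:00", "dev@victim.example", "Send",
           subject="standup notes", msgid="d1"),
]
for i in range(6):
    # attacker mass-mails the victim's contacts from the compromised account ...
    SAMPLE_EVENTS.append(_event(f"2020-04-21T08:{10 + i:02d}:00", "cfo@victim.example", "Send",
                                subject="Jane Doe shared a document", msgid=f"m{i}"))
    # ... and removes each message from Sent Items shortly afterwards
    SAMPLE_EVENTS.append(_event(f"2020-04-21T08:{20 + i:02d}:00", "cfo@victim.example",
                                "HardDelete", folder="Sent Items", msgid=f"m{i}"))

# Constructed per-user baseline of logon IPs seen over the preceding weeks.
KNOWN_IPS = {
    "cfo@victim.example": {"198.51.100.20"},
    "dev@victim.example": {"198.51.100.5"},
}


def find_account_takeover(events, known_ips, window=timedelta(hours=24), min_sends=5):
    """Flag accounts where a logon from an unseen IP is followed, within `window`,
    by at least `min_sends` outbound messages of which some were then hard-deleted
    from Sent Items. Returns one finding dict per suspicious logon."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for logon in [e for e in evs if e["op"] == "UserLoggedIn"]:
            if logon["ip"] in known_ips.get(user, set()):
                continue  # familiar location: not the pattern we are after
            t0 = datetime.fromisoformat(logon["ts"])
            later = [e for e in evs
                     if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
            sends = [e for e in later if e["op"] == "Send"]
            deleted = {e["msgid"] for e in later
                       if e["op"] == "HardDelete" and e.get("folder") == "Sent Items"}
            sent_then_deleted = [s for s in sends if s["msgid"] in deleted]
            if len(sends) >= min_sends and sent_then_deleted:
                subjects = defaultdict(int)
                for s in sends:
                    subjects[s["subject"]] += 1
                findings.append({
                    "user": user,
                    "logon_ip": logon["ip"],
                    "logon_time": logon["ts"],
                    "sent": len(sends),
                    "sent_then_deleted": len(sent_then_deleted),
                    "top_subject": max(subjects, key=subjects.get),
                })
    return findings


if __name__ == "__main__":
    for finding in find_account_takeover(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

Two design points matter in practice. The unfamiliar-IP condition is the anchor, not the whole rule: executives travel, so an unknown IP alone would page the on-call constantly, while the combination with a send burst and deletions from Sent Items is rare for legitimate use. And because the attacker deletes the evidence from the mailbox itself, the audit log is the only place this trail survives, which is why mailbox auditing has to be enabled and retained before an incident rather than after.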

Many of the attacks have been targeted on individuals at companies in the financial services sector, although law firms and real estate companies have also fallen victim. Most attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.

It is possible that the cybercriminals are still accessing the compromised email accounts to steal sensitive data. Since the campaign targets high-level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.

SpamTitan v7.00 Includes Bitdefender Anti-Virus Engine

A new version of TitanHQ’s cloud-based anti-spam service and anti-spam software was made available on March 5, 2018. SpamTitan version 7.00 incorporates patches for recently identified flaws in the ClamAV antivirus engine and a change to the primary AV engine used by the solution.

The primary anti-virus engine in SpamTitan version 7.00 is supplied by the Romanian firm Bitdefender, an award-winning engine that provides strong protection against email-borne malware, viruses, and ransomware. Combined with the secondary AV engine, ClamAV, users benefit from excellent protection against email-based malware and ransomware attacks; the dual engines see to it that malicious software is not delivered to end users’ inboxes in email attachments.

The change to Bitdefender was the obvious choice, and TitanHQ plans to deepen its strategic relationship with the Romanian cybersecurity business over the coming weeks and months. The change of primary AV engine will be transparent to existing users, who will continue to be protected from malicious threats.

The update to the latest version will not happen automatically. Customers who have ‘prefetch of system updates’ enabled on their SpamTitan installations will see the new version in their list of available updates and can trigger the update manually. Customers who do not have that option enabled need to ‘check for updates’ from the user interface.

Customers are advised to review the documentation accompanying the new version before installation, as it contains important information on how the update should be applied. TitanHQ notes that it is not possible to update from v4 or v5 of the platform to SpamTitan version 7.00 without first installing version 6.

Customers should note that the update must be applied before May 1, 2018 to ensure continued protection, as support for the Kaspersky AV engine, used in all versions of SpamTitan prior to v7, ends on that date. TitanHQ has also informed customers that support for v4 and v5 of SpamTitan will cease from May 1, 2018.

SpamTitan v7.00 includes patches for the following ClamAV flaws: CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12379, and CVE-2017-12380. The new version also improves protection against DoS attacks and should be applied as soon as possible. The update takes around 10-20 minutes to run.

 

TitanHQ Statement on Coronavirus (COVID-19) Pandemic

During this unprecedented time of uncertainty, the health and safety of our staff, clients, partners and their families is one of our main focuses and concerns. Team TitanHQ are dedicated to supporting our partners and customers. The advantages provided by our email and web security products are even more relevant and crucial now.

Our fantastic team has met the challenge with vigor and we have mobilized our workforce so that it’s business as usual over this unusual period of time. We are taking counsel from the government on best practice and have a task force in place to manage our work.

Customers and partners can be assured that support teams will continue to be available and that product teams are working as normal. If you have any queries or concerns about products or technical support, please contact us as you normally would. The support team has been trained to be aware of special customer concerns during this pandemic and will escalate any question to the relevant responsible person or department.

Our new documentation and setup resource has been extremely busy during this period. You can access it here and, as always, our support team is available at https://www.titanhq.com/support-portal/

We are conscious that this is a sensitive time and we will do everything we can to make it easier for our customers. All of us at TitanHQ wish you good health and thank you for your continued business.