Email Threats

New Saint Bot Malware Dropper Shared using Phishing Emails

A new malware variant being referred to as Saint Bot malware is being shared using phishing emails that feature a Bitcoin-themed lure. As Bitcoin values continue surge upwards it is thought that the lure will be more effective than ever and fool many into clicking on the attached files to use the bitcoin wallet.

The phishing emails inform the recipient that a Bitcoin wallet in the included Zip file. The Zip file comes with a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader installs an obfuscated .Net dropper and downloader, which will then load a BAT script that disables Windows Defender and the Saint Bot malware binary. If someone should follows these instructions it will set off a process that will result in the Saint Bot malware being installed on the device.

A feature of the Saint Bot malware dropper is that is can deliver secondary payloads including information stealers, although it can be used to drop any possible strain of malware. This new strain was initially discovered by researchers at Malwarebytes. They found that there are no novel techniques at play with this malware. However, appears that the malware is being continually evolved. Currently, detections have been at a comparatively minimal but Saint Bot malware could grow into a serious threat for email users.

Once installed the malware can find out if it is in a controlled environment and will remove itself should that be the case. Conversely, should it not be a controlled environment the malware will communicate with its hard-coded command and control servers, send information collated from the infected system, and install secondary payloads to the infected device using Discord.

The malware is not characteristic of a particular threat group and could well be shared to multiple actors using darknet hacking forums, but it could well become a significant threat and be used in widespread campaigns to take advantage of the opportunity in the malware-as-a-service (MaaS) market created by the takedown of the Emotet Trojan.

Safeguarding your database from malware downloaders such as Saint Bot malware requires a defense in depth approach. The simplest method of preventing infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that spread the malware. Antivirus software should also be configured on all endpoints and set to update automatically, and communication with the C2 servers should be tackled using firewall rules.

Along with technical security, it is crucial to conduct security awareness training to the workforce to help staff spot malicious emails and show them how to react when a possible threat is discovered.

IRS Phishing Scam Promising Tax Refunds targets Universities

The chance for cybercriminals to make massive profits by filing fake tax return submissions is significant, many time leasing to refunds of thousands of dollars being processed by the U.S. Internal Revenue Service (IRS). Every year tax workers being sent a range of IRS phishing messages that seek to steal sensitive data that can be leverage by the cybercriminals to illegally obtain identities and send in fraudulent tax returns using their victims detail.

In 2021 many tax season phishing scams have been uncovered including the subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” that tries to trick the recipient’s into opening the emails. The emails feature the authentic IRS logo and tells recipients that they qualify for an additional tax refund, but in order to be transferred the payment they must click a link and fill out a form. The form in question looks like a real IRS.gov form, with the page an exact replica of the IRS website, although the website on which the form is displayed is not an official IRS portal.

The form seeks a wide range of private personal information to be supplied so that the refund can be processed. The form requests the individual’s identity, birth data, Social Security information, driver’s license number, existing address, and electronic filing PIN. For extra realism, the phishing portal also shows a popup notification saying, “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.

The cybercriminals look like they are focusing on universities and other educational bodies, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu email addresses.

Educational agencies should employ measure to mitigate the chance of their staff and students being tricked by these scams. Warning all .edu account holders to warn them about the campaign is crucial, particularly as these messages are getting around Office 365 anti-phishing measures and are landing in inboxes.

Any educational entity that depends on Microsoft Exchange Online Protection (EOP) for preventing spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly think about enhancing anti-phishing security with a third-party spam filter.

SpamTitan has been created to supply better protection for Office 365 environments. The solution used along with Office 365 and easily integrates with Office 365 email while greatly improving spam and phishing email security, dual antivirus engines and sandboxing provide excellent security from malware.

To find out more in relation to SpamTitan anti-phishing security for higher education institutions call Spam. You can avail of a free trial to allow you to assess the solutions prior to deciding to buy it.

2020 Witnessed Massive Surge in Healthcare Breaches

According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in early 2020, following the outbreak of COVID-19, a huge number of large healthcare data breaches registered, more than in any other year. The Tenable Research 2020 Threat Landscape Report reported that the largest data breach violated 22bn records of personal data in 2020 impacted the healthcare sector.  An article made available HIPAA journal in January, 2021 reported that:

  • Over 29 million healthcare records were impacted during 2020
  • A rate of 1.76 Healthcare related data breaches per day was recorded
  • Healthcare data breaches grew by 25% year-over-year
  • During 2020 642 healthcare data breaches of 500 or more records were discovered

In addition to this:

  • The total amount of healthcare data breaches has doubled since 2014 and tripled since 2010.
  • Over 3,700 breaches of 500 or more records have been reported since October 2009
  • Since 2009 the total number of exposed records is more than 78 million

How Data Breaches Occur

The database breaches are happened as a result of three main factors:

  • Cyber attacks – hacking attacks involving malicious hacking campaigns
  • Endpoint devices being stolen of lost
  • Unauthorized disclosure of personal healthcare information

The size of the breaches is worrying. One largest that focused on Dental Care Alliance was discovered on October 11 comprised the payment card numbers of more than 1 million patients.  The hackers initially obtained access to the DCA systems on September 18. A solution was not put in place until October 13. Along with payment card data, those responsible may have illegally taken patient names and contact information as well as medical information and insurance information.  Patients were made aware of the attack in early December and approximately 10% of the patients later reported a breach of their account numbers.

There are many factors that have led to the huge spike in attacks that took place over the last 14 months.  Like many sectors, the change to remote work systems and the worrying nature  of the COVID-19 pandemic on healthcare organizational leaders has been one of the main reasons. However money has been the main factor behind the rise of cyberattacks on the healthcare industry.  Patient records are valuable in the open market due to the personal and private data they contain.  While credit card information will only garner a few dollars on their own, patient data can be sold for up to $150 per record.  Sadly, an infiltrated record costs the victimized group an average of $499 last year, a 16% increase annually.

Healthcare bodies have a responsibility to secure their patient’s data from potential data theft. TitanHQ can assist healthcare bodies with a solution to stop hackers from obtaining sensitive data. Get in touch with TitanHQ now and learn how our award winning solutions will secure your business and patients.

IRS Phishing Scam Targets Universities Promising Tax Refunds

With the last minute rush to get taxes filed in the the United States before the April 15 deadline tax specialists  and tax filers are being focused on with a range of IRS phishing campaigns that are trying to steal sensitive data that can be leveraged by hackers to obtain identities and submit fraudulent tax returns as they pretend to be their victims.

These campaigns are popular with cybercriminals due to the chance to make substantial profits using the submission of fake tax returns and this is true for the 2021 tax season. A number of tax season phishing attacks have been uncovered this year using phishing lures linked to tax refund payments. The phishing emails include subject lines like “Tax Refund Payment” and “Recalculation of your tax refund payment” which are likely trick the recipient’s into opening the emails. They, the emails, feature the actual IRS logo and advise recipients that they qualify to receive an additional tax refund, but in order to receive the payment they must visit a link and fill out a form. The form looks like an authentic IRS.gov form, with the page an exact replica of the IRS website, although the website on which the form is hosted is not an authentic IRS domain.

The form requests very sensitive personal information to be handed over in order for the refund to be transferred. The form seeks the individual’s name, birth date, Social Security details, driver’s license information, present address, and electronic filing PIN. For extra realism, the phishing portal also shows a popup notification which says “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the authentic IRS web page.

The attackers seem to be focusing on universities and other educational bodies, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu emails.

Educational bodies must implement measures to mitigate the danger of their staff and students being fooled by these scams. Warning all .edu account holders about the campaign is crucial as these messages are getting past Office 365 anti-phishing measures and are landing in inboxes.

Any educational body that is dependent on Microsoft Exchange Online Protection (EOP) for preventing spam and phishing emails – EOP is the default protection supplied free with Office 365 licenses – should strongly think about enhancing their anti-phishing defenses with a third-party spam filter.

SpamTitan has been designed to put in pace stronger security for Office 365 environments. The solution is placed on top of Office 365 and easily works with Office 365 email. Along with significantly enhancing spam and phishing email protection, dual antivirus engines and sandboxing provide top of the range cybersecurity in the face of malware.

For more details about SpamTitan anti-phishing security for higher education, contact SpamTitan now. You can now protect your institution by add the SpamTitan solution. There is also free trial available to test SpamTitan.

Education Sector Targeted by Pysa Ransomware Group

During 2020 the healthcare sector has been constant focus of ransomware groups, but the education sector is also dealing with a rise in attacks, with the Pysa (Mespinoza) ransomware gang now aiming for the education sector.

Pysa ransomware is another strain of Mespinoza ransomware that was first seen in ransomware campaigns during October 2019. The threat group responsible for the attacks, like many other ransomware threat gangs, uses double extortion moves on targets. Files are encrypted and a ransom demand is shared for the keys to decrypt files, but to improve the chances of the ransom being paid, data is stolen before file encryption. The gang if trying to profit from selling the stolen data on the darkweb if the ransom is not paid. Many targeted groups entities have been forced to hand over the ransom demand even when they have backups to stop the sale of their data.

As of October 2019, the Pysa ransomware gang has focused on large companies, the healthcare sector, and local government bodies, but there has been a recent rise in attacks on the education sector. Attacks have been carried out on K12 schools, higher education institutions, and conference, with attacks being experienced in 12 U.S. states and the United Kingdom. The rise in attacks lead to the FBI to issue a Flash Alert in March 2020 warning the education sector about the heightened danger of attacks.

Reviews of attacks revealed the gang carries out network reconnaissance using open source tools like Advanced Port Scanner and Advanced IP Scanner. Tools including PowerShell Empire, Koadic, and Mimikatz are employed to obtain credentials, grow privileges, and move laterally inside networks. The gang spots and steals sensitive data before delivering and delivering the ransomware payload. The range of data stolen are those that can be used to force victims into paying and can easily be sold on the darkweb.

Discovering a Pysa ransomware attack in progress is tricky, so it is crucial for defenses to be hardened to prevent any access occurring. Many methods have been used to obtain access to networks, although in many cases it is not known how the attack began. In attacks on French firm and government agencies brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have included exploitation of Remote Desktop Protocol flaws, with the gang is also known to use spam and phishing emails to obtain details to gain a foothold in databases.

As a range of methods are used for obtaining access, there is no one option that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to improve their security measures.

Antivirus/antimalware solution is vital, as is ensuring it is kept updated. Since many attacks begin with a phishing email, an advanced email security gateway is also crucial. Picking a solution such as SpamTitan that uses dual AV engines and sandboxing will increase the chance of spotting malicious emails. SpamTitan uses machine learning methods to identify new types of email attacks.

Patches and security updates should be run quickly after they have been released to stop flaws from being targeted. You should employ the rule of least privilege for accounts, limit the use of administrative accounts as far as you can, and segment networks to limit the chance of lateral movement occurring. You should also be scanning your network for suspicious activity and create alerts to permit any potential infiltration to be quickly discovered. All redundant RDP ports should be shut down, and a VPN used for remote access.

It is crucial for backups to be created of all critical data to ensure that file recovery can take place without paying the ransom. Multiple backups of data should be set up, those backups should be tested to make sure file recovery can happen, and at least one copy should be stored safely on an air-gapped device.

Extensive Amount of Personal Information Sought in new PayPal Phishing Scam

A new PayPal phishing scam has been discovered that tries to steal an extensive amount of personal data from victims by pretending to be a PayPal security warning.

Fake PayPal Email Alerts

The emails seem to have been issued from PayPal’s Notifications Center and inform users that their account has been temporarily closed due to an attempt to log into their account from a previously unknown browser or device.

The emails feature a hyperlink that users are advised to click to log in to PayPal to verify their identity. A button is included in the email which users are told to visit a “Secure and update my account now !” link. The hyperlink is a shortened bit.ly address, that brings the victim to a spoofed PayPal page on a htacker-controlled domain using a redirect mechanism.

If the link is visited, the user is shown with a spoofed PayPal login. After entering PayPal account details, the victim is asked to enter a range of sensitive data to prove their identity as part of a PayPal Security check. The information must be provided to unlock the account, with the list of steps listed on the page along with the progress that has been made toward accessing the account.

AT first the hackers ask for the user’s full name, billing address, and phone number. Then they miust sharetheir credit/debit card details in full. The next page asks for the user’s date of birth, social security number, ATM or Debit Card PIN information, and finally the user is required to send a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo Identification card.

Request for Excessive Data

This PayPal phishing campaign seeks an extensive amount of data, which should serve as an alert that all is not what it appears, especially the request to enter highly sensitive data including a Social Security number and PIN.

There are also indicators in the email that the request is not what it appears. The email is not sent from a domain linked with PayPal, the message begins with “Good Morning Customer” and not the account holder’s name, and the notice included at the bottom of the email advising the user to mark whitelist the sender if the email was sent to the spam folder is poorly composed. However, the email has been written to get the recipient to move quickly to prevent financial loss. As with other PayPal phishing campaigns, many users are likely to be tricked into sharing at least some of their personal data.

Consumers need to always be extremely careful caution and should never reply instantly to any email that warns of a security breach, instead they should stop and consider their next move prior to doing anything and carefully check the sender of the email and text. To review if there exists a genuine issue with the account, the PayPal website should be visited by viewing the proper URL into the address bar of the browser. URLs in emails should never be clicked on.

To discover more about current phishing campaigns and some of the key security measures you can put in place to enhance your protection from these campaigns, get in touch with the SpamTitan team now.