Tips to Avoid Holiday Season Spam Email Campaigns

In the rush to buy Christmas gifts online, security awareness is often disregarded, and hackers are waiting to take advantage. Hidden among the countless emails sent by retailers to inform past customers of the most recent special offers and deals are a great many holiday season email scams. To an untrained eye, these scam emails seem to be no different from those sent by authentic retailers. Then there are the phishing websites that record details and credit card numbers, and websites hosting exploit kits that silently install malware. It is a dangerous time to be using the Internet for shopping.

However, if you are careful, you can avoid holiday season email scams, phishing websites, and malware this Christmas. To help you stay out of trouble, we have gathered some tips below.

Guidelines to Stay Safe This Holiday Season

In the days before Christmas there will be scams aplenty. To stay safe online, remember the following:

Carefully check the URL of websites every time before parting with your card details

Spoofed websites often look just like the genuine sites that they mimic. They use the same background and style, the same imagery, and the same branding as retail sites. The only thing that differs is the URL. Before filling in your card details or parting with any sensitive data, review the URL of the site and make sure you are not on a spoofed website.

Never permit retailers to hold your card details for future transactions

It is a service that makes for swift purchases. Sure, it is a pain to have to enter your card details each time you want to buy something, but by taking an extra minute to enter your card details each time you will reduce the chance of your account being emptied by scammers. Cyberattacks on retailers are common, and SQL injection attacks can give hackers access to retailers’ websites – and a treasure trove of stored credit card numbers.

Crazy deals are normally just that

You may find out that you have won a PlayStation 4 or the latest iPhone in a competition. While it is possible that you may have won a prize, it is doubtful that this will happen if you haven’t actually entered a prize draw. Similarly, if you are offered a 50% discount on a purchase through email, there is a high probability that it is a scam. Scammers take advantage of the fact that everyone loves a deal, and never more so than during the holiday period.

If you purchase online, use your credit card

Avoid the holiday season crowds and buy presents online, but use your credit card for purchases instead of a debit card. If you have been caught in a holiday season scam or your debit card details are stolen from a retailer, it is highly unlikely that you will be able to recover stolen funds. With a credit card, you have better security measures and getting a refund is much more likely.

Never visit HTTP sites

Websites secured by the SSL protocol are safer. If a website address begins with HTTPS it means the connection between your browser and the website is encrypted. It makes it much more difficult for sensitive data to be intercepted. Never hand over your credit card details on a website that does not begin with HTTPS.

Carefully check order and delivery confirmations

If you order over the Internet, you will no doubt want to look over the status of your order and find out when your purchases will be delivered. If you are sent an email with tracking information or a delivery confirmation, treat the email as potentially dangerous. Always go to the delivery company’s website by entering the URL into your browser, rather than visiting links sent through email. Fake delivery confirmations and parcel tracking links are common. The links can bring you to phishing websites and sites that install malware, while email attachments often contain malware and ransomware installers.

Holiday season is hectic, but be careful online

One of the chief reasons holiday season email scams succeed is that people are in a hurry and do not take the time to read emails carefully and check that attachments and links are authentic. Scammers take advantage of busy individuals. Look over the destination URL of any email link before you click. Take time to consider things before taking any action online or responding to an email request.

Have different passwords for different websites

You may decide to purchase all of your Christmas gifts on Amazon, but if you need to sign up for a number of different sites, never use the same password for these websites. Password reuse is one of the main ways that hackers can capture access details for your social media networks and bank accounts. If there is a data breach at one retailer and your password is stolen, hackers will attempt to use that password on lots of other platforms.

 

Holiday Season Gift Card Scams on the Rise

Holiday season gift card scams are very common, and this year is no exception. Many gift card-themed scams were tracked during Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into disclosing their credit card information.

Everyone is a fan of a bargain, and the offer of something for nothing may be too tempting. Many people are taken in by these scams, which is why threat actors switch to gift card scams around holiday season.

Consumers can be tricked into parting with credit card information, but companies are also at risk. Many of these campaigns are designed to obtain access to login credentials or are used to install malware. If an end user responds to such a scam during their work day, it is their employer that will likely pay the ultimate price.

This year has seen many businesses hit by gift card scam campaigns. Figures released by Proofpoint indicate that out of the organizations that have been targeted with email fraud attacks, almost 16% had experienced a gift card-themed attack, up from 11% in Q2, 2018.

This year has also seen a heightened risk due to business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails say that they have been sent from the CEO (or another executive) and request that accounts and administration staff purchase gift cards for clients, or ask for gift cards to be bought in order to use them for charitable donations.

To cut the risk from gift card scams and other holiday-themed phishing emails, firms need to see to it that they have powerful spam filtering technology in place to block the emails at source and prevent them from being delivered to employee inboxes.

Advanced Anti-Phishing Security for Office 365

Many companies use Office 365, but even Microsoft’s anti-phishing security measures see many phishing emails slip through the security systems, especially at businesses that included the advanced phishing protection subscription. Even with the advanced anti-phishing measures, emails still make it past Microsoft’s filters.

If you wish to block these malicious messages, an advanced third-party spam filter is necessary. SpamTitan has been designed to work side by side with Office 365 to improve protection against malware, phishing emails, and more complex phishing attacks.

SpamTitan can deal with more than 99.9% of spam email, while dual antivirus engines prevent 100% of known malware. What really sets SpamTitan apart from other software is the level of protection it offers against new threats. A combination of Bayesian analysis, greylisting, machine learning, and heuristics helps to identify zero-day attacks, which often get by Office 365 defenses.

If you want to enhance security against email-based attacks and reduce the amount of spam and malicious messages that are arriving in Office 365 inboxes, contact TitanHQ and book a product demonstration to see SpamTitan working.

Spam Campaigns Delivering Marap and Loki Bot Malware with ICO and IQY Files

A spam email campaign is being conducted that targets corporate email accounts to deliver Loki Bot malware. Loki Bot malware is a data stealer capable of obtaining passwords stored in browsers, email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords for messaging apps.

Along with stealing saved passwords, Loki Bot malware has keylogging capabilities and is possibly capable of installing and running executable files. All data captured by the malware is transferred to the hacker’s C2 server.

Kaspersky Lab researchers identified an increase in email spam activity focusing on corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was sent hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are duplicates of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, the majority of modern operating systems have the ability to access the contents of the files without the need for any extra software.

In this instance, the ICO file includes Loki Bot malware, and double clicking on the file will result in the malware being downloaded on operating systems that support the files (Vista and later).

It is relatively unusual for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users try to open the files.

The campaign included a wide variety of lures including fake purchase orders, speculative enquiries from companies including product lists, fake invoices, bank transfer details, payment requests, credit alerts and payment confirmations. Well-known businesses such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.

A different and unrelated spam email campaign has been discovered that is using IQY files to deliver a new form of malware known as Marap. Marap malware is an installer capable of downloading a variety of different payloads and additional modules.

During installation, the malware fingerprints the system and gathers data such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is downloaded. If the system is of particular interest, it is earmarked for a more extensive compromise.

Four separate campaigns involving millions of messages were discovered by experts at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document including a malicious macro. The campaigns seem to be targeting financial institutions.

IQY files are used by Excel to download web content straight into spreadsheets. They have been used in many spam email campaigns in recent weeks to install a range of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.

Since most end users would not have any need to open ICO or IQY files, these file types should be placed on the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.
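The attachment block recommended above has to cover both delivery forms described earlier: an IQY file attached directly and an IQY file inside a zip. The following is an added example, not code from the article or from any spam filter product. It scans a raw message for blocked extensions, looks inside zip attachments, and reports the URL a web query would fetch; it also catches a web query renamed to another extension by its content. The blocked list, the helper names, and the sample message are assumptions constructed for illustration, and the "WEB / version / URL" layout is the commonly documented IQY format.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".iqy"}  # assumption: extend with other types your policy blocks

def _ext(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    name = (name or "").lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def iqy_url(data):
    """Return the URL an IQY web query points at, or None if data is not IQY."""
    text = data[:4096].decode("utf-8", "replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Usual IQY layout: "WEB", a version number, then the URL Excel will fetch.
    if len(lines) >= 3 and lines[0].upper() == "WEB":
        return lines[2]
    return None

def _check(path, data, blocked):
    url = iqy_url(data)
    if _ext(path) in blocked:
        return [(path, "blocked-extension", url)]
    if url is not None:  # renamed web query, caught by content
        return [(path, "iqy-content", url)]
    return []

def scan_message(raw, blocked=BLOCKED_EXTENSIONS, max_member_bytes=1_000_000):
    """Return (path, reason, url) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings += _check(name, payload, blocked)
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                inner = f"{name}!{info.filename}"
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > max_member_bytes:
                    # Encrypted or oversized: judge by the visible name only.
                    if _ext(info.filename) in blocked:
                        findings.append((inner, "blocked-extension", None))
                    continue
                findings += _check(inner, zf.read(info), blocked)
    return findings

def build_sample():
    """Constructed test message: one bare .iqy, one .iqy in a zip, one renamed."""
    iqy = b"WEB\r\n1\r\nhttps://files.example.invalid/q.txt\r\n"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("docs/statement.IQY", iqy)
        zf.writestr("docs/readme.txt", b"nothing to see")
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@sender.example", "ap@recipient.example"
    msg["Subject"] = "Payment request"
    msg.set_content("Please see attached.")
    for fname, data in (("invoice.iqy", iqy), ("scan.zip", zbuf.getvalue()),
                        ("notes.txt", iqy), ("logo.png", b"\x89PNG\r\n")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return bytes(msg)

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The IQY-in-PDF and macro document variants mentioned above need format-specific parsing and are outside what this sketch covers.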

Campaigns using WannaCry Phishing Emails Detected

Hackers are using WannaCry phishing emails in campaigns that exploit the fear surrounding the global network worm attacks.

An email campaign has been discovered in the United Kingdom that targets BT customers. The hackers have been able to spoof BT domains and have made their WannaCry phishing emails look very realistic. BT branding is used, the emails are well composed, and they claim to have been sent by Libby Barr, Managing Director, Customer Care at BT. A quick search for her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are realistic, cleverly put together, and are likely to trick many customers.

The emails claim that BT is working on enhancing its security after the massive ransomware campaign that impacted over 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were impacted by the incident and had data encrypted and services badly disrupted by the ransomware attacks. If you live in the UK, it would be extremely hard to have avoided the news of the attacks and the extent of the damage they have inflicted.

The WannaCry phishing emails provide a very good reason for taking quick action. BT is offering a security upgrade to stop its customers from being harmed by the attacks. The emails claim that in order to keep customers’ sensitive data secure, access to certain features has been turned off on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by selecting the upgrade box contained in the email.

Of course, visiting the link will not lead to a security upgrade being applied. Instead, customers are asked to disclose their login credentials to the hackers.

Other WannaCry phishing emails are likely to be issued claiming to originate from other broadband service providers. Similar campaigns could be used to quietly install malware or ransomware.

Hackers often take advantage of global news events that are garnering a lot of media interest. During the Olympics there were many Olympic-themed spam emails. Phishing emails were also prevalent during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news story.

It is vital never to click on links sent in email from people you do not know, to be extremely careful about visiting links sent from people you do know, and to assume that any email you receive could be a phishing email or other malicious message.

Just one phishing email sent to a member of staff can lead to a data breach, email or network compromise. It is therefore crucial for employers to be careful. Employees should be provided with phishing awareness training and taught the giveaway signs that emails are not authentic. It is also vital that an advanced spam filtering solution is employed to stop most phishing emails from landing in end users’ inboxes.

TitanHQ is here to help you with that. Get in touch with the team now to see how SpamTitan can protect your business from phishing, malware and ransomware campaigns.

Email Spam and Botnet Infection Levels Quantified

Although many reports seem to indicate that email spam is dropping, email spam and botnet infection is still a major danger for most U.S. organizations and people – with criminal practices netting hacking gangs billions of dollars every year.

Estimating the infection levels and the amount of spam being sent was one of the chief aims of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). M3AAWG is a global network tasked with promoting cybersecurity best practices and tackling organized internet crime. M3AAWG was created 10 years ago by a number of leading internet service providers, with the goal of enhancing collaboration and sharing knowledge to make it more complicated for criminals to spam account users. By reducing the impact of email spam on individuals and organizations, ISPs would be able to better secure users, ISPs’ email platforms and their reputations.

It was noticed that quantifying email spam and botnet infection levels was an extremely difficult task; one that was only possible with collaboration between internet service providers. Arising out of this collaboration, the organization has produced reports on the global state of email spam and botnet infection. Its latest analysis suggests that approximately 1% of computer users are part of a botnet network.

The data gathered by M3AAWG involved assessing 43 million email subscribers in the United States and Europe. The data analysis showed that ISPs normally block from 94% to 99% of spam emails. The organization’s report suggests that overall, ISPs do a good job of blocking email spam.

The figures look good but, taking into account the huge scale of email spam, billions of spam emails are still making it through to users, with financial organizations and other companies now being regularly targeted with spam and malware.

Email spammers are well backed financially, and criminal organizations are using email spam as a means of getting hold of tens of billions of dollars annually from internet fraud. Spam emails are sent to phish for sensitive information, such as bank account information, credit card details and other highly sensitive data including Social Security numbers. Accounts can be cleaned out, credit cards maxed out and data used to carry out identity theft, racking up tens of thousands of dollars of debts in the victims’ names.

In previous years, email spammers were dedicated to sending emails randomly to accounts with offers of cheap Rolexes, Viagra, potential brides and the opportunity to claim an inheritance from a long lost relative. Currently, spammers have realized there are far greater rewards to be gained, and emails are now sent containing links to malware-infected websites which can be used to gain access to users’ PCs, laptops and smartphones, gaining access to highly sensitive data or locking devices and seeking ransoms.

Some emails may still be sent manually, but the majority are sent via botnets: networks of infected machines that can be used to send huge volumes of spam emails, spread malware or organize increasingly complex attacks on individuals and organizations. The botnets are available for rental, with criminals able to rent botnet time and use them for any number of tasks.

A large number of attacks are now coming from countries where there is little regulation and a very low risk of the perpetrators being caught. African states, as well as Indonesia and Ukraine, house huge volumes of scammers. They have even established call centers to deal with the huge amount of enquiries from criminals seeking botnet time to carry out phishing and spamming campaigns. Tackling the issue at the source is difficult, with corruption rife in the countries where the perpetrators live.

However, it is possible to lower the spam level, and the danger of staff members being tricked by a scam or downloading malware, by installing a robust email spam filter, reducing the potential for spam emails and phishing campaigns getting through to individual accounts. A report from Verizon showed that 23% of users view phishing emails and 11% open attachments and visit links included. Stopping these emails from reaching users is therefore one of the most successful methods of defense against these attacks.

How to Create a Strong Security Awareness Program

Due to the ever-evolving and more intricate nature of hacking, spamming and the activity of cyber criminals, it is now vital that all companies, groups and organizations have an effective security awareness program and make sure all employees know how to recognize email threats.

Threat actors are now creating very sophisticated tactics to install malware and ransomware and to obtain login credentials, and email is the attack style of choice. Companies are being targeted and it will only be a matter of time before a malicious email is delivered to a worker’s inbox. It is therefore crucial that employees are trained to identify email threats and told how they should respond when a suspicious email lands in their inbox.

If security awareness training is not made available for staff then there will be a huge hole in your security defenses. To assist you in getting back on the right track, we have listed some vital elements of an effective security awareness strategy.

Important Elements of a Strong Security Awareness Program

Have C-Suite Involved

One of the most vital starting points is to see to it that the C-Suite is on board. With board involvement you are likely to be able to dedicate larger budgets for your security training program and it should be simpler to get your plan adopted and followed by all departments in your organization.

In practice, getting the backing of executives to support a security awareness program can be tricky. One of the most effective ways to increase the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial advantages that come from having a strong security awareness program. Provide data on the extent to which businesses are being hit, the volume of phishing and malicious emails being sent, and the money that other businesses have had to spend to address email-based attacks.

The Ponemon Institute has completed several major surveys and provides annual reports on the expense of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of figures. Current data indicates the benefit of the program and what you require to ensure it is a success.

Get Other Departments On Board

The IT department should not be the only one responsible for developing a strong security awareness training program. Other departments can supply help and may be able to offer additional materials. Try to get the marketing department, human resources, the compliance department, and privacy officers to support this. Those outside of the security team may have some valuable input, not only in terms of content but also on how to provide the training to get the best results.

Create a Continuous Security Awareness Strategy

A one-time classroom-based training session conducted once annually may have once been enough, but due to the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer adequate.

Training should be conducted as an ongoing process provided throughout the year, with up-to-date information included on present and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for all employees. Create a training program using a variety of training methods including annual classroom-based training sessions and constant computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues to the fore of workers’ minds.

Provide Incentives and Gamification

Reward individuals who have finished training, alerted the group to a new phishing threat, or have scored well in security awareness training and tests. Try to establish competition between departments by publishing details of departments that have performed very well and have the highest percentage of employees who have finished training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.

Security awareness training should ideally be interesting. If the training is fun, employees are more likely to want to participate and retain knowledge. Use gamification methods and choose security awareness training providers that offer interesting and engaging content.

Test Knowledge with Phishing Email Simulations

You can conduct training, but unless you test your employees’ security awareness you will not know how effective your training program has been and if your staff have been paying attention.

Before you begin your training program it is important to have a baseline against which you can gauge success. This can be achieved using security questionnaires and completing phishing simulation exercises.

Running phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be transformed into a training opportunity.

Comparing the before and after results will let you see the advantages of your program and could be used to help get more funding.

Train your staff constantly and review their understanding, and in a relatively short space of time you can create a highly effective human firewall that complements your technological cyber security measures. If a malicious email breaks through your spam filter, you can be confident that your employees will have the skills to recognize the threat.