A spam email campaign is being conducted focusing on targeting corporate email accounts to share Loki Bot malware. Loki Bot malware is a data stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords in placed for messaging apps.
Along with stealing saved passwords, Loki Bot malware has keylogging capabilities and is possibly capable of installing and running executable files. All data captured by the malware is transferred to the hacker’s C2 server.
Kaspersky Lab researchers identified an increase in email spam activity focusing on corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was sent hidden in a malicious email attachment.
The intercepted emails included an ICO file attachment. ICO files are duplicates of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, the majority of modern operating systems have the ability to access the contents of the files without the need for any extra software.
In this instance, the ICO file includes Loki Bot malware and double clicking on the file will result in a downloading of the malware on operating systems that support the files (Vista and later).
It is relatively unusual for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users try to open the files.
The campaign included a wide variety of lures including fake purchase orders, speculative enquiries from companies including product lists, fake invoices, bank transfer details, payment requests, credit alerts and payment confirmations. Well-known businesses such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.
A different and unrelated spam email campaign has been discovered that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a installer capable of downloading a variety of different payloads and additional modules.
During installation, the malware fingerprints the system and gathers data such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is downloads. If the system is of particular interest, it is earmarked for a more thorough extensive compromise.
Four separate campaigns involving millions of messages were discovered by experts at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document including a malicious macro. The campaigns seem to be targeting financial institutions.
IQY files are used by Excel to download web content straight into spreadsheets. They have been used in many spam email campaigns in recent weeks to install a range of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.
Since most end users would not have any need to open ICO or IQY files, these file types should be placed on the list of blocked file types in email spam filters to prevent them from being shared to end users’ inboxes.
hackers are using WannaCry phishing emails to conduct campaigns using the fear surrounding the global network worm attacks.
An email campaign has been discovered in the United Kingdom, with BT customers being focused on. The hackers have been able to spoof BT domains and made their WannaCry phishing emails look very realistic. BT branding is used, the emails are well composed and they claim to have been shared from Libby Barr, Managing Director, Customer Care at BT. A quick review of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are realistic, cleverly put together, and are likely to trick many customers.
The emails claim that BT is working on enhancing its security after the massive ransomware campaign that impacted over 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were impacted by the incident and had data encrypted and services majorly damaged by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have inflicted.
The WannaCry phishing emails provide a very good reason for taking quick action. BT is offering a security upgrade to stop its customers from being harmed by the attacks. The emails claim that in order to keep customers’ sensitive data secure, access to certain features have been turned off on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by selecting the upgrade box contained in the email.
Of course, visiting the link will not lead to a security upgrade being applied. Customers are required to share their login credentials to the hackers.
Other WannaCry phishing emails are likely to be issued claiming to be originating from other broadband service providers. Similar campaigns could be used to quietly install malware or ransomware.
Hackers often take advantage of global news events that are garnering a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also prevalent during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news stories.
it is vital never to click on links sent in email from people you do not know, be extremely careful about visiting links sent from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
Just one phishing email sent to a member of staff can lead to a data breach, email or network compromise. It is therefore crucial for employers to be careful. Employees should be provided with phishing awareness training and taught the giveaway signs that emails are not authentic. It is also vital that an advanced spam filtering solution is employed to stop most phishing emails from landing in end users inboxes.
In relation to that, TitanHQ is here to help you out. get in touch with the team now to see how SpamTitan can protect your business from phishing, malware and ransomware campaigns.
Although many reports seem to indicate that email spam is dropping, email spam and botnet infection is still a major danger for most U.S organizations and people – with criminal practices netting hacking gangs billions of dollars every year.
Estimating the infection levels and the amount of spam being sent was one of the chief aims of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). M3AAWG, is a global network tasked with promoting cybersecurity best practices and tackling organized internet crime. M3AAWG was created 10 years ago by a number of leading internet service providers, with the goal of enhancing collaboration and sharing knowledge to make it more complicated for criminals to spam account users. By reducing the impact of email spam on individuals and organizations, ISPs would be able to better secure users, IPS’s email platforms and their reputations.
It was noticed that quantifying email spam and botnet infection levels was an extremely difficult task; one that was only possible with collaboration between internet service suppliers. Arising out of this collaboration, the organization has produced reports on the global state of email spam and botnet infection. Its latest analysis suggests that approximately 1% of computer users are part of a botnet network.
The data gathered by M3AAWG involved assessing 43 million email subscribers in the United States and Europe.,The data analysis showed that IPS’s normally block from 94% to 99% of spam emails. The company’s report suggests that overall, IPS’s do a good job of blocking email spam.
The figures look good but, taking into account the huge scale of email spam, billions of spam emails are still making it through to users, with financial organizations and other companies now being regularly focused on with spam and malware.
Email spammers are well backed financially, and criminal organizations are using email spam as a means of getting hold of tens of billions of dollars annually from internet fraud. Spam emails are sent to phish for sensitive information, such as bank account information, credit card details and other highly sensitive data including Social Security numbers. Accounts can be cleaned out, credit cards maxed out and data used to carry outt identity theft; racking up tens of thousands of dollars of debts in the victims’ names.
In previous years, email spammers were dedicate to sending emails randomly to accounts with offers of cheap Rolexes, Viagra, potential brides and the opportunity to claim an inheritance from a long lost relative. Currently, spammers have realized there are far greater rewards to be gained, and emails are now sent containing links to malware-infected websites which can be used to gain access to users’ PCs, laptops and Smartphones, gaining access to highly sensitive data or locking devices and seeking ransoms.
Some emails may still be shared manually, but the majority are sent via botnets. Networks of infected machines that can be used to send huge volumes of spam emails, spread malware or organize increasingly complex attacks on individuals and organizations. The botnets are available via rental, with criminals able to rent botnet time and use them for any number of taks.
A large number of attacks are now coming from countries where there is little regulation and a very low risk of the perpetrators being caught. Africa states, as well as Indonesia and the Ukraine house huge volumes of scammers. They have even established call centers to deal with the huge amount of enquiries from criminals seeking botnet time to carry out phishing and spamming campaigns. Tackling the issue at the source is difficult, with corruption rife in the countries where the perpetrators live.
However, it is possible to lower spam level, and the danger of staff members being tricked by a scam or downloading malware by installing a robust email spam filter, reducing the potential for spam emails and phishing campaigns getting through to individual accounts. A report from Verizon showed that 23% of users view phishing emails and 11% open attachments and visit links included. Making sure that the emails reaching users is therefore one of the most successful methods of defense against these attacks.
Due to the ever evolving and more intricate nature of hacking, spamming and activity of cyber criminals, it is now vital that all companies, groups and organizations have an effective security awareness program and to make sure all employees, staff and workers know how to recognize email threats.
Threat actors are now creating very sophisticated tactics to download malware, ransomware, and obtain login credentials and email is the attack style of choice. Companies are being targeted and it will only be a matter of time before a malicious email is delivered to an worker’s inbox. It is therefore crucial that employees are trained how to identify email threats and told how they should respond when a suspicious email lands in their inbox.
If security awareness training is not made available for staff then there will be a huge hole in your security defenses. To assist yo in getting back on the right track, we have listed some vital elements of an effective security awareness strategy.
Vital Important Elements of an Strong Security Awareness Program
Have C-Suite Involved
One of the most vital starting points is to see to it that the C-Suite is on board. With board involvement you are likely to be able to dedicate larger budgets for your security training program and it should be simpler to get your plan adapted and followed by all departments in your organization.
In practice, getting the backing of executives to support a security awareness program can tricky. One of the most effective ways to increase the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial advantages that come from having a strong security awareness program. Provide data on the extent that businesses are being hit, the volume of phishing and malicious emails being shared, and the money that other businesses have had to cover to address email-based attacks.
The Ponemon Institute has completed several major surveys and provides annual reports on the expense of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of figures. Current data indicates the benefit of the program and what you require to ensure it is a success.
Get Other Departments On Board
The IT department should not be the only one responsible for developing a strong security awareness training program. Other departments can supply help and may be able to offer additional materials. Try to get the marketing department to support this, human resources, the compliance department, privacy officers. Those outside of the security team may have some valuable input not only in terms of content but also how to provide the training to get the best results.
Create a Continuous Security Awareness Strategy
A one-time classroom-based training session conducted once annually may have once been enough, but due to the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer adequate.
Training should be conducted an ongoing process provided during the year, with up to date information included on present and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for all employees. Create a training program using a variety of training methods including annual classroom-based training sessions, constant computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues to the fore of workers’ minds.
Provide Incentives and Gamification
Reward individuals who have finished training, alerted the group to a new phishing threat, or have scored well in security awareness training and tests. Try to establish competition between departments by publishing details of departments that have performed very well and have the highest percentage of employees who have finished training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.
Security awareness training should ideally be interesting. If the training is fun, employees are more likely to want to participate and retain knowledge. Use gamification methods and choose security awareness training providers that offer interesting and engaging content.
Test Knowledge with Phishing Email Simulations
You can conduct training, but unless you test your employees’ security awareness you will not know how effective your training program has been and if your staff have been paying attention.
Before you begin your training program it is important to have a baseline against which you can gauge success. This can be achieved using security questionnaires and completing phishing simulation exercises.
Running phishing simulation exercises using real world examples of phishing emails following training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be transformed into a training opportunity.
Comparing the before and after results will let you see the advantages of your program and could be used to help get more funding.
Train your staff constantly and review their understanding and in a relatively short space of time you can create a highly effective human firewall that complements your technological cyber security security measures. If a malicious email breaks through your spam filter, you can be happy that your employees will have the skills to recognize the threat.
Social media can be a key factor of a group’s marketing operations – it can also be the gateway for many online threats. Internet users who choose not to use unique passwords for their online activities, share their passwords, or willingly provide confidential information without due consideration for the security implications can be risking the online security of an entire group.
Instead of an employee threaten the integrity of your group’s online security, it is in your best interests to implement an Internet filtering solution from TitanHQ. An Internet filtering solution – and proper training about the risks of communicating confidential data online – can address the risk of your organization´s online defenses being compromised by an staff member’s carelessness or naivety.
Bitdefender has created a free Bart ransomware decryptor that permits victims to unlock their files without meeting a ransom demand.
Bart Ransomware was first discovered in June 2016. The ransomware variant stood out from the others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a link to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process needs an Internet connection to transfer the ransom payment and get the decryption key.
Bart ransomware posed a major threat to corporate users. Command and control center communications could possibly be prevented by firewalls preventing encryption of files. However, without any C&C contact, corporate users were in danger.
Bart ransomware was thought to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a large portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that implemented by Locky.
As with Locky, Bart ransomware encrypted a wide variety of file types. While early versions of the ransomware variant were fairly uncomplicated, later versions saw flaws addressed. Early versions of the ransomware variant prevented access to files by locking them in password-protected zip files.
The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force tactics. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was necessary. In later versions of the ransomware, the use of zip files was ended and AVG’s decryption technique was rendered ineffective. The encryption process used in the more recent versions was much stronger and the ransomware had no known weaknesses.
Until Bitdefender developed the most recent Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.
Luckily, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal review. The Bart ransomware decryptor was created by Bitdefender after working with both the Romanian police and Europol.
From April 4, 2017, the Bart ransomware decryptor has been made available for free installation from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to see if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.
Bart ransomware may be thought to have links to Locky, although there is no indication that keys have been obtained that will permit a Locky ransomware decryptor to be created. The best form of security against attacks is blocking spam emails to stop infection and ensuring backups of all sensitive data have been put in place.