Email Threats

Email Sextortion Scams are on the Rise

Email is the channel threat actors most commonly use for initial contact with victims. While most email attacks attempt to steal credentials or deliver malware, another type of scam has been steadily increasing. According to data from ESET, sextortion scams have increased by 178% year over year and are proving lucrative.

Email sextortion scams involve sending unsolicited emails that threaten to expose the recipient's sexual activities. The threat actor claims to have obtained compromising images or videos purportedly showing the individual watching adult content or engaging in sexual acts, and threatens to share them with the victim's partner, family members, friends, social media contacts, and even their employer unless the attacker's demands are met. These scams have proven lucrative, with many individuals paying to have the non-existent videos and images deleted. The amount demanded varies but is often in the region of $500 to $1,000.

One recently identified scam impersonates the adult website YouPorn. The messages claim that a sexually explicit video of the recipient has been uploaded to the site and that payment is required to have it removed; if no payment is made, the video will be published on the site in 7 days. The recipient is told that no action is needed if they approved the upload, and that an unapproved upload can be removed free of charge; in practice, however, no free option is offered. The recipient must pay and sign up for "privacy protection", with the options offered costing from $199 to $1,399.

Scammers have also diversified beyond standard sextortion and run a range of scams using similar tactics. These include impersonating law enforcement agencies, claiming that illegal activity has been detected and that payment is required to close an investigation or to avoid pending legal action. Some scammers have even claimed to be hitmen and say the contract will be cancelled if payment is made.

These scams cause considerable stress and fear, and many victims pay because they are afraid of the consequences should the threats be real. If you receive one of these emails, the best course of action is to delete it and not engage with the scammer: the threats are empty, and there are no videos or images. Paying or replying only confirms to the scammer that the address belongs to someone worth targeting again.

A worrying new type of sextortion scam is gaining traction in which the threats are real and the consequences can be devastating for victims. Targeted individuals are extorted with threats to publish explicit material created with deepfake technology, in which the victim's face has been superimposed on genuine pornographic content. The source images are often taken from social media profiles and, according to a recent warning from the Federal Bureau of Investigation (FBI), are also obtained by scammers who convince people to send them sexually explicit photographs. These attacks are still much less common than the standard email scams, but there are fears they will increase as deepfake technology becomes more accessible and affordable. Once such material has been uploaded to online sites it can be very difficult to remove. If you are targeted with one of these scams, it is vital that you report it to law enforcement.

Fake AI Chatbots Used for Phishing and Malware Distribution

There is growing evidence that cybercriminals are leveraging AI chatbots for purposes such as phishing. Chatbots such as ChatGPT generate text that is grammatically correct and free of spelling mistakes, and they can produce convincing content for social engineering and phishing. AI-generated phishing content can be very difficult to identify as malicious, since it lacks many of the tell-tale signs of a phishing email. While AI chatbots certainly have the potential to change the phishing landscape, generating lures is not the only way cybercriminals are exploiting them.

Chatbots such as ChatGPT have proven incredibly popular, and many companies have rushed to release their own. With multiple chatbots available and high demand for these tools, phishers have taken advantage by creating websites offering fake AI chatbots. These sites claim their chatbot is even more advanced than ChatGPT, and that anyone can use it to get rich quick, or that businesses can use it to handle customer service inquiries and eliminate expensive human labor.

Links to these websites are sent in phishing emails promoting the new tools. If the link is clicked, the user is taken to a site that asks them to register and disclose sensitive information, or to download a chatbot app. The app is Trojan malware: a remote access Trojan that gives the attacker control of the device, spyware or a keylogger that steals personal information and credentials, or another malware payload.

AI chatbots are incredibly expensive to develop and train: analysts estimate the cost of training one of these models at $4 million or more, and ChatGPT's running costs have been estimated at around $700,000 per day. New chatbots also attract considerable media attention, so the release of one that is genuinely better than ChatGPT is unlikely to fly under the radar. If you receive an unsolicited email offering a new AI chatbot, it is most likely a scam.

You could check when the website's domain was registered, look for contact information on the site, or do a quick Google search for news coverage of the product. The best course of action, however, is to delete the email or report it to your security team. If you want to use an AI chatbot, use one of the reputable services such as ChatGPT, Microsoft's Bing, or Google's Bard.
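The checks above can be automated before anyone clicks. The script below is an added example, not TitanHQ code: it pulls the links out of a suspicious "new chatbot" email and flags each one for a newly registered domain, a brand name buried inside an unrelated domain, link text that names a different domain than the href, and a direct executable download. The email body, the WHOIS creation dates and the brand list are constructed stand-ins; in practice the dates would come from a live lookup such as the `whois` command.

```python
"""Triage links in a 'new AI chatbot' email before anyone clicks.

Added example; not TitanHQ code. The email body and the WHOIS creation dates
are constructed stand-ins: in practice the dates come from a live lookup
(for example the `whois` command) and the brand list from your own policy.
"""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample email promoting a fake chatbot (not a real campaign).
SAMPLE_EMAIL = """
<p>Try <a href="https://chat-gpt5-pro.example/signup?ref=mail">SuperChat AI</a>,
smarter than ChatGPT! Or get the desktop app from
<a href="http://openai.com.download-now.example/app.exe">openai.com</a></p>
"""

# Constructed WHOIS creation dates standing in for live lookups.
FAKE_WHOIS = {
    "chat-gpt5-pro.example": date(2023, 4, 20),
    "download-now.example": date(2023, 4, 28),
    "openai.com": date(2015, 4, 16),
}
SAMPLE_TODAY = date(2023, 5, 1)  # constructed "now" so the example is deterministic

# Assumed list: brand names that should never appear inside an unrelated domain.
BRANDS = ("openai.com", "chatgpt")

HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough here; real code should
    consult the Public Suffix List so 'example.co.uk' is handled."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def triage_links(html: str, whois: dict, today: date, max_age_days: int = 30) -> list:
    """Return one finding per link with the reasons it looks suspicious."""
    findings = []
    for href, text in HREF_RE.findall(html):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        domain = registrable_domain(host)
        reasons = []

        created = whois.get(domain)
        if created is None:
            reasons.append("no WHOIS record")
        elif (today - created).days < max_age_days:
            reasons.append(f"domain registered {(today - created).days} days ago")

        # A brand name used as a subdomain (or label) of some other registrable domain.
        if any(b in host and domain != b for b in BRANDS):
            reasons.append("brand name inside unrelated domain")

        # Link text that names a domain different from where the href actually goes.
        m = DOMAIN_IN_TEXT_RE.search(text)
        if m and registrable_domain(m.group(0)) != domain:
            reasons.append("link text domain differs from href")

        if parsed.path.lower().endswith((".exe", ".msi", ".apk", ".zip")):
            reasons.append("direct executable download")

        findings.append({"href": href, "domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL, FAKE_WHOIS, SAMPLE_TODAY):
        print(f["href"], "->", "; ".join(f["reasons"]) or "no findings")
```

Domain age alone is a weak signal (legitimate product launches also use fresh domains), which is why the script reports reasons rather than a verdict: a link that trips three or four of them at once is the one to escalate.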

Cybercriminals also use other methods to drive traffic to their malicious websites, including malicious Google Ads. "Malvertising" for malware delivery and phishing has increased in recent months, with malicious ads used to send traffic to attacker-controlled websites. While these adverts are often identified and taken down by Google quickly, they need not be active for long to drive large amounts of traffic to malicious sites. Businesses can protect against these attacks with a web filter such as WebTitan. For consumers, the same advice applies as for phishing: be very cautious, and if an offer seems too good to be true, it is most likely a scam.

Given the popularity of AI chatbots, businesses should consider adding chatbot-related lures to their phishing simulations to see how many employees click the links. This is easy to do with the SafeTitan security awareness training and phishing simulation platform: any employee who clicks the link in a simulated email is automatically given training content relevant to that threat. With this intervention training, employees are more likely to recognize and avoid a similar email the next time one arrives. For more information on SafeTitan, contact the TitanHQ team.

TitanHQ Announces Addition of Predictive Threat Detection to SpamTitan Plus

SpamTitan Plus from TitanHQ has the most extensive coverage of any anti-phishing product. It now also has enhanced predictive capabilities to block automated bot campaigns and personalized phishing URLs.  

In December 2021, TitanHQ launched SpamTitan Plus, its most advanced anti-phishing solution to date. SpamTitan Plus is an AI-driven solution that independent tests have shown to offer better coverage than any other anti-phishing product. It is fed clickstream traffic from more than 600 million endpoints worldwide and covers 100% of the current market-leading anti-phishing feeds. Independent tests have shown SpamTitan Plus delivers 1.5x more phishing detections and up to 1.6x faster detection than the current market-leading anti-phishing solutions. Every day it blocks more than 10 million new, never-before-seen phishing and malicious URLs, and it takes just 5 minutes from detection of a new malicious URL for all users of the solution to be protected.

The solution rewrites all URLs and provides click-time protection against malicious links. If a link is benign at delivery, which lets it evade email security defenses, and is only weaponized afterwards, most anti-phishing solutions will not block it; click-time protection ensures SpamTitan Plus identifies and blocks the threat at the moment the link is clicked. SpamTitan Plus follows all redirects, identifies spoofed sites in real time, scans for phishing kits and login pages, and prevents users from visiting websites used for phishing and malware distribution.
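The mechanism behind click-time protection is easy to show in code. The block below is an added example, not SpamTitan's implementation: at delivery each link is rewritten to point at a gateway (an assumed host) together with an HMAC over the original URL, and when the user clicks, the gateway verifies the signature and re-evaluates the destination's reputation at that moment. The signing key, gateway address and sample message are assumptions, and the reputation source is a callable so the example runs offline.

```python
"""Click-time protection by URL rewriting.

Added example; not SpamTitan's implementation. Every absolute link in the
message is rewritten at delivery to a signed gateway URL. On click, the
gateway checks the HMAC (so the wrapped destination cannot be swapped) and
then consults reputation *now*, catching links that were benign at delivery
and weaponized later. GATEWAY and SIGNING_KEY are assumptions.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://clicks.gateway.example/go"         # assumed gateway endpoint
SIGNING_KEY = b"replace-with-a-per-tenant-secret"     # assumed key, held server-side only

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)


def _sign(url: str) -> str:
    mac = hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def rewrite_url(url: str) -> str:
    """Wrap one destination URL in a signed gateway link."""
    return f"{GATEWAY}?u={quote(url, safe='')}&sig={_sign(url)}"


def rewrite_links(html: str) -> str:
    """Rewrite every absolute http(s) href in an HTML body at delivery time."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_url(m.group(1))}"', html)


def resolve_click(gateway_url: str, is_malicious) -> tuple:
    """Gateway-side handler run when the user clicks.

    Returns ("reject", reason) if the link was tampered with,
    ("block", url) if the destination is malicious at click time,
    otherwise ("allow", url) so the gateway can redirect.
    """
    params = parse_qs(urlparse(gateway_url).query)
    url = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return ("reject", "bad signature")
    host = urlparse(url).hostname or ""
    if is_malicious(host):
        return ("block", url)
    return ("allow", url)


# Constructed message: the link is benign when the email is delivered.
SAMPLE_HTML = '<p>Please <a href="https://docs-share.example/invoice/884">review</a>.</p>'


def first_gateway_link(html: str) -> str:
    """Convenience for the demo: the first (rewritten) href in the body."""
    return re.search(r'href="([^"]+)"', html).group(1)


if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE_HTML)
    link = first_gateway_link(delivered)
    print(resolve_click(link, lambda h: False))                        # allowed at first
    print(resolve_click(link, lambda h: h == "docs-share.example"))    # blocked once it turns bad
    print(resolve_click(link.replace("docs-share", "evil"), lambda h: False))  # tampering rejected
```

Two practical points: the gateway should do its own redirect-following and page scan at click time rather than trusting a cached verdict, and the signature matters because without it the gateway becomes an open redirector that attackers can use to lend their links a trusted hostname.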

TitanHQ has recently upgraded SpamTitan Plus to significantly improve its predictive phishing detection. Phishers constantly change their tactics, techniques, and procedures to evade security solutions, and one newer tactic is the use of personalized URLs. Rather than using the same URL in every email of a campaign, the URLs are generated programmatically so that each victim receives a unique link, differing at the path or query-parameter level. Because every URL is unique, standard anti-phishing solutions that match known-bad URLs are ineffective: when one URL is detected and blocked for all users, the other recipients remain unprotected, because every other email in the campaign uses a different URL.
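The defensive idea is to stop matching exact URLs and instead match the campaign's template. The block below is an added example, not SpamTitan's detection logic: it collapses per-victim tokens in the path (detected by a hex or entropy heuristic) and all query-string values to a placeholder, so every link in a campaign reduces to one template that can be blocked once. The URLs and the entropy threshold are constructed for the example.

```python
"""Campaign-level templating of per-victim phishing URLs.

Added example; not SpamTitan's detection logic. Personalized links differ only
in a per-recipient token in the path or query string, so exact-match blocking
of one URL protects nobody else. Replacing high-entropy segments and all query
values with a placeholder turns every URL in the campaign into the same
template, which can then be blocked once. Thresholds are assumptions.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlparse

HEX_RE = re.compile(r"[0-9a-f]{8,}", re.I)


def _entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_token(segment: str) -> bool:
    """Heuristic: does this path segment look like a per-victim token rather than a page name?"""
    if "@" in segment or HEX_RE.fullmatch(segment):
        return True
    return len(segment) >= 8 and any(ch.isdigit() for ch in segment) and _entropy(segment) > 3.0


def template(url: str) -> str:
    """Collapse one URL to its campaign template."""
    p = urlparse(url)
    path = "/".join("{tok}" if _is_token(seg) else seg for seg in p.path.split("/"))
    # Keep query parameter *names* (they identify the kit) but drop their per-victim values.
    keys = sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True))
    query = "?" + "&".join(f"{k}={{tok}}" for k in keys) if keys else ""
    return f"{p.scheme}://{(p.hostname or '').lower()}{path}{query}"


def cluster(urls) -> dict:
    """Group URLs by template: one campaign, one key."""
    groups = defaultdict(list)
    for u in urls:
        groups[template(u)].append(u)
    return dict(groups)


def same_campaign(known_bad: str, candidate: str) -> bool:
    """Would blocking known_bad's template also stop candidate?"""
    return template(known_bad) == template(candidate)


# Constructed URLs: three per-victim links from one campaign plus an unrelated page on the same host.
SAMPLE_URLS = [
    "https://secure-mail-update.example/verify/a1b2c3d4e5f6a7b8/?u=alice%40corp.example&t=17123",
    "https://secure-mail-update.example/verify/9f8e7d6c5b4a3f2e/?u=bob%40corp.example&t=17124",
    "https://secure-mail-update.example/verify/0011223344556677/?t=17125&u=carol%40corp.example",
    "https://secure-mail-update.example/help/faq",
]

if __name__ == "__main__":
    for tmpl, members in cluster(SAMPLE_URLS).items():
        print(f"{len(members)} x {tmpl}")
```

The caveat is over-generalization: legitimate per-user links (password resets, unsubscribe links, document shares) template in exactly the same way, so a template match should trigger a scan or a warning page rather than an unconditional block, and is safest when keyed to a host already seen in a confirmed campaign.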

The latest predictive functionality added to SpamTitan Plus detects and blocks automated bot phishing campaigns and personalized URL attacks. “With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing. At TitanHQ we always strive to innovate and develop solutions that solve real security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals,” said Ronan Kavanagh, CEO, TitanHQ.

European & US Banks Under Attack from SharkBot Android Banking Trojan

SharkBot, a new Android banking Trojan, has been discovered in campaigns designed to steal money from bank accounts and cryptocurrency services in the United States, the United Kingdom, and Italy, among other locations. It targets 27 financial institutions: 22 banks and 5 cryptocurrency apps.

This malware differs from other mobile banking Trojans in its use of an Automatic Transfer System (ATS) technique that bypasses multi-factor authentication and automates the theft of money from victims' accounts. No human input is required: SharkBot auto-completes the fields needed to submit a financial transaction from within the legitimate banking app.

SharkBot can intercept text messages, including those carrying bank multi-factor authentication codes, and hide them so that it appears they were never received. It can also conduct overlay attacks, in which a benign-looking screen is drawn over a legitimate application to trick the user into entering credentials or granting permissions. SharkBot also includes a keylogger and exfiltrates captured data to the attacker's command-and-control (C2) server, and it bypasses Android's Doze battery-optimization mode so that it stays connected to its C2 servers.

During setup the user is bombarded with pop-ups asking them to grant the malicious app the permissions it requires, and the pop-ups only stop once the user grants them, most importantly access to Accessibility Services. Once installed, the app's icon is not shown on the home screen, and the malware abuses Accessibility Services to stop users from removing it via Settings.

The ATS technique lets the malware redirect payments. When a user attempts a financial transaction, the transaction fields are auto-filled to direct the payment to an attacker-controlled account without the user being aware of it.

The malware was analyzed by researchers at Cleafy, who found no similarities with known malware families. Because it has been written from scratch, it currently has a low detection rate. The researchers believe the malware is still at an early stage of development, and new capabilities may well be added to make it even more dangerous.

One of the main challenges for developers of Android malware is getting it onto devices. Google checks all apps before they are listed in the Google Play Store, so getting a malicious app onto the Play Store is difficult, and on the occasions when one does make it in, Google is usually quick to identify and remove it.

SharkBot has been seen masquerading as a range of apps, including an HD media player, a data recovery app, and a live TV streaming app. It is delivered by sideloading, including on rooted devices, and through social engineering on compromised or attacker-owned websites that trick victims into installing the fake app.

SharkBot evades detection and analysis by obfuscating its commands, by downloading its malicious modules only after installation, and by encrypting all communications between the malware and its C2 servers.
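The capabilities described above (Accessibility Services abuse, SMS interception, overlays, and the Doze bypass) leave a recognizable footprint in an app's manifest, which is the first thing an analyst looks at after unpacking a sideloaded APK. The script below is an added example, not Cleafy's tooling and not SharkBot's real manifest: it parses an `AndroidManifest.xml` as decoded by apktool or similar and scores the combination of indicators. Both manifests in it are constructed, and the scoring thresholds are an assumption for the example.

```python
"""Static triage of an Android manifest for the SharkBot capability pattern.

Added example; not Cleafy's tooling and not SharkBot's real manifest. It looks
for the combination the write-up describes: an Accessibility Service (drives
the UI, blocks uninstall, powers ATS), SMS access (reads or hides OTP codes),
the overlay permission (fake screens over banking apps) and a battery
optimization exemption (keeps the C2 connection alive through Doze).
Both manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
DOZE_PERMISSION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the indicators found and a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    binds_a11y = any(s.get(ANDROID + "permission") == A11Y_PERMISSION for s in root.iter("service"))

    indicators = {}
    if binds_a11y or A11Y_ACTION in actions:
        indicators["accessibility_service"] = "can click through prompts, block uninstall, drive ATS"
    if perms & SMS_PERMISSIONS or SMS_ACTION in actions:
        indicators["sms_access"] = "can read and suppress MFA codes"
    if OVERLAY_PERMISSION in perms:
        indicators["overlay"] = "can draw fake screens over banking apps"
    if DOZE_PERMISSION in perms:
        indicators["doze_exemption"] = "can keep the C2 connection alive in Doze"

    # Thresholds are an assumption for this example, not a published score.
    n = len(indicators)
    verdict = "high" if n >= 3 else "medium" if n == 2 else "low"
    return {"package": root.get("package"), "indicators": indicators, "verdict": verdict}


# Constructed manifest for a fake 'HD media player' that asks for the full set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hdplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="HD Media Player">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a plain media player that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Player"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], sorted(r["indicators"]))
```

None of these permissions is malicious on its own (a genuine SMS app needs `RECEIVE_SMS`, a screen reader needs an Accessibility Service); it is the combination in an app claiming to be a media player, delivered outside the Play Store, that warrants a closer look at the code.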

900% Increase in Ransomware Attacks During First Six Months of 2021

2021 has seen a massive spike in the number of ransomware campaigns.

According to research data from CybSafe, there was a 900% increase in ransomware attacks during the first half of 2021 compared with the same period of 2020. At the same time, the cost of the cybersecurity measures needed to keep organizations safe from these attacks has risen significantly, and cybercriminals have been demanding ever larger ransoms to release the encrypted data.

So far in 2021 there have been major ransomware attacks on many healthcare providers, including Ireland's Health Service Executive (HSE), raising concerns about the impact on patient care. The HSE attack began after a single employee responded to a phishing email from the Conti ransomware group, which allowed the attackers to encrypt files. Recovery took up to nine months, and the $20m ransom demand is not believed to have been paid.

There has been some success in holding ransomware groups to account. The U.S. government has elevated ransomware to the same priority as terrorism and dedicated more resources to tackling it. Successes so far include:

  • Taking down the REvil ransomware infrastructure
  • Dismantling the Darkside operation and BlackMatter
  • Arresting suspected members of the Clop ransomware group

Additionally, in Europe, authorities arrested twelve people believed to be involved in the LockerGoga, MegaCortex, and Dharma ransomware campaigns. These successes will have an impact in the short term, but it will not be long before another group, or a new ransomware strain, fills the vacuum. That is why organizations need to take steps to reduce the chance of being infiltrated by these cybercriminals in the first place.

Companies face a daunting challenge protecting themselves, given the wide variety of tactics attackers can use. The starting point should be tackling phishing emails head on, as they are the point of origin for the vast majority of ransomware attacks: the email is used either to deploy malware or to steal the credentials needed to access corporate networks and databases.

A solution like SpamTitan roots out malicious messages and stops them from landing in the inboxes of unsuspecting staff. Staff training helps, but it always needs to be backed up by a technical control like this. SpamTitan performs in-depth analysis of all email content and identifies malicious links and attachments, which are placed in a quarantine folder for review. This lets security teams see how threats are attempting to exploit the organization, and lets them identify false positives so that filtering rules can be tuned. The solution uses dual antivirus engines, sandboxing to analyze suspicious attachments and identify new malware strains, and machine learning so that spam filtering improves the longer it is used.

In the background, a wide range of checks and controls ensure that malicious messages are removed. Administrators manage this through a clean, easy-to-use interface that requires no specialist technical skills.

Contact the TitanHQ team now to find out more about this solution. TitanHQ solutions can be trialled for free.


Chromium-Based Web Browsers Vulnerable to Updated Magnitude Exploit Kit

Since they first appeared in 2006, exploit kits have evolved into the main weapon of choice for automated malware delivery.

These kits consist of code installed on websites that identifies and exploits known vulnerabilities. When a browser visits the site, the exploit kit fingerprints it and checks for specific software vulnerabilities that have not yet been patched; if one is found, the kit delivers a malware payload without any further interaction from the user.

This method of attack was widespread from 2010 to 2017, after which its use declined somewhat; however, exploit kits remain an active threat. The best-known kits are constantly refreshed with new exploits for known vulnerabilities. In recent years they have mainly been used to install ransomware: examples include the Fallout exploit kit, which was used to distribute Maze Locker ransomware, and the Magnitude EK, which has been used to spread ransomware in the Asia Pacific region since 2013.

Exploit kits are typically planted on legitimate websites that have been compromised, as well as on attacker-owned websites built to host them. Users can therefore land on an exploit kit page without realizing it.

One of the most active kits today is Magnitude EK. Previously it only targeted Internet Explorer, but it has now been updated to target Chromium-based browsers on Windows PCs.

Antivirus vendor Avast has revealed that Magnitude EK recently added two new exploits: one for a vulnerability in Google Chrome, CVE-2021-21224, and the other for a Windows kernel memory corruption vulnerability, CVE-2021-31956. Chained together, the Chrome remote code execution bug gives the attacker code execution inside the browser's sandboxed renderer process, and the Windows kernel bug is then used to escape the Chrome sandbox and obtain SYSTEM privileges.

Google and Microsoft have released patches for these vulnerabilities (Google in April 2021, Microsoft in June 2021), but the onus is on users to install the updates; otherwise it is only a matter of time before Magnitude EK exploits the weaknesses to install malware. For businesses, an additional layer of protection against this type of attack is a web filter. Web filters are similar to spam filters in that they block malware delivery from malicious websites, and they are one of the strongest anti-phishing measures available.

WebTitan, TitanHQ's web filter, was created to keep companies safe from these attacks and to manage web access for office-based and remote workers, a key feature for any tool designed to prevent browsers from visiting malicious websites. The solution is DNS-based and very straightforward to configure; it is in use by more than 12,000 businesses and MSPs for content filtering, malware prevention, and as an extra obstacle for phishers.

To enhance your defenses with WebTitan and block malware, contact the TitanHQ experts. A 100% free 14-day trial is also available so you can test the solution in your own environment.