How to Tackle Vishing and Smishing Attacks

Hacker use many tactics to steal details that they then use to remotely log onto corporate accounts, cloud services, and obtain access to business databases. Phishing is the most witnessed method, which is most commonly carried out over email.

Hackers design emails using a range of tricks to fool the recipient into visiting a malicious website where they must hand over credentials that are recorded and used by the hackers to remotely access the accounts.

Companies are now realizing the advantages of configuring an advanced spam filtering solution to prevent these phishing emails at source and ensure they do not land in inboxes. Advanced anti-spam and anti-phishing solutions will prevent practically all phishing attacks, so if you have yet to put in place such a solution or you are depending on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.

Phishing is not only carried out using email. Rather than using email to share the hook, many threat collectives use SMS or instant messaging services and increasing numbers of phishing campaigns are now being managed by telephone and these types of phishing attack are harder to prevent.

When phishing takes place via SMS messages it is known as Smishing. Instead of email, an SMS message is shared with a link that users are instructed to visit. Instant messaging platforms like WhatsApp are also used. A range of lures are in play, but it is typical for security alerts to be shared that warn the recipient about a fraudulent transaction or other security threat that depends on them them logging in to their account.

In December 2019, the U.S. Federal Bureau of Investigation (FBI) discovered a campaign where hackers were carrying out phishing campaigns using telephones – called vishing. Since then, the number of instances of vishing attacks has grown, leading to the FBI and the Cybersecurity and Infrastructure Security Agency to release a joint alert in the summer about a campaign aiming for remote workers. This month, the FBI has released another alert following a spike in vishing attacks on companies.

Hackers often target users with high levels of privileges, but not always. There has been an increasing trend for hackers to target every credential, so all users are in danger. Once one set of details is captured, efforts focus on elevating privileges and reconnaissance is carried out identify targets in the company with the level of permissions they need – I.e. permissions to perform email updates.

The hackers make VoIP calls to workers and convince them to view a webpage where they need to login. In one attack, a staff member of the firm was identified in the company’s chatroom, and was contacted and convinced to login to their group’s VPN on a fake VPN page. Credentials were obtained and used to carry outer connaissance.

How to Deal with Smishing and Vishing

Dealing with these types of phishing attacks requires a range of processes. As opposed to email phishing, these threats cannot be easily stopped at source. It is therefore crucial to cover these threats in security awareness training classes as well as warning about the dangers of email phishing.

A web filtering solution is ideal for preventing attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to manage the websites that staff members can access on their company phones and mobile devices and will supply protection no matter where an employee uses the Internet.

It is also crucial to configure multi-factor authentication to stop any stolen credentials from being implemented by hackers to remotely log on to accounts. The FBI also advises allowing network using the rule of least privilege: ensuring users are only allowed access to the resources they need for work projects. The FBI also advises regularly scanning and auditing user access rights allocated and reviewing any amendments in permissions.

Hackers Focused on Healthcare & Retail Sectors During 2020

During 2020, the healthcare sector was strongly concentrated on by groups of hackers who gained a benefit due to the pandemic as they attacked those dealing with hospitals administering care to those suffering from the disease.

A massive ransomware campaign targeted one of the biggest healthcare suppliers in the United States. Universal Health Services, an American Fortune 500 company which has a staff of 90,000 people and runs 400 acute care hospitals, was impacted by a huge ransomware attack in September which damaged all of its hospitals. Staff were forced to work using pen and paper for three weeks while it repaired the damage by the attack.

Another illegal infiltration of the University of Vermont Medical Center databases during October impacted over 5,000 hospital computers and laptops and 1,300 servers. All devices had to be have their data removed and have software and data installed again, with the healthcare provider suffering downtime for longer than two months. During the retrieval process around $1.5 million was being lost per day to attack-linked expenses and lost business, with the total costs thought to be more than $64 million.

Ransomware attacks on the healthcare sector increased during September and October and continued to be an issue for the sector for the rest of the year. A research study by Tenable found that ransomware attacks accounted for 46% of all healthcare data breaches in 2020, displaying the extent to which the industry was focused on.

Most of these attacks included the exploitation of unpatched flaws, most commonly flaws in the Citrix ADC controller and Pulse Connect Secure VPN. Patches had been made available the beginning of the year to fix the vulnerabilities, but the patches had not been applied swiftly. Phishing emails also gave ransomware groups the access to healthcare networks they needed to carry out ransomware attacks. Check Point’s research shows there was a 45% increase in cyberattacks on the industry from the start of November to the conclusion of the year.

Another industry heavily targeted by hackers in 2020 was retail. As many different governments issued directives for citizens to remain home to curb the spread of the virus, online retailers saw a sales surge as shoppers made their purchases online rather than in physical stores. Experts at Salesforce saw that digital sales grew by 36% in 2020 compared to the previous year, and cybercriminals took advantage of the increase in digital sales.

Many methods were used to obtain access to retailers’ systems and websites, with the most witnessed tactic being web application attacks, which increased by 800% in 2020 according to the CDNetworks State of Web Security H1 2020 Report. Hackers also used details illegally taken in previous data breaches to attack online retail outlets in credential stuffing attacks, which Akamai’s tracking revealing the retail sector was the most focused on sector industry using this attack technique, account for around 90% of attacks.

As is typical every year, the large amounts of shoppers that head online to complete purchases in the run up to Black Friday and Cyber Monday were exploited, with phishing attacks linked to these shopping events increasing thirteenfold in the six-week time period before Black Friday. In November, 1 in every 826 emails was an online shopping related phishing campaign, as opposed to 1 in 11,000 in October, according to Check Point. Content management systems used by retailers were also targeted, and attacks on retail APIs also grew during 2020.

As 2021 begins, both sectors are likely to go on being heavily focused on. Ransomware and phishing attacks on healthcare suppliers could well grow now that vaccines are being rolled out, and with many consumers still choosing to buy online rather than in person, the retail sector looks set to have another bad 12-month period.

Luckily, by using cybersecurity best practices it is possible to obstruct most of these attacks. Patches need to be applied quickly, especially any flaws in remote access software, VPNs, or popular networking equipment, as those vulnerabilities are rapidly targeted.

An advanced anti-phishing solution needs to be configured to prevent phishing attacks at source and ensure that malicious messages do not land in inboxes. Multi-factor authentication should also be put in place on email accounts and remote access solutions to obstruct credential stuffing attacks.

A web filter is vital for preventing the web-based component of phishing and cyberattacks. Web filters stop staff members from accessing malicious websites and block malware/ ransomware installations and C2 callbacks. And for retail in particular, the use of web application firewalls, safeguard transaction processing, and the proper use of Transport Layer Security across a website (HTTPS) are crucial.

By adhering to cybersecurity best practices, healthcare suppliers, retailers, and other targeted sectors will make it much harder for hackers to gain a profit. TitanHQ can help with SpamTitan Email Security and WebTitan Web Security to safeguard against email and web-based attacks in 2021. To find out more on these two products and how you can use them to safeguard your databases, call TitanHQ now.

MineBridge Backdoor Being Installed in Phishing Campaign Targeting Windows Finger Utility

A phishing campaign has been discovered that targets the Windows Finger command to install a malware strain titled called MineBridge.

The Finger command in Windows can be launched by a local user to gather a list of users on a remote machine or, alternatively, to collect data in relation to a specific remote user. The Finger utility began in Linux and Unix operating systems but is also incorporated in Windows. The utility permits allows commands to be completed to see if a particular user is logged on, although this is now rarely employed.

There are also security issues with the finger utility, and it has been taken advantage of previously to ascertain basic information about users that can be targeted in social engineering attacks. Weaknesses in the finger protocol have also been exploited in the past by some malware strains.

Recently, security experts discovered Finger can be deployed as a LOLBin to install malware from a remote server or to remove data without resulting in security alerts being generated. Finger is now being used in at least one phishing campaign to install malware.

MineBridge malware is a Windows backdoor composed in C++ that has previously been deployed in attacks on South Korean businesses. The malware was initially discovered in December 2020 by experts at FireEye and in January 2020 many different campaigns were identified spreading the malware via phishing emails with malicious Word files.

The most recent campaign sees the hackers pretend to be a recruitment business. The email is a recommendation of an individual for consideration for a position at the targeted company. The sender recommends even if there are no current vacancies, the CV should be reviewed, and the individual considered. The email is well written and seems genuine.

As is typical in phishing attacks, if the document is clicked on a message will be shown that tells the user the document has been set up in an older version of Windows and to review the content the user must ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will gather and install a Base64 encoded certificate using the Finger command. The certificate is a malware installer that leverages DLL hijacking to sideload the MineBridge backdoor. Once in place, MineBridge will give the hacker control over an infected device and allow a range of malicious actions to be carried out.

It is simplest to prevent attacks like this by configuring an advanced spam filtering solution to block the dangerous emails and stop them from reaching inboxes. As an extra security measure against this and other campaigns that target the Finger.exe utility in Windows, admins should thin about turning off disabling finger.exe if it is never employed.

 

Most Impersonated Brand in Phishing Attacks is Microsoft

Is can be tricky for staff members to spot phishing scams as the attacks typically give a plausible reason for performing an action like downloading an update, so much so that the web portals provdied are practically indistinguishable from the real websites that the scammers spoof and credentials are commonly stolen.

The pandemic has seen growing numbers of employees working from home and logging onto their company’s cloud applications remotely. Companies are now much more dependent on email for communication than when staff members were all office based. Hackers have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been profitable.

Staff members are often given more training on cybersecurity and are warned to be wary of emails that have been sent from unrecognized people, but many still open the emails and take the desired action. The emails often pretend to bean individual that is known to the recipient, which increases the chances of that email being opened. It is also common for well known companies to be impersonated in phishing attacks, with the hackers leveraging trust in that brand.

A recent review of phishing emails by Check Point showed that the most commonly impersonated brand in phishing attacks over the past quarter is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands pretend to be Microsoft.

Microsoft details are then recorded in these attacks and are used to remotely log onto accounts. The data stored in a just one email account can be massive. There have been many healthcare phishing campaigns that have seen a single account compromised that included the sensitive data of tens of thousands or even hundreds of thousands of clients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the base they need for a much more in depth attack on the organization, often resulting in the theft of large amounts of data and ending with the sharing of ransomware.

Microsoft is far from the only brand impersonated. The review showed that DHL is the second most impersonated brand. DHL-based phishing attacks use failed delivery alerts and shipping notices as the lure to get individuals to either share sensitive information such as login details or open malicious email attachments that install malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target companies and especially during a pandemic when there is increased reliance on courier businesses.

Other well-known companies that are commonly impersonated include PayPal and Chase to obtain account details. LinkedIn to permit professional networking accounts to be infiltrated, and Google and Yahoo are commonly impersonated to obtain account details. Attacks spoofing Amazon, Rakuten, and IKEA also feature in the top 10 most spoofed brand list.

Phishers mostly aim for company users as their credentials are far more profitable. Businesses therefore need to ensure that their phishing security measures up to date. Security awareness training for employees is important but given the realistic danger of phishing emails and the plausibility of the lures deployed, it is crucial for more reliable measures to be implemented to prevent phishing attacks.

To better secure your company from phishing campaigns, a third-party spam filter should be layered on top of Office 365. SpamTitan has been designed to supply enhanced protection for businesses that use Office 365. The solution implements easily with Office 365 and the solution is easy to configure and manage. The result will be far better security from phishing campaigns and other malicious emails that employees struggle to recognize.

For more details on SpamTitan, to sign up for a free trial, and for details of pricing, give the TitanHQ team a call now.

QRAT Malware Being Delivered by Trump-Themed Phishing Emails

The Qnode Remote Access Trojan (QRAT) is currently being distributed via a Trump-themed phishing campaign, masked as a video file that claims to be a Donald Trump sex tape.

A Java-based RAT, QRAT was initially witnessed during 2015 that has been used in many different phishing campaigns over the years, with a vast increase in distribution witnessed since August 2020. Interestingly, the malicious file attachment – titled “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no resemblance to the phishing email body and subject line, which provides a loan offer for an investment for a dream project or business strategy. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be supplied if there is a good return on the investment and between $500,000 and $100 million can be provided. It is not mentioned whether a mistake has been made and the wrong file attachment was placed in the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are trick to fool many end users, there may be sufficient interest in the video to spark the interest of some recipients.

The phishing campaign seems to be poorly composed, but the same cannot be said of the malware the campaign is trying to infiltrate networks with. The recent version of QRAT shared in this campaign is more sophisticated than earlier witnessed versions, with several enhancements made to bypass security solutions. For example, the malicious code deployed as the QRAT downloader is obfuscated and split across many different buffers inside the .jar file.

Phishing campaigns often aim for interest in topical new stories and the Presidential election, claims of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is possible that this will not be the only Trump-themed phishing campaign to be carried out over the coming days and months.

This campaign seems to be concentrated on companies, where the potential profits from a malware infection is likely to be far greater than an attack on consumers. Blocking threats such as this is simplest with an advanced email security solution capable of detecting known and new malware strains.

SpamTitan is an strong, inexpensive spam filtering for businesses and the leading cloud-based spam filter for managed service providers for the SMB sector. SpamTitan uses dual anti-virus engines to spot known malware threats, and a Bitdefender-powered sandbox to spot zero-day malware. The solution also supports the blocking of dangerous file types such as JARs and other executable files.

SpamTitan is excellent for preventing phishing emails without malicious attachments, including emails with hyperlinks to malicious web pages. The solution has many threat detection features that can spot and block spam and email impersonation attacks and machine learning technology and different multiple threat intelligence feeds that provide protection against zero-minute phishing campaigns.

One of the chief reasons why the solution is such as popular option for SMBs and MSPs is simple installation, use, and management. SpamTitan removes the complexity from email security to permit IT teams to focus on other key duties.

SpamTitan is the most highly rates solution on review sites such as Capterra, GetApp and Software Advice, is a top three solution in the three email security classifications on Expert Insights and has been a market  leader in the G2 Email Security grids for 10 consecutive quarters.

If you would like a spam filtering solution that is strong and simple to deploy, give the TitanHQ team a call to set up a free trial of SpamTitan.

Emotet Botnet Springs Back to Life and Delivers TrickBot Christmas Present

The Emotet botnet is back up and running, after an right-week absences, and has been witnessed carrying out a phishing email campaign that is sharing between 100,000 and 50,0000 emails to recipients daily.

Emotet was first tracked during 2014 and began life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now famous as a malware downloader that is used to send a range of secondary payloads. The malware payloads it sends also act as malware downloaders, so infection with Emotet often leads to multiple malware infections, with ransomware often shared as the final payload.

Once Emotet is downloaded on an endpoint it is added to the Emotet botnet and is used for spam and phishing attacks. Emotet sends copies of itself using email to the user’s contacts along with other self-propagation mechanisms to infiltrate other computers on the network. Emotet can be complex to remove from the network. Once one computer is managed, it is often reinfected by other infected computers on the network.

Emotet often goes inactive for many weeks or even months, but even with long gaps in operations, Emotet is still the chief malware threat. Emotet went dormant around February 2020, with activity back live five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it came back in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads like as Qakbot and ZLoader.

During the periods of inactivity, the threat actors responsible for the malware are not necessarily inactive, they just halt their distribution campaigns. During the breaks they update their malware and came back with a new and improved version that is more effective at evading security measures.

The most recent campaign uses similar tactics to past campaigns to maximize the probability of end users clicking on a malicious Office document. The phishing emails are usually personalized to make them look more authentic, with Emotet using hijacked message threats with malicious content included. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a better chance that the recipient will open the email attachment or click a malicious URL.

This campaign targets password-protected files, with the password to open the file supplied in the message text of the email. Since email security solutions cannot open these files, it is more likely that they will be sent to inboxes. The malicious documents shared in this campaign contain malicious macros. If the macros are turned on – which the user is told is necessary to view the content of the document – Emotet will be installed, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant like as Ryuk.

Earlier campaigns have not shown any additional content when the macros are turned on; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an mistake opening the file. This is likely to make the user think that the Word document has been corrupted. A variety of themes are used for the emails, with the most recent campaign using holiday season and COVID-19 related lures.

A review by Cofense identified several changes in the most recent campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been amended and now uses binary data rather than plain text, both of which make the malware harder to spot

Firms need to be particularly careful and should act swiftly if infections are detected and should take steps to ensure their networks are safeguarded with anti-virus software, security policies, spam filters, and web filters.