Is DNS Filtering an Effective Solution?

When you browse online you have to contend with a wide range of threats, some of which could lead to your bank account being emptied, sensitive information being exposed, or your accounts being compromised. Then there is ransomware, which could prevent you from accessing your files should you not have backups or opt not to pay the ransom.

The majority of websites now being created are malicious websites, so how can you stay safe online? One solution deployed by businesses and ISPs is the use of a web filter. A web filter can be set up to restrict access to certain categories of Internet content and block most malicious websites.

While it is possible for companies or ISPs to purchase appliances that are located between end users and the Internet, DNS filters allow the Internet to be filtered without having to buy any hardware or install any software. So how is DNS filtering operated?

How is DNS Filtering Operated?

DNS filtering – or Domain Name System filtering to give it its full name – is a technique for preventing access to certain websites, webpages, or IP addresses. DNS is what permits easy-to-remember domain names to be used – such as Wikipedia.com – rather than typing in IP addresses – such as 198.35.26.96. DNS maps domain names to IP addresses.

When a domain is bought from a domain registrar and that domain is hosted, it is given a unique IP address that allows the site to be found. When you try to access a website, a DNS query is carried out. Your DNS server looks up the IP address of the domain/webpage, which permits a connection to be made between the browser and the server where the website is hosted. The webpage is then opened.

So how does DNS filtering operate? With DNS filtering set up, rather than the DNS server simply returning the IP address if the website exists, the request is first subjected to certain security checks. If a particular webpage or IP address is recognized as malicious, the request to access the site is denied. Instead of connecting to the website, the user is sent to a local IP address that displays a block page explaining that the site cannot be opened.

This control could be implemented at the router level, via your ISP, or by a third party – a web filtering service provider. In the case of the latter, the user – a business for example – points their DNS to the service provider. That service provider keeps a blacklist of malicious webpages/IP addresses, and access to any site on that list is prevented.

Since the service provider will also group webpages, the DNS filter can also be implemented to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for example. Provided a business sets up an acceptable usage policy (AUP) and sets that policy with the service provider, the AUP will be live. Since DNS filtering is low-latency, there will be next to no delay in logging onto safe websites that do not breach an organization’s acceptable Internet usage policies.

Can a DNS Filter Prevent Access to All Malicious Websites?

Sadly, no DNS filtering solution will stop access to all malicious websites, as in order for this to be accomplished, a webpage must first be identified as malicious. If a cybercriminal creates a brand-new phishing webpage, there will be a delay between the page being set up and it being reviewed and added to a blocklist. However, a DNS web filter will prevent access to the majority of malicious websites.
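The mechanism described above (blocklist and category checks at the resolver, a local block-page address returned instead of the real one) and the gap just noted (a brand-new phishing domain that no list has caught yet) are demonstrated below in a toy filtering resolver. This is an added example, not code from the original post or from any TitanHQ product; the upstream lookup table, the blocklist, the category map, the `.test` domain names and the block-page address 10.0.0.53 are all constructed stand-ins.

```python
"""Toy DNS filtering resolver: the policy check a filtering DNS service
performs before answering a lookup (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

BLOCK_PAGE_IP = "10.0.0.53"  # constructed: LAN host that serves the block page

# Constructed stand-in for the upstream lookup a real resolver would make.
# "fresh-phish-example.test" is a brand-new site that no list has caught yet.
UPSTREAM: Dict[str, str] = {
    "wikipedia.com": "198.35.26.96",
    "evil-example.test": "203.0.113.10",
    "login.evil-example.test": "203.0.113.11",
    "casino-example.test": "203.0.113.20",
    "files.share-example.test": "203.0.113.30",
    "fresh-phish-example.test": "203.0.113.40",
}

# Constructed provider data: known-malicious domains and a category map.
BLOCKLIST: Set[str] = {"evil-example.test"}
CATEGORIES: Dict[str, str] = {
    "casino-example.test": "gambling",
    "share-example.test": "file-sharing",
    "wikipedia.com": "reference",
}


@dataclass
class Verdict:
    domain: str
    answer: Optional[str]  # address returned to the client; None means NXDOMAIN
    blocked: bool
    reason: str


@dataclass
class FilteringResolver:
    upstream: Dict[str, str]
    blocklist: Set[str]
    categories: Dict[str, str]
    blocked_categories: Set[str]  # the organisation's AUP, enforced at the resolver
    block_page_ip: str = BLOCK_PAGE_IP
    log: List[Verdict] = field(default_factory=list)

    @staticmethod
    def suffixes(domain: str) -> Iterator[str]:
        """Yield the name and each parent domain (but not the bare TLD), so a
        listing for evil-example.test also covers login.evil-example.test."""
        labels = domain.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            yield ".".join(labels[i:])

    def policy(self, domain: str):
        """Blocklist first, then category policy. Returns (blocked, reason)."""
        for name in self.suffixes(domain):
            if name in self.blocklist:
                return True, f"blocklist:{name}"
            category = self.categories.get(name)
            if category in self.blocked_categories:
                return True, f"category:{category}"
        return False, "allowed"

    def resolve(self, domain: str) -> Verdict:
        """Answer a query: the block-page address for policy hits, otherwise the
        upstream answer (or NXDOMAIN). Every decision is logged for review."""
        blocked, reason = self.policy(domain)
        if blocked:
            verdict = Verdict(domain, self.block_page_ip, True, reason)
        elif domain in self.upstream:
            verdict = Verdict(domain, self.upstream[domain], False, reason)
        else:
            verdict = Verdict(domain, None, False, "nxdomain")
        self.log.append(verdict)
        return verdict

    def blocked_report(self) -> List[tuple]:
        """Blocked lookups: what an admin reviews for AUP breaches or infections."""
        return [(v.domain, v.reason) for v in self.log if v.blocked]


def demo() -> FilteringResolver:
    resolver = FilteringResolver(UPSTREAM, BLOCKLIST, CATEGORIES,
                                 blocked_categories={"gambling", "file-sharing"})
    for name in ("wikipedia.com", "login.evil-example.test",
                 "files.share-example.test", "fresh-phish-example.test",
                 "nonexistent-example.test"):
        v = resolver.resolve(name)
        print(f"{name:28} -> {str(v.answer):14} blocked={v.blocked} ({v.reason})")
    return resolver


if __name__ == "__main__":
    demo()
```

Two points worth noticing when running it: the unlisted `fresh-phish-example.test` resolves normally, which is exactly the window between a page going live and it being added to a blocklist, and the resolver's own log of blocked lookups is the place to look for a client that keeps hitting blocked names, which is often the first sign of an infection or of a user probing the policy.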

Can DNS Filtering be Avoided?

Proxy servers and anonymizer sites could be deployed to mask traffic and bypass the DNS filter unless the chosen solution also prevents access to these anonymizer sites. An end user could also manually amend their DNS settings locally unless they have been locked down. Determined persons may be able to find a way to bypass DNS filtering, but for the majority of end users, a DNS filter will block any effort to access forbidden or harmful website material.

No single cybersecurity solution will let you block 100% of malicious websites, but DNS filtering should definitely form part of your cybersecurity operations, as it will allow most malicious sites and malware to be blocked.


Main Top Phishing Lures of 2018

Phishing is the most serious security threat faced by companies. It is a tried and tested social engineering tactic favored by hackers because it is very effective.

Phishing emails can be used to trick device users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network and conduct further phishing attacks on a company.

Phishing works because it targets the weakest link in security defenses: end users. If an email reaches an inbox, there is a good chance it will be opened. Messages use a variety of sneaky tricks to fool end users into taking a specific action, such as opening a malicious email attachment or visiting an embedded hyperlink.

Listed here are the main phishing lures of 2018: the messages that have proven most successful at getting end users to divulge sensitive information or download malware.

Main Phishing Lures of 2018

Identifying the top phishing lures is not straightforward. Many groups are obligated to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have tricked employees are not usually made available for public consumption.

Instead, the best way to identify the top phishing lures is to study data from security awareness training companies. These companies have developed platforms that businesses can use to conduct phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge amounts of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and record responses, they are useful for identifying the most effective phishing lures.

In recent weeks, two security awareness training businesses have released reports detailing the top phishing lures of 2018: Cofense and KnowBe4.

Main Phishing Lures on the Cofense Platform

Cofense has developed two lists of the top phishing lures of 2018. One uses the Cofense Intelligence platform which collates data on real phishing attacks and the second list is compiled from reactions to phishing simulations.

Both lists are dominated by phishing attacks involving fake invoices. 70% of the most effective phishing campaigns of 2018 mentioned an invoice in the subject line. The other three were also linked to finance: payment remittance, statement and payment. This makes sense, as the finance department is the primary target in phishing attacks on companies.

The list of the main phishing lures from phishing simulations was also heavily dominated by fake invoices, which outnumbered the second most clicked phishing lure by two to one.

| Rank | Phishing Subject/Theme | Number of Reported Emails |
|---|---|---|
| 1 | Attached Invoice | 4,796 |
| 2 | Payment Notification | 2,267 |
| 3 | New Message in Mailbox | 2,088 |
| 4 | Online Order (Attachment) | 679 |
| 5 | Fax Message | 629 |
| 6 | Secure Message (MS Office Macro) | 408 |
| 7 | Online Order (Hyperlink) | 399 |
| 8 | Confidential Scanned Document (Attachment) | 330 |
| 9 | Conversational Wire Transfer (BEC Scam) | 278 |
| 10 | Bill Copy | 251 |


Main Phishing Lures on the KnowBe4 Platform

KnowBe4 has published two lists of the main phishing lures of Q3, 2018, which were created using responses to simulated phishing emails and real-world phishing attempts on companies that were reported to IT security departments.

The most common real-world phishing attacks recorded in Q3 were:

| Rank | Subject |
|---|---|
| 1 | You have a new encrypted message |
| 2 | IT: Syncing Error – Returned incoming messages |
| 3 | HR: Contact information |
| 4 | FedEx: Sorry we missed you. |
| 5 | Microsoft: Multiple log in attempts |
| 6 | IT: IMPORTANT – NEW SERVER BACKUP |
| 7 | Wells Fargo: Irregular Activities Detected on Your Credit Card |
| 8 | LinkedIn: Your account is at risk! |
| 9 | Microsoft/Office 365: [Reminder]: your secured message |
| 10 | Coinbase: Your cryptocurrency wallet: Two-factor settings changed |


The most commonly clicked phishing tricks in Q3 were:

| Rank | Subject | % of Emails Clicked |
|---|---|---|
| 1 | Password Check Required Immediately | 34% |
| 2 | You Have a New Voicemail | 13% |
| 3 | Your order is on the way | 11% |
| 4 | Change of Password Required Immediately | 9% |
| 5 | De-activation of [[email]] in Process | 8% |
| 6 | UPS Label Delivery 1ZBE312TNY00015011 | 6% |
| 7 | Revised Vacation & Sick Time Policy | 6% |
| 8 | You’ve received a Document for Signature | 5% |
| 9 | Spam Notification: 1 New Messages | 4% |
| 10 | [ACTION REQUIRED] – Potential Acceptable Use Violation | 4% |


Blocking Phishing Attacks at their Source

If login details for email accounts, Office 365, Dropbox, and other cloud services are obtained by scammers, the accounts can be plundered. Sensitive information can be illegally taken and Office 365/email accounts can be used for further phishing attacks on other workers. If malware is downloaded, scammers can gain full control of infected devices. The cost of addressing these attacks is massive and a successful phishing attack can seriously harm a company’s reputation.

Due to the damage that can be inflicted through phishing, it is essential for companies of all sizes to train staff how to identify phishing threats and put in place a system that allows suspicious emails to be reported to security teams swiftly. Resilience to phishing attacks can be greatly enhanced with an effective training program and phishing email simulations. It is also essential to implement an effective email security solution that blocks threats and ensures they do not land in inboxes.

SpamTitan is one such solution. It is an easy-to-configure email filtering solution that prevents more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan securing inboxes, businesses are less reliant on their employees’ ability to spot phishing threats.

SpamTitan rigorously checks every incoming email to determine whether a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also checks outbound emails to ensure that, should an email account be compromised, it cannot be used to send spam and phishing emails internally or to clients and contacts, helping to safeguard the reputation of the business.

Strengthen Office 365 Email Security with SpamTitan

There are in excess of 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for scammers. One of the chief ways that Office 365 credentials are obtained is via phishing. Emails are designed to get around Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where details are harvested.

Companies that have configured Office 365 are likely to still see a huge rise in the number of malicious emails delivered to inboxes. To strengthen Office 365 security, a third-party email filtering control is needed. If SpamTitan is set up with Office 365, a higher percentage of phishing emails and other email threats can be prevented at source.

To discover more about SpamTitan, including details of pricing and to register for a free trial, get in touch with the TitanHQ team today.

HookAds Malvertising Campaign Bringing Users to Website with Banking Trojans, Info Stealers & Ransomware

One of the main tactics cybercriminals use to install malware is malvertising – the displaying of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example, and the threat actors responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim: to bring browsers to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor lands on a web page. The visitor’s computer is probed to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are reviewed for many known Windows flaws. If one is found, it is exploited and a malicious payload is installed. Several malware variants are currently being sent through Fallout, including information stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been discovered: One is being used to send the DanaBot banking Trojan and the other is sending two malware payloads – The Nocturnal information stealer and GlobeImposter ransomware through the Fallout exploit kit.

Exploit kits can only be used to send malware to unpatched devices, so companies will only be at risk from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many companies are slow to apply patches, and exploits for new vulnerabilities are frequently added to EKs such as Fallout. Due to this, a security solution is required to block this attack vector.

HookAds Malvertising Campaign Emphasises Importance of a Web Filter

The threat actors behind the HookAds malvertising campaign are taking advantage of the low prices offered for advertising blocks on websites by low-quality ad networks – those frequently used by owners of online gaming websites, adult sites, and other types of websites that should not be viewed by employees. While the site owners themselves are not actively engaging with the threat actors responsible for the campaign, the malicious adverts are still served on their websites along with legitimate ads. Luckily, there is an easy solution that blocks EK activity: a web filter.

TitanHQ has created WebTitan to allow companies to carefully manage employee Internet access. Once WebTitan has been installed – a quick and simple process that takes just a few minutes – the solution can be set up to quickly enforce acceptable Internet usage policies. Content can be blocked by category in seconds.

Access to websites that host adult and other NSFW content can be quickly and easily blocked. If an employee tries to visit a category of website that is blocked by the filter, they will be redirected to a customizable block screen and will be advised why access has been prohibited.

WebTitan makes sure that employees cannot access ‘risky’ websites where malware can be installed, and blocks access to productivity-draining websites, illegal web content, and other sites that have no work basis.

For more information on WebTitan, pricing, to reserve a product demonstration, or to register for a free trial, get in touch with the TitanHQ team now.

Main Phishing Lures of 2018

Phishing is the main security threat faced by companies and detailed here are the main phishing lures of 2018. These lures have proven to be the most effective at getting end users to divulge sensitive information or install malware.

Deducing the top phishing lures is not simple. Many groups are required to publicly share details of data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.

Instead, the best method to deduce the top phishing lures is to use data from security awareness training companies. These businesses have created platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to review huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for finding out the most successful phishing lures.

In the past couple of weeks, two security awareness training businesses have released reports detailing the top phishing lures of 2018: Cofense and KnowBe4.

Cofense has established two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which gathers data on real phishing attacks and the second list is put together using responses to phishing simulations.

Both lists feature phishing attacks that include fake invoices. Seven out of the ten most effective phishing campaigns of 2018 referred to an invoice in the subject line. The other three were also finance linked: payment remittance, statement and payment. This makes sense: the finance department is the primary target in phishing attacks on companies.

The list of the top phishing lures from phishing simulations also heavily featured fake invoices, which outnumbered the second most visited phishing lure by 2 to 1.

| Rank | Phishing Subject/Theme | Number of Reported Emails |
|---|---|---|
| 1 | Attached Invoice | 4,796 |
| 2 | Payment Notification | 2,267 |
| 3 | New Message in Mailbox | 2,088 |
| 4 | Online Order (Attachment) | 679 |
| 5 | Fax Message | 629 |
| 6 | Secure Message (MS Office Macro) | 408 |
| 7 | Online Order (Hyperlink) | 399 |
| 8 | Confidential Scanned Document (Attachment) | 330 |
| 9 | Conversational Wire Transfer (BEC Scam) | 278 |
| 10 | Bill Copy | 251 |


Main Phishing Lures on the KnowBe4 Platform

KnowBe4 has created and shared two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing campaigns targeting businesses that were reported to IT security departments.

The most common real-world phishing attacks witnessed during Q3 were:

| Rank | Subject |
|---|---|
| 1 | You have a new encrypted message |
| 2 | IT: Syncing Error – Returned incoming messages |
| 3 | HR: Contact information |
| 4 | FedEx: Sorry we missed you. |
| 5 | Microsoft: Multiple log in attempts |
| 6 | IT: IMPORTANT – NEW SERVER BACKUP |
| 7 | Wells Fargo: Irregular Activities Detected on Your Credit Card |
| 8 | LinkedIn: Your account is at risk! |
| 9 | Microsoft/Office 365: [Reminder]: your secured message |
| 10 | Coinbase: Your cryptocurrency wallet: Two-factor settings changed |


The most commonly clicked phishing lures in Q3 were:

| Rank | Subject | % of Emails Clicked |
|---|---|---|
| 1 | Password Check Required Immediately | 34% |
| 2 | You Have a New Voicemail | 13% |
| 3 | Your order is on the way | 11% |
| 4 | Change of Password Required Immediately | 9% |
| 5 | De-activation of [[email]] in Process | 8% |
| 6 | UPS Label Delivery 1ZBE312TNY00015011 | 6% |
| 7 | Revised Vacation & Sick Time Policy | 6% |
| 8 | You’ve received a Document for Signature | 5% |
| 9 | Spam Notification: 1 New Messages | 4% |
| 10 | [ACTION REQUIRED] – Potential Acceptable Use Violation | 4% |


If login credentials to email accounts, Office 365, Dropbox, and other cloud services are stolen by hackers, the accounts can be plundered. Sensitive data can be stolen and Office 365/email accounts can be used for further phishing attacks on other staff members. If malware is downloaded, hackers can gain full control of infected devices. The cost of addressing these attacks is considerable and a successful phishing attack can seriously damage a company’s business reputation.

Due to the damage that can be inflicted by phishing, it is essential for companies of all sizes to train staff how to identify phishing threats and put in place a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly enhanced with a good training program and phishing email simulations. It is also vital to use an effective email security solution that blocks threats and ensures they are not delivered to inboxes.

SpamTitan is a highly effective, easy to put in place email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware using dual antivirus engines (Bitdefender and ClamAV). With SpamTitan safeguarding inboxes, companies are less reliant on their employees’ ability to identify phishing dangers.

SpamTitan uses a barrage of checks on each incoming email to determine whether a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also conducts checks on outbound emails to ensure that, in the event that an email account is infiltrated, it cannot be used to send spam and phishing emails internally or to clients and contacts, helping to safeguard the reputation of the firm.

To discover more about SpamTitan, including details of pricing and to sign up for a free trial, contact the TitanHQ team today. During your free trial you will see how much better SpamTitan is at preventing phishing attacks than standard Office 365 anti-spam measures.

Case Study: Data Breach Cost Home Depot $179 Million

When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company quite a bit.

A data breach of the scale of that which impacted Home Depot in 2014 will cost hundreds of millions of dollars to address. The Home Depot data breach was huge. It was the largest retail data breach involving a point of sale system seen so far. Malware had been downloaded that allowed cybercriminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.

The attack was completed using stolen credentials from one of the retailer’s vendors. Those credentials were used to obtain access to the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was obtained, malware was downloaded to record credit card details. The malware infection went unnoticed for five months between April and September 2014.

Last year, Home Depot agreed to pay out $19.5 million to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of losses compensated.

The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger. It is already getting closer to the $200 million mark.

Then there is the reputational damage from the breach. Following any data breach, customers often take their business to a different company. Many consumers impacted by the breach have chosen to shop elsewhere. A number of studies have been carried out on the fallout from a data breach. One HyTrust study states that companies may lose 51% of customers following a breach of sensitive data.


Phishing Attack Discovered in Major San Diego School District

A major phishing attack has been discovered in a San Diego School District. The phishing attack differs from the many similar phishing attacks on schools in the range of accounts that were compromised, the amount of data that was potentially stolen, and the length of time it took for the data breach to be discovered.

According to a recent breach announcement, the login credentials of around 50 district staff members were obtained by the hacker. It is not unusual for a number of different accounts to be breached in school phishing attacks. Once access is obtained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was first thought, although 50 sets of compromised details is very high.

Those accounts were infiltrated over a period of 11 months. The San Diego School District phishing attack was first discovered in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was taking place and that there may have been a data breach.

The investigation showed the credentials obtained by the hacker provided access to the district’s network services, which included access to the district’s database of employee and student records. The school district is the second biggest in California and serves over 121,000 students annually. The database included records going back to the 2008/2009 school year. Overall, the records of more than 500,000 individuals were potentially obtained by the cybercriminal. Given the length of time the hacker had access to the network, data theft is highly probable.

The data potentially obtained was massive. Student information stolen included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact data, and Social Security numbers. Impacted staff data also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.

Data could be obtained from January 2018 to November 2018. While it is normal for unauthorized access to be immediately prevented upon discovery of a breach, in this case the investigation into the breach was conducted before shutting down access. This permitted the identity of the suspected hacker to be determined without warning the hacker that the breach had been discovered. The investigation into the breach is ongoing, although access has now been blocked and affected people have been notified. Extra cybersecurity controls have now been implemented to restrict future attacks.

School district phishing attacks are common. School districts often lack the resources that large companies can dedicate to cybersecurity. Due to this, cyberattacks on school districts are much easier to pull off. Schools also store large amounts of sensitive data on staff and students, which can be used for a wide variety of malicious purposes. The relative simplicity of attacks and a potential big payday for hackers and phishers make schools an attractive target.

The San Diego School District phishing attack is just one of many attacks like this that have been reported this year. During tax season at the beginning of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees.


Software for Cloud-Based Web Filtering

The next step in the evolution from hardware-based and software-based solutions for filtering Internet content is cloud-based web filtering software. Similar to the majority of cloud-based technologies, cloud-based web filtering software is convenient, trustworthy and scalable. It does not have the high costs of hardware-based solutions nor the high maintenance overheads of software-based programmes; and, although all three solutions pretty much operate the same way, cloud-based web filtering software has its benefits.

Cloud-Based Web Filtering Software

Cloud-based web filtering software is operated from the cloud rather than physically attached to – or downloaded to – your network. In order to log on to the service, you simply need to redirect your DNS server settings to point to our servers. The cloud-based software then deploys itself automatically, and you can either begin filtering the Internet using the software´s default settings, or set up and apply your own user policies via the web-based management portal.

As with most solutions for filtering Internet content, cloud-based web filtering software deploys a three-tier mechanism to enhance defenses against online threats, improve productivity and stop users accessing inappropriate material:

  • The first line of defense is SURBL and URIBL filters. These check each request to visit a web page against lists of IP addresses known to lead to malware downloads, phishing attacks and spam emails. When a match is identified, the request to visit the web page is denied. The lists of IP addresses are updated automatically as new threats are spotted.
  • Behind the “blacklists”, category filters can be used to stop users visiting websites in certain categories. Administrators may want to stop users visiting websites known to have a high likelihood of harboring malware (pharmaceutical and travel websites), those likely to affect productivity (gaming and social networking) or those containing inappropriate material.
  • Keyword filters can be employed to fine-tune the category filters and stop users visiting websites containing exact word matches, specific apps or specific file extensions. This fine-tuning mechanism adds granularity so that Internet filtering can be set up without obstructing workflows.

Category filters and keyword filters can be switched on by individual users, user-group or company-wide according to your existing user policies. Most products for filtering Internet content can be integrated with management tools such as Active Directory in order to speed up the process of applying roles. Thereafter, administrators can review web activity in real-time via the management portal, or schedule customized reports by user, user-group, organization-wide, bandwidth usage, category or time.
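The three tiers described above, evaluated in the order the text gives them (blocklist, then category, then keyword and file-extension rules) and with the policy chosen by the user's directory group, look like this in a toy filter. This is an added example, not WebTitan code or any other vendor's code; the blocklist entries, category map, group policies and the `USER_GROUPS` table standing in for an Active Directory lookup are all constructed for the example.

```python
"""Toy three-tier web filter: blocklist, then category, then keyword/extension,
with the policy chosen by the user's directory group (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Policy:
    blocked_categories: Set[str]
    blocked_keywords: Set[str]
    blocked_extensions: Set[str]


# Tier 1: constructed stand-in for SURBL/URIBL data (known-bad hosts).
URI_BLOCKLIST: Set[str] = {"malware-drop-example.test", "phish-login-example.test"}

# Tier 2: constructed category map; real products ship millions of entries.
CATEGORY_MAP: Dict[str, str] = {
    "social-example.test": "social-networking",
    "pharma-example.test": "pharmaceutical",
    "intranet.corp-example.test": "business",
}

# Tier 3 lives inside the per-group policy (keywords and file extensions).
GROUP_POLICIES: Dict[str, Policy] = {
    "staff": Policy({"social-networking", "pharmaceutical", "gambling"},
                    {"poker"}, {".exe", ".scr"}),
    "marketing": Policy({"pharmaceutical", "gambling"}, {"poker"}, {".exe", ".scr"}),
}
# Constructed stand-in for an Active Directory group lookup.
USER_GROUPS: Dict[str, str] = {"alice": "staff", "bob": "marketing"}
DEFAULT_GROUP = "staff"  # unknown users get the most restrictive policy


def host_matches(host: str, listed: str) -> bool:
    """True for the listed host itself and for any subdomain of it."""
    return host == listed or host.endswith("." + listed)


def categorise(host: str) -> str:
    return next((cat for dom, cat in CATEGORY_MAP.items() if host_matches(host, dom)),
                "uncategorised")


def check(user: str, url: str) -> Tuple[bool, str, str]:
    """Return (allowed, tier, detail) for one request; tiers run in order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    # Tier 1: the blocklist applies to everyone, before any group policy.
    for bad in URI_BLOCKLIST:
        if host_matches(host, bad):
            return False, "blocklist", bad

    policy = GROUP_POLICIES[USER_GROUPS.get(user, DEFAULT_GROUP)]

    # Tier 2: category filter per the group's acceptable usage policy.
    category = categorise(host)
    if category in policy.blocked_categories:
        return False, "category", category

    # Tier 3: keyword and file-extension fine-tuning of the category decision.
    for keyword in policy.blocked_keywords:
        if keyword in host or keyword in path:
            return False, "keyword", keyword
    for ext in policy.blocked_extensions:
        if path.endswith(ext):
            return False, "extension", ext

    return True, "allowed", category


if __name__ == "__main__":
    # Constructed sample requests, as the management portal would list them.
    for user, url in [
        ("alice", "https://www.social-example.test/feed"),
        ("bob", "https://www.social-example.test/feed"),
        ("bob", "http://cdn.malware-drop-example.test/update.js"),
        ("alice", "https://downloads-example.test/setup.exe?x=1"),
        ("alice", "https://news-example.test/poker-tournament"),
        ("carol", "https://intranet.corp-example.test/"),
    ]:
        print(user, url, check(user, url))
```

The ordering is the point: the blocklist verdict is taken before the group policy is even looked up, so a marketing user who is allowed social networking still cannot reach a listed malware host, and the extension rule inspects only the URL path, so a `?download=setup.exe` query string cannot be used to sidestep it.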

Improve Network Performance with Cloud-Based Web Filtering Software

One unexpected benefit of cloud-based web filtering software is how it enhances network performance – or, strictly speaking, how it removes the workload put on servers by other solutions for filtering Internet content. This is due to the way in which encrypted web pages are inspected by cloud-based web filtering software to determine the nature of their content.

Most software for filtering Internet content use a process called SSL inspection to decrypt, review, and re-encrypt the content of “secure” web pages. SSL inspection is now an obligatory part of Internet filtering because hackers have been able to obtain fake SSL certificates and their malware payloads would avoid detection if it were not for SSL inspection.

Hardware and software solutions for filtering Internet content put a heavy workload on servers because there is such a high volume of encrypted web pages to inspect. Since Google revealed it would enhance the rankings of encrypted websites in search engine results pages, more than 50% of the most-visited web pages in the world are encrypted.

The decryption, inspection and re-encryption of half the world´s most-visited Internet pages place an incredible strain on servers. Often this leads to delays in some web-based activities – email, for example – or users find Internet access temporarily unavailable. Although cloud-based web filtering software also uses SSL inspection to determine the content of encrypted web pages, the process is carried out in the cloud – eliminating the workload on network servers and allowing an Internet service with excellent latency.


Homebuyers and Sellers Targeted in Solicitor Email Scam

Home purchasers and real estate agents in the United Kingdom and Ireland are being targeted by cybercriminals using a new solicitor email scam. The scam, which involves impersonating a solicitor, is costing victims thousands. Additionally, there have been cases where cybercriminals contact solicitors by email claiming to be their clients and asking for their bank details to be changed. Any pending transfers are then sent to the criminals’ accounts.

As funds for home purchases are sent to solicitors’ accounts before being shared with the sellers, if cybercriminals can amend the bank details for the transfers, the funds for the purchase will be paid straight into their bank accounts.

While email spoofing is not unusual, this solicitor email scam often involves the hacking of solicitors’ email accounts. Once access has been obtained, cybercriminals search for emails exchanged with buyers and sellers of homes to identify possible targets. In addition to the hacking of email accounts, there have also been instances where emails between buyers, sellers and their solicitors have been intercepted. When bank details for a transfer are sent, the hackers amend the bank information in the email to their own and then send the email on.

The solicitor email scam is sophisticated and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be completed. Since the possible rewards are considerable, cybercriminals are willing to invest the time and effort into the scam and be patient. Buyers, vendors and solicitors are well researched and the emails appear authentic.

This conveyancing scam has been on the rise in recent months and it has now become the most common cybercrime impacting the legal sector. The Law Society, a representative organization for solicitors in the UK, has issued a warning about the conveyancing scam due to a rising number of complaints, although it is currently unclear how many fraudulent transfers have been completed.

The simple way to prevent such a scam from being successful is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details. Additionally, policies can be developed requiring bank account information to only be sent via postal mail.

The Solicitors Regulation Authority has issued guidance that advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be simple, but with such large sums being transferred it pays to use an abundance of caution.

While this solicitor email scam has been seen in many places across the UK and Ireland, legal firms in the United States should also use caution.

Ryuk Ransomware Suspected in Newspaper Cyberattack

The end of 2018 has seen a major newspaper cyberattack take place in the United States that has disrupted production of several newspapers published by Tribune Publishing.

The attacks were malware-based and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and a number of others. The malware attack took place on Thursday, December 27, and caused major issues throughout Friday.

All of the impacted newspapers shared the same production platform, which was infiltrated by the malware infection. While the sort of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack utilized Ryuk ransomware.

Ransomware is a type of malware that encrypts critical files stopping them from being accessed. The main goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also a regular occurrence for ransomware to be deployed after network access has been obtained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be carried out to cause disruption. It is thought that this newspaper cyberattack was conducted primarily to disable infrastructure.

The sort of ransomware used in an attack is usually easy to notice. After encrypting files, ransomware changes file extensions to an (often) unique extension. In this instance of Ryuk ransomware, extensions are changed to .ryk.

The Los Angeles Times has blamed threat actors based outside the United States, although it is not clear which group was behind the cyberattacks. If the attack was carried out to disable infrastructure it is probable that this was a nation-state sponsored attack.

The first Ryuk ransomware cyberattacks took place in August. Three U.S. companies were attacked, and the attackers were paid a minimum of $640,000 for the keys to unlock the data. A review of the ransomware revealed it shared code with Hermes malware, which had previously been connected to the Lazarus Group – an APT group with links to North Korea.

While many ransomware campaigns use mass spamming tactics to spread the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved major reconnaissance and extensive network mapping before the ransomware was finally deployed. As is the case with SamSam ransomware attacks, the campaign is carried out manually.

Several tactics are used to obtain access to networks, although earlier in 2018 a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services (HHS) identifying email as one of the main attack vectors, emphasising the importance of email security and end user training to help staff recognize email-based threats.

Threat of Exposure with Multiple Malware Infections Combined in Recent Sextortion Scams

Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought for almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and, as scammers’ Bitcoin wallets show, they are successful.

Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have increased credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransom.

The email template used in this scam is very like those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the copy of the email, a password (most likely an old password accessed in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see what will soon be distributed via email and social media networks.

Visiting the link in the email will trigger the download of a zip file. The compressed file includes a document containing the text of the email along with the supposed video file. That video file is really an information stealer – the Azorult Trojan.

This sort of scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will know what it is: a mass email containing an empty threat. However, the inclusion of a link to download a video could lead to many individuals downloading the file to find out if the threat is authentic.

If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the hacked files.

If the email was sent to a company email account, or a personal email account that was logged onto at work, files on the victim’s work computer will be encrypted. As a record of the original email will remain on the device, the reason why the malware was downloaded will be clear to the IT department.

The key to not being tricked is to ignore any threats sent using the email and never click links in the emails nor open unexpected email attachments.

Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being delivered while the latter blocks access to sites that host malware.

FTC Warning Netflix After Phishing Scam

A new Netflix phishing scam has been discovered that tries to trick Netflix subscribers into disclosing their login details and other sensitive data such as Social Security numbers and bank account numbers.

This Netflix phishing scam is similar to others that have been seen over the past few months. A major campaign was discovered in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now beginning large-scale phishing attacks on a monthly basis.

The number of recent Netflix scams and the scale of the campaigns have led the U.S. Federal Trade Commission (FTC) to issue a warning to increase awareness of the threat.

The latest campaign was first noticed by an officer in the Ohio Police Department. As with past campaigns, the hackers use a tried and tested method to get users to click on the link in the email – the threat of account closure due to issues with the user’s billing details.

In order to stop closure of the user’s Netflix account, a link in the email must be clicked. That will send the user to what appears to be the Netflix site, where login details and banking information must be entered. While the web page looks authentic, it is hosted on a domain controlled by the hackers. Any information entered on that web page will be accessed by the threat actors behind the scam.

The emails appear realistic and contain the correct logos and color schemes and are almost identical to the official emails shared with users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.

There are indications that the email is not what it seems. The email incorrectly begins “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email sends users is similarly suspect. However, the scam is sure to trick many users who fail to carefully review emails before taking any action.

Consumers need to use caution with email and should carefully review messages before responding, no matter how urgent the call for action is. It is a good idea to always visit a website directly by entering in the domain into the address bar of a web browser, rather than clicking a link in an email.

If the email is found to be a scam, it should be reported to the appropriate authorities in the country in which you live and also to the company the scammers are pretending to be. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.

While this Netflix phishing scam aims for consumers, companies are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account data. Businesses can reduce the risk of data and financial losses to phishing scams by making sure all members of the company, from the CEO down, are given regular security awareness guidance and are taught cybersecurity best practices and are made aware of the most recent threats.

An advanced spam filtering solution is also strongly advisable to ensure the vast majority of these scam emails are obstructed and do not reach inboxes. SpamTitan for instance, stops more than 99.9% of spam and phishing emails and 100% of known malware.

For additional information on anti-phishing solutions for companies, get in touch with the TitanHQ team today.

Digimine Malware Transforms Infected Devices into Cryptocurrency Miners

Digimine malware is a new threat that was first discovered in a campaign in South Korea; however, attacks have now been witnessed worldwide.

Ransomware is still a popular tool that allows hackers to get a quick payout, but increased awareness of the threat means more companies are being more careful. Ransomware defenses have been improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infiltrate systems with ransomware, speedy detection means large-scale attacks on companies are stopped. It’s difficult to get a big payday, and the ability to restore files from backups means fewer victims are paying up.

The rise in popularity of cryptocurrency, and its rapid rise in value, have given cybercriminals another lucrative opportunity. Rather than distributing ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, hackers do not need to rely on a victim paying a ransom.

Instead of locking devices and encrypting files, malware is downloaded that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners earn coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be carried out on an industrial scale.

The processing power of hundreds of thousands of devices would make the operation highly profitable for hackers, a fact that has certainly not been lost on the developers of Digimine malware.

Infection with Digimine malware will see the victim’s device impacted, as its processing power is being used up mining Monero. However, that is not all. The campaign sharing this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially lead to the victim’s Facebook account being hijacked.

The Digimine malware campaign is being spread using the desktop version of Facebook Messenger, through Google Chrome rather than the mobile app. Once a device is infected, if the victim’s Facebook account is set to log in automatically, the malware will send links to the victim’s contacts. Clicking those links will lead to installation of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.

Infections were first discovered in South Korea; however, they have now spread throughout east and south-east Asia and beyond, to Vietnam, Thailand, the Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.

A similar campaign has also been noticed by FortiGuard Labs. That campaign is being carried out by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also began in South Korea and is spreading rapidly. Rather than employ Facebook Messenger, the VenusLocker gang is using phishing emails.

Phishing emails for this campaign contain malicious email attachments that install the miner. One of the emails claims the victim’s details have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to address risk.

These attacks seem to mark a new trend, and as ransomware defenses continue to get better it is likely that even more gangs will alter tactics and switch to cryptocurrency mining.

Gift Card Scams Warning Issued for Holiday Season

Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

2018 has seen a surge in business email compromise (BEC) style tactics, with emails seeming to have been sent from within a company. The emails purport to have been sent from the CEO (or another executive) asking accounts and administration staff to purchase gift cards for clients or requesting that gift cards be purchased for charitable donations.

To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.

Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.

2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had witnessed a gift card-themed attack, up from 11% in Q2, 2018.

Many businesses have Office 365 installed, but even Microsoft’s anti-phishing protection has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing measures, emails still make it past Microsoft’s filters.

To obstruct these malicious messages, an advanced third-party spam filter is necessary.

Office 365 Phishing Emails Look Like Non-Delivery Alerts

A new phishing campaign was discovered by ISC Handler Xavier Mertens and the campaign seems to still be active.

The phishing emails look very like legitimate Office 365 non-delivery alerts and include Office 365 branding. As is the case with official non-delivery alerts, the user is warned that messages have not been delivered and told that action is required.

The Office 365 phishing emails state that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails ask the user to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be sent to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is typed, a JavaScript function sends both the email address and password to the hacker. The user will then be sent to the genuine outlook.office365.com website where they will be shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not happen on an official Microsoft notification.

The clearest indication that this is a phishing scam is the domain to which users are sent if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the mistake in the email may be overlooked, users should notice the domain, although some users may proceed and type passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.
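
The checks described in the Netflix and Office 365 articles above (sender domain, link domains, generic greeting) as an added example, not code from the original articles; the brand domain lists and the sample messages are constructed for illustration, apart from the sender and link domains the Office 365 article names.

```python
"""Added example, not code from the original articles: the checks a mail
gateway or analyst can apply for the signs called out above, namely a sender
domain that does not belong to the brand named in the email, links that point
somewhere other than the brand's own domains, and a generic greeting.
The sample messages and the brand domain lists are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-lists of domains each brand really sends from and links to.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "office 365": {"microsoft.com", "office.com", "office365.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"^\s*Hi Dear\b", re.IGNORECASE | re.MULTILINE)


def registrable(host):
    """Reduce a hostname to its last two labels (sufficient for .com-style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def body_text(msg):
    """Concatenate every text/* part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw_email, claimed_brand):
    """Return a list of findings; an empty list means none of the checks fired."""
    allowed = BRAND_DOMAINS[claimed_brand.lower()]
    msg = message_from_string(raw_email)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if registrable(sender_domain) not in allowed:
        findings.append(f"sender domain {sender_domain} is not a {claimed_brand} domain")

    text = body_text(msg)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) not in allowed:
            findings.append(f"link host {host} is not a {claimed_brand} domain")

    if GENERIC_GREETING_RE.search(text):
        findings.append("generic greeting 'Hi Dear' instead of the account holder's name")
    return findings


# Constructed sample mimicking the Netflix lure described above (.example is a reserved TLD).
NETFLIX_PHISH = """From: Netflix <support@netflix-billing.example>
To: customer@example.com
Subject: Your account is on hold
Content-Type: text/plain; charset=utf-8

Hi Dear,
We could not validate your billing details. Please update them at
http://netflix-account-update.example/login or your account will be closed.
"""

# Constructed sample modelled on the Office 365 non-delivery lure (sender and
# link domain are the ones named in the article).
O365_PHISH = """From: Microsoft <postmaster@us.ibm.com>
To: user@example.com
Subject: Microsoft found Several Undelivered Messages
Content-Type: text/plain; charset=utf-8

Delivery failed because of Server Congestion.
Send Again: http://agilones.com/office/login
"""

# Constructed sample of a message that passes every check.
LEGIT_NETFLIX = """From: Netflix <info@account.netflix.com>
To: alice@example.com
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

Hi Alice,
Your receipt is available at https://www.netflix.com/YourAccount
"""

if __name__ == "__main__":
    for name, raw, brand in [("netflix phish", NETFLIX_PHISH, "Netflix"),
                             ("office 365 phish", O365_PHISH, "Office 365"),
                             ("legitimate", LEGIT_NETFLIX, "Netflix")]:
        print(name, check_message(raw, brand) or ["no findings"])
```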

Hackers use Office 365 phishing emails because so many companies have signed up to use Office 365. Mass email campaigns therefore have a high chance of reaching an Outlook inbox. That said, it is easy to target Office 365 users: a business that is using Office 365 advertises the fact through its public DNS MX records.

Firms can improve their resilience to phishing attacks through mandatory security awareness training for all workers. Employees should be told to always review messages carefully and should be guided how to identify phishing emails.

Companies should also ensure they have an advanced spam filtering solution set up. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (ATP) offering, companies should consider using a third-party spam filtering solution with Office 365.

SpamTitan supplies superior protection against phishing and zero-day attacks, an area where ATP is not proficient.

New Dharma Ransomware Strain Discovered

A new Dharma ransomware variant has been created that is currently not being detected by most antivirus engines. According to Heimdal Security, the most recent Dharma ransomware variant captured by its researchers was only identified as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) first came to light in 2006 and is still evolving. Recently, many new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been spotted.

The threat actors behind Dharma ransomware have claimed many victims over the last few weeks. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly renders these decryptors moot. Infection with the most recent variants of the ransomware threat only gives victims three options: pay a sizeable ransom to recover files, restore files from backups, or face unrecoverable file loss.

The latter is not a viable solution given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom is not wise as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections take place via RDP-enabled endpoints using brute force efforts to guess passwords. Once the password is obtained, the malicious payload is deployed.

While it is not known how the Arran brewery attack occurred, a phishing attack is the likely culprit. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is needed, access should only be possible through a VPN and strong passwords should be established. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.
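
The password-guessing pattern described above can be spotted in the Windows Security log before a lockout policy is even needed. The following is an added example (not code from the original article or from any vendor): it feeds failed-logon events in as constructed CSV lines rather than raw event XML, and assumes event ID 4625 with logon type 10 (RemoteInteractive) identifies a failed RDP logon.

```python
"""Added example, not code from the original article: detect the RDP password
guessing described above from Windows failed-logon events (event ID 4625,
logon type 10 = RemoteInteractive). Events are fed in as constructed CSV lines
"timestamp,event_id,logon_type,source_ip,account" rather than raw event XML;
a real deployment would export them from the Security log or a SIEM."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
RDP_LOGON_TYPE = "10"  # RemoteInteractive, i.e. Remote Desktop


def parse_event(line):
    ts, event_id, logon_type, src_ip, account = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, logon_type, src_ip, account


def rdp_brute_force_sources(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: (peak_failures_in_window, accounts_tried)} for every
    source whose failed RDP logons reach `threshold` within any `window`."""
    recent = defaultdict(deque)   # source_ip -> timestamps inside the sliding window
    peak = {}
    accounts = defaultdict(set)
    for line in sorted(lines):    # ISO-8601 timestamps sort chronologically as text
        ts, event_id, logon_type, src_ip, account = parse_event(line)
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue              # console/network failures are a different signal
        q = recent[src_ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        accounts[src_ip].add(account)
        if len(q) >= threshold:
            peak[src_ip] = max(peak.get(src_ip, 0), len(q))
    return {ip: (n, accounts[ip]) for ip, n in peak.items()}


def constructed_events():
    """Constructed sample: one guessing source, one fat-fingering user, console noise.
    Addresses come from the documentation ranges (TEST-NET)."""
    base = datetime(2018, 10, 3, 2, 14, 0)
    lines = []
    for i in range(30):           # 30 failures in three minutes, cycling accounts
        t = base + timedelta(seconds=6 * i)
        account = ["administrator", "admin", "backup"][i % 3]
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},4625,10,203.0.113.7,{account}")
    for i in range(3):            # three failures spread over 30 minutes
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},4625,10,198.51.100.5,jsmith")
    for i in range(20):           # local console failures (logon type 2) are ignored
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},4625,2,127.0.0.1,kiosk")
    return lines


if __name__ == "__main__":
    for ip, (count, tried) in rdp_brute_force_sources(constructed_events()).items():
        print(f"{ip}: {count} failed RDP logons in 5 minutes, accounts tried: {sorted(tried)}")
```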

Naturally, good backup policies are vital. They will ensure that file recovery is possible without meeting a ransom demand. Multiple copies of backups should be made, with one copy stored securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that are dependent on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are crucial.

SpamTitan can enhance protection for businesses through a combination of two AV engines and predictive methods to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and securing your email gateway from ransomware attacks and other dangers, speak to TitanHQ’s security experts now.

500 Million Guests Impacted in Marriott Hotels Data Breach

A Marriott Hotels data breach has been discovered which could impact up to 500 million customers who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the biggest ever reported – the 2013 Yahoo breach exposed up to 3 billion records – it is the second largest ever, alongside the 2014 Yahoo data breach that also impacted around half a billion users.

The Marriott data breach may not have impacted as many Internet users as the 2013 Yahoo data breach, but due to the range of information stolen it is arguably more serious. Almost 173 million individuals have had their name, mailing address, and email address stolen, and around 327 million customers have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers illegally taken. Additionally, Marriott also believes credit card details may have been illegally taken. While the credit card numbers were encrypted, Marriott cannot confirm whether the two pieces of data required to decrypt the credit card numbers were also taken by the hacker.

In addition to past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have been affected, along with guests at Design Hotels that registered for the SPG program.

The data breach was discovered by Marriott on September 8, 2018, following an attempt by an unauthorized person to access the Starwood database. The investigation showed that the cybercriminal behind the attack first gained access to the Starwood database in 2014. It is currently not public knowledge how access to the database was obtained.

The Marriott hotels data breach is extremely serious and will prove massively expensive for the hotel group. Marriott has already offered U.S. based victims free enrollment in WebWatcher, has paid for third party experts to review and help address the data breach, and the hotel group will be strengthening its security and phasing out Starwood databases.

Even though the Marriott hotels data breach has only just been made public, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per person impacted.

There is also the possibility of an E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million can be imposed, or 4% of global annual revenue, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) penalty. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been made aware of the breach and is making enquiries.

Danger of Marriott Data Breach Related Phishing Attacks

Marriott has sent email notifications to those impacted by the breach from the domain email-marriott.com. Rendition Infosec/FireEye researchers bought the domains email-marriot.com and email.mariott.com just after the announcement to keep them out of the hands of hackers. Other similar domains may be bought up by less scrupulous individuals to be used for phishing attacks.

A breach of this extent is also ideal for speculative phishing attempts that spoof the email domain owned by Marriott. Mass email campaigns will likely be sent randomly in the hope that they will reach breach victims or individuals that have stayed at a Marriott hotel or one of its associated brands in the past.

TrickBot Malware Updated with POS Data Stealing Capabilities

A never before seen module has been added to TrickBot malware that implements point-of-sale (POS) data collection functionality.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing capability, but the most recent update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: businesses that process large amounts of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being deployed to record POS data such as credit/debit card details. At present, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The experts have not yet discovered how the POS information will be used, but it is highly probable that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been selected, they will likely be subjected to further intrusions.

The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by issuing LDAP queries to Active Directory Services that search for a dnsHostName containing strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’

The timing of the update, so near to the holiday period, implies that the threat actors are planning to take advantage of the busy holiday trade and are gathering as much information as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have come along with a malicious spam email campaign (identified by Brad Duncan) which is focusing on companies in the United States. The malspam campaign uses Word documents containing malicious macros that install the TrickBot binary.

Protecting against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to stop malicious messages from being delivered to end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.

Antivirus solutions and endpoint security measures should also be used to identify and quarantine potentially malicious files in case malware gets past perimeter defenses.

How to Strengthen the Office 365 Spam Filter

Office 365 has many advantages over competing software, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that get through Microsoft’s defenses. If you have an issue with spam and phishing emails, there is an easy way to enhance the Office 365 spam filter.

Office 365 Email Security

Over 135 million commercial users are now on Office 365. Unfortunately, the popularity of Office 365 has made it a prime target for hackers. Microsoft has been proactively implementing measures to improve the Office 365 spam filter and make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been enhanced and more malicious emails are now being blocked; however, even with the recent anti-phishing enhancements, many businesses still have to deal with spam, phishing emails, and other dangerous messages.

Companies using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online Protection (EOP). EOP does provide a good level of protection and blocks spam, phishing emails, and malware. Osterman Research stated that EOP blocks 100% of known malware and 99% of spam email, but struggles with the last 1%. Many companies have found that EOP blocks basic phishing attacks but comes up short at blocking more sophisticated email threats such as spear phishing and advanced persistent threats.

To strengthen the Office 365 spam filter, you should upgrade to Advanced Threat Protection, the second level of security offered with Office 365. Protection is considerably better, although Advanced Threat Protection cannot identify zero-day threats and falls short of many third-party solutions at preventing other advanced threats. An SE Labs study in the summer of 2017 found that even with the extra level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.

The number of cases of hackers targeting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users have led a rising number of businesses to look for a way to improve the Office 365 spam filter further.

Companies that want to further strengthen the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to think about implementing a third-party anti-spam solution.

Luckily, there is a solution that not only enhances Office 365 spam filtering but is also quick and easy to put in place: it needs no software installations and no hardware purchases. In fact, it can be implemented, configured, and be up and running quickly.

SpamTitan is a powerful cloud-based email security solution that has been designed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss through email.

In contrast to Office 365, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.

SpamTitan reviews email headers, analyzes domains, and scans email content to spot phishing threats. Embedded hyperlinks, including shortened URLs, are reviewed in real time and subjected to multiple URL reputation checks, while dual antivirus engines scan and block 100% of known malware.

SpamTitan also provides data loss prevention tools for emails and attachments, which are not available with EOP. Users can set up tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also acts as a backup for your mail server to ensure business continuity.

With SpamTitan you get a higher level of security from spam and malicious emails, a higher spam catch rate (over 99.9%), improved granularity, better control over outbound email, and better business continuity protections.

If you have moved to Office 365 yet are still having issues with spam, phishing, and other malicious emails, or if you are an MSP that wants to offer clients enhanced Office 365 email security, get in touch with the TitanHQ team today.

The TitanHQ team can schedule a product demonstration and assist you in putting SpamTitan through its paces in your own environment in a no-obligation free trial.

POS Data Stealing Capabilities Added to TrickBot Malware

A new module has been added to TrickBot malware that provides point-of-sale (POS) data collection capabilities.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: companies that process large volumes of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being used to capture POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The experts have not yet determined how the POS information will be used, but it is highly likely that the module is being used for intelligence gathering. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.

The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to spot POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services that search for a dnsHostName containing strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
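The LDAP reconnaissance described here (and in the earlier TrickBot write-up above) is something a defender can look for in directory search logs. The following is an added example, not code from this page or from Trend Micro: it scans constructed key=value LDAP audit lines (the field names are an assumption, not a real product's schema) for dnsHostName searches containing the quoted POS terms and flags any client that queries for several of them.

```python
import re
from collections import defaultdict

# POS-related substrings the psfin32 module is reported to search for
# (the list quoted in the Trend Micro analysis above).
POS_TERMS = ("pos", "retail", "store", "micros", "cash", "reg", "aloha", "lane", "boh", "term")

# Constructed sample log (not real data): one line per LDAP search, in a
# hypothetical key=value format such as an LDAP proxy or directory-service
# audit log might emit. Hosts, users and timestamps are made up.
SAMPLE_LOG = """\
ts=2018-11-30T09:14:02Z client=10.0.5.23 user=CORP\\jdoe filter=(&(objectClass=computer)(dnsHostName=*pos*))
ts=2018-11-30T09:14:03Z client=10.0.5.23 user=CORP\\jdoe filter=(&(objectClass=computer)(dnsHostName=*retail*))
ts=2018-11-30T09:14:03Z client=10.0.5.23 user=CORP\\jdoe filter=(&(objectClass=computer)(dnsHostName=*micros*))
ts=2018-11-30T09:14:04Z client=10.0.5.23 user=CORP\\jdoe filter=(&(objectClass=computer)(dnsHostName=*aloha*))
ts=2018-11-30T09:20:11Z client=10.0.7.4 user=CORP\\svc_inventory filter=(&(objectClass=computer)(dnsHostName=WS-FINANCE-12*))
ts=2018-11-30T09:21:40Z client=10.0.9.8 user=CORP\\helpdesk filter=(sAMAccountName=mreg)
"""

# Captures the asserted value of every dnsHostName term inside an LDAP filter.
HOSTNAME_ATTR_RE = re.compile(r"dnsHostName=([^)]*)", re.IGNORECASE)
# key=value tokens; the filter has no spaces, so \S+ swallows it whole.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (last key wins on duplicates)."""
    return dict(FIELD_RE.findall(line))


def pos_terms_in_filter(ldap_filter):
    """Return the set of POS_TERMS found in any dnsHostName assertion of an
    LDAP filter, ignoring wildcards and case."""
    found = set()
    for raw in HOSTNAME_ATTR_RE.findall(ldap_filter):
        value = raw.replace("*", "").lower()
        found.update(term for term in POS_TERMS if term in value)
    return found


def detect_pos_recon(log_text, threshold=3):
    """Group dnsHostName searches by client and flag clients that query for at
    least `threshold` distinct POS-related terms. A single wildcard search can
    be ordinary admin activity; the signal is one source walking through many
    of the terms, which mirrors what the module does."""
    per_client = defaultdict(lambda: {"user": None, "terms": set(), "queries": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        terms = pos_terms_in_filter(fields.get("filter", ""))
        if not terms:
            continue
        entry = per_client[fields.get("client", "?")]
        entry["user"] = fields.get("user")
        entry["terms"] |= terms
        entry["queries"] += 1
    return {
        client: {"user": e["user"], "terms": sorted(e["terms"]), "queries": e["queries"]}
        for client, e in per_client.items()
        if len(e["terms"]) >= threshold
    }


if __name__ == "__main__":
    for client, info in detect_pos_recon(SAMPLE_LOG).items():
        print(f"ALERT {client} ({info['user']}): {info['queries']} searches "
              f"for POS terms {info['terms']}")
```

Only the client that walked through four of the terms is reported; the finance-workstation lookup and the account search are left alone.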

The timing of the update suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much data as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (discovered by Brad Duncan) that is targeting companies in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.

Protecting against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is vital for an advanced anti-spam solution to be deployed to stop malicious messages from being delivered to end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those emails.

Antivirus solutions and endpoint security measures should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter security.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is currently evading detection by most antivirus engines.

Heimdal Security says that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) was first seen in 2006 and is still being developed. This year, many new Dharma ransomware variants have been released, each using a new file extension for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone, four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Recent successful attacks include those on Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete. Infection with the most recent variants leaves victims with only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The last of these is not an option given the number of files that are encrypted. Restoring files from backups is not always possible either, as Dharma ransomware can also encrypt backup files and can erase shadow copies. Paying the ransom is not a solution, as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, processes, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware attacks involve an executable file being delivered via a .NET file and an HTA file. Infections occur through RDP-enabled endpoints, with brute force attempts used to guess passwords. Once the password is obtained, the malicious payload is executed.

While it is not entirely clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received shortly before file encryption. Arran Brewery’s managing director Gerald Michaluk said: “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental”.

To safeguard against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is a requirement, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block further login attempts after a set number of failures.

Naturally, good backup policies are vital. They will ensure that file recovery is possible without paying a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is needed. Spam filters that rely solely on AV engines may not detect the latest ransomware variants. Advanced analysis of incoming messages is vital.

SpamTitan can enhance protection for businesses through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For more information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

Network Security News Updates

Our network security news section has a wide variety of articles on securing networks and blocking cyberattacks, ransomware, and attempted malware installations. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by hackers.

Layered cybersecurity measures are essential given the growth in hacking incidents and the explosion in ransomware and malware variants over the past 24 months. Entities can tackle the threat by spending money on new security defenses such as next generation firewalls, end point protection measures, web filtering solutions and advanced anti-malware and antivirus security measures.

While much investment goes into tried and tested solutions that have been highly successful previously, many cybersecurity solutions – antivirus software, for instance – are not as effective as they once were. In order to keep up with hackers and cybercriminals and get ahead of the curve, organizations should consider putting in place new cybersecurity solutions to block network intrusions, stop data breaches, and improve protection against the most recent malware and ransomware threats.

This category includes information and guidance on different network security solutions that can be adopted to enhance network security and ensure networks are not infiltrated by hackers and infected with dangerous software.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

Adobe has released an unscheduled update to correct vulnerabilities in Adobe Flash Player, including a zero-day flaw that is currently being exploited in the wild by an APT threat group against targets in Russia. One target was a Russian healthcare center that provides medical and cosmetic surgery services to high-level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which enables arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object runs malicious code on a victim’s computer, giving command line access to the system.

The vulnerability was discovered by security researchers at Gigamon ATR, who reported it to Adobe on November 29. Researchers at Qihoo 360 discovered a spear phishing campaign that is being used to deliver a malicious document and associated files that exploit the flaw. The document used in the campaign was a forged staff questionnaire.

The emails included a .rar compressed file attachment containing a Word document, the exploit, and the payload. If the .rar file is unpacked and the document opened, the user is shown a warning that the document may damage the computer. If the content is activated, a malicious command is run which extracts and launches the payload – a Windows executable named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe acts as a backdoor into the system. The malicious payload gathers system data, which is sent back to the hackers via HTTP POST. The payload also downloads and runs shellcode on the infected device.

Qihoo 360 researchers have labelled the campaign Operation Poison Needles due to the identified target being a healthcare center. While the attack seems to be politically motivated and highly targeted, now that details of the vulnerability have been made public it is likely that other threat groups will use exploits for the vulnerability in more and more attacks.

It is therefore vital for companies that have Flash Player installed on some of their devices to update to the most recent version of the software as soon as they can. That said, removing Flash Player, if it is not required, is a better option given the number of vulnerabilities that are identified in the software each month.

The vulnerability affects Flash Player 31.0.0.153 and all earlier versions. Adobe has addressed the flaw, together with a DLL hijacking vulnerability, in version 32.0.0.101.

Starbucks Porn Filter to Finally be Implemented in 2019

A Starbucks porn filter will be introduced in 2019 to stop adult content from being accessed by customers connected to the chain’s free WiFi network.

It has taken a considerable amount of time for the Starbucks porn filter to be implemented. In 2016, the coffee shop chain agreed to put in place a WiFi filtering solution following a campaign by the internet safety advocacy group Enough is Enough, but two years on, a Starbucks porn filter has only been implemented in the UK.

Companies Pressured to Put in Place WiFi Filters to Block Porn

Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure companies that offer free WiFi to customers to apply WiFi filters that prevent access to adult content. In 2016, over 50,000 petitions were sent to the CEOs of Starbucks and McDonald’s urging them to apply WiFi filters and take the lead in preventing access to pornography and child porn on their WiFi networks.

After being petitioned, McDonald’s took swift action and rolled out a WiFi filter across its 14,000 restaurants. Starbucks, however, has been slow to act. After the McDonald’s announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to limit access to unacceptable content without inadvertently blocking legitimate content. Until the Starbucks porn filter was implemented, the coffee shop chain said it would reserve the right to stop any behavior that negatively impacted the customer experience, including activities on its free WiFi network.

The apparent lack of action led Enough is Enough to increase the pressure on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be put in place and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called on the public to sign a new petition calling for the Starbucks porn filter to finally be implemented.

Starbucks Porn Filter to Be Launched in All Regions in 2019

Starbucks has responded to Enough is Enough, via Business Insider, stating that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be released across all its cafes in 2019.

All companies that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and remain ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flout acceptable use policies. A technical solution is therefore necessary to enforce those policies.

While Enough is Enough is focused on ensuring adult content is prevented, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be restricted.

WiFi filters can also help companies conserve bandwidth to make sure that all customers can log on to the Internet and enjoy reasonable speeds.

TitanHQ has long been a supporter of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily restrict access to unacceptable and illegal web content on WiFi networks.

WebTitan Cloud for WiFi allows companies to carefully control the content that can be accessed over WiFi without inadvertently blocking legitimate content. Being 100% cloud based, no hardware purchases and no software downloads are necessary.

The solution offers companies advanced web filtering capabilities through an intuitive, easy to use interface. No IT consultants are needed to implement and run the solution. It can be set up and managed by individuals with little to no technical know-how.

The solution is highly scalable and can be used to safeguard thousands of users, at multiple locations around the globe, all managed through a single user interface.

If you run a company that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.

Managed Service Providers (MSPs) that want to start providing WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been created to meet the needs of MSPs and make it simple for them to add new security capabilities to their service stacks.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

A phishing campaign was recently discovered by ISC Handler Xavier Mertens, and it seems as though the campaign is still active.

The phishing emails look like legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery alerts, the user is warned that messages have not been delivered and told that action must be taken.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails direct the sender to retype the recipient’s email address and resend the message, although conveniently they also provide a Send Again button.

If users click the Send Again button, they are directed to a website that closely resembles the official Office 365 website and includes a login box that has been pre-filled with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the attacker. The user is then redirected to the genuine outlook.office365.com website, where they are shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s address – postmaster@us.ibm.com – looks official, but there is irregular capitalization in the warning text: something that would not appear in an official Microsoft notification.

The most obvious sign that this is a phishing scam is the domain to which users are directed if they click the Send Again button: agilones.com, which is not an authentic Microsoft domain.

While the mistake in the email may be missed, users should notice the domain, although some may still proceed and enter their password, as the login box is identical to the login on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.

Hackers use Office 365 phishing emails because so many companies have signed up to Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. It is also easy to target Office 365 users specifically: a business that uses Office 365 advertises the fact through its public DNS MX records.

Companies can bolster their resilience to phishing attacks through mandatory security awareness training for all staff. Employees should be told to always review messages carefully and should be taught how to spot phishing emails.

Companies should also make sure they have an advanced spam filtering solution in place. While Microsoft does provide anti-phishing protection for Office 365 via its Advanced Threat Protection (ATP) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides protection against phishing and zero-day attacks, an area where ATP struggles.

Lion Air Spear Phishing Campaign Spreading Cannon Trojan

A new malware variant, named the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. This malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has connections to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collecting system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of installing further malware variants on an infected system.

This recently detected malware threat is stealthy and uses a mix of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once installed, an email is sent over SMTPS via port 465, and a further two email addresses are obtained, through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 has been seen before, it is relatively unusual. One benefit of this method of communication is that it is more difficult to identify and block than HTTP/HTTPS.
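The email-based C2 channel described above is harder to spot than HTTP, but workstations normally have no reason to speak SMTPS or POP3S to anything other than the corporate mail server. As an added example (not code from this page or from Unit 42), the check below runs over constructed flow records and flags workstations that open port 465 (SMTPS, named in the article) or port 995 (POP3S) connections to unapproved hosts, rating a host that both sends and polls as the strongest match. The record layout, the approved mail server and the workstation subnet are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports the Cannon Trojan is reported to use: 465 (SMTPS) for sending and
# POP3S for polling its mailboxes, which runs on 995.
MAIL_PORTS = {465: "SMTPS", 995: "POP3S"}

# Assumptions for the example: the one mail server workstations may talk
# mail protocols to, and the subnet that holds user workstations.
APPROVED_MAIL_HOSTS = {"10.20.1.5"}
WORKSTATION_NETS = [ipaddress.ip_network("10.20.4.0/24")]

# Constructed flow records (not real traffic); the key=value layout is assumed.
SAMPLE_FLOWS = """\
ts=2018-11-20T10:02:11Z src=10.20.4.15 dst=10.20.1.5 dport=465 proto=tcp
ts=2018-11-20T10:03:40Z src=10.20.4.15 dst=198.51.100.23 dport=465 proto=tcp
ts=2018-11-20T10:04:02Z src=10.20.4.15 dst=198.51.100.23 dport=995 proto=tcp
ts=2018-11-20T10:05:30Z src=10.20.4.15 dst=198.51.100.23 dport=995 proto=tcp
ts=2018-11-20T10:06:00Z src=10.20.4.31 dst=10.20.1.5 dport=995 proto=tcp
ts=2018-11-20T10:07:12Z src=10.20.4.31 dst=203.0.113.9 dport=443 proto=tcp
ts=2018-11-20T10:08:45Z src=10.20.4.52 dst=203.0.113.77 dport=995 proto=tcp
"""


def parse_flow(line):
    """key=value tokens -> dict, with the destination port as an int."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def is_workstation(ip):
    """True if the source address sits in a workstation subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def find_email_c2_candidates(flow_text):
    """Group SMTPS/POP3S connections to unapproved hosts by workstation.

    A workstation seen using both protocols matches the send-then-poll
    channel the article describes ("bidirectional"); a single protocol is
    weaker evidence but still worth triage ("single-protocol")."""
    per_src = defaultdict(lambda: {"protocols": set(), "destinations": set()})
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        proto_name = MAIL_PORTS.get(flow["dport"])
        if proto_name is None or flow["proto"] != "tcp":
            continue                      # not a mail-over-TLS port
        if flow["dst"] in APPROVED_MAIL_HOSTS or not is_workstation(flow["src"]):
            continue                      # expected mail traffic, or a server
        per_src[flow["src"]]["protocols"].add(proto_name)
        per_src[flow["src"]]["destinations"].add(flow["dst"])

    report = {}
    for src, info in per_src.items():
        both = info["protocols"] == set(MAIL_PORTS.values())
        report[src] = {
            "protocols": sorted(info["protocols"]),
            "destinations": sorted(info["destinations"]),
            "verdict": "bidirectional" if both else "single-protocol",
        }
    return report


if __name__ == "__main__":
    for src, info in find_email_c2_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {info['verdict']} {info['protocols']} -> {info['destinations']}")
```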

The Cannon Trojan, like the Zebrocy Trojan which is also being distributed by APT28, is being delivered through spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in news about the Lion Air plane crash in Indonesia.

The Lion Air spear phishing email appears to provide updates on the victims of the crash, which it claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must click Enable Content to see the contents of the document. It is claimed that the document was created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the document and enabling content lets the macro run, which then silently installs the Cannon Trojan.

Instead of the macro running and installing the payload straight away, the hackers use the AutoClose macro as an anti-analysis mechanism to defer completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing it would be unlikely to flag it as malicious. In addition, the macro will only run if a connection to the C2 is established: even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The methods used by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to preventing infection is blocking the threat at source and stopping it from reaching inboxes. End user training to help employees identify threats such as emails with attachments from unknown senders is also crucial.

Germany Cybercrime Losses Estimated to be €43 Billion

With the world’s largest economy, the United States is naturally a major focus for cybercriminals. Various studies have been carried out in relation to the cost of cybercrime in the United States, but little data has been made available on cybercrime losses in Germany – Europe’s largest economy.

The International Monetary Fund publishes a list of countries with the largest economies. In 2017, Germany came in fourth place after the United States, China, and Japan. Its GDP of $3.68 trillion accounts for 4.61% of global GDP.

A recently released study carried out by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is having on the German economy.

The study surveyed security chiefs and managers at 503 of Germany’s top companies in the manufacturing sector. Based on the results of that survey, BitKom calculated cybercrime losses in Germany to be €43 billion ($50.2 billion). That accounts for 1.36% of the country’s GDP.

Extrapolating Germany’s cybercrime figures globally puts the worldwide cost of cybercrime at $1 trillion, substantially higher than the $600 billion estimate from cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study estimated the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe calculated to be between 0.79% and 0.89% of GDP.

Small to Medium Sized Businesses Most in Danger

While cyberattacks on large enterprises can be highly profitable for cybercriminals, those firms tend to have the resources to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far easier to focus on smaller companies with less robust cybersecurity defenses.

Small to medium sized businesses (SMBs) often do not have the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these firms, which form the backbone of the German economy, are particularly susceptible to cyberattacks and have been extensively targeted by cybercriminals.

It is not just organized cybercriminal groups that are running these attacks. Security officials in Germany have long been concerned about attacks by well-financed foreign spy agencies. Those agencies are using cyberattacks to obtain access to the advanced manufacturing techniques created by German firms that give them a competitive advantage. Germany is one of the world’s main manufacturing nations, so it stands to reason that the German firms are an attractive target.

Cybercriminals are stealing money from German firms and selling stolen data on the black market and nation-state backed hackers are stealing proprietary data and technology to assist manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has gone missing from a quarter of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being used to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems infiltrated and impacted through cyberattacks.

Companies Must Enhance Their Defenses Against Cyberattacks

Achim Berg, head of BitKom recently stated: “With its worldwide market leaders, German industry is particularly interesting for criminals”. Companies, SMBs especially, must take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to stop cybercriminals from gaining access to their systems and data.

Thomas Haldenweg, deputy president of the BfV domestic intelligence agency stated: “Illegal knowledge and technology transfer … is a mass phenomenon.”

Stopping cyberattacks is not easy. There is no single solution that can safeguard against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are prevented from gaining access to sensitive data.

Companies need to carry out regular, in-depth organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified dangers must then be addressed through a robust risk management process and layered defenses put in place to thwart attackers.

One of the chief vectors for attack is email. Figures from Cofense indicate that 91% of all cyberattacks begin with a malicious email. It stands to reason that enhancing email security should be a key priority for German firms. This is an area where TitanHQ can be of assistance.

TitanHQ is a supplier of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To discover more about how TitanHQ’s cybersecurity solutions can help to enhance the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team now.

Windows Components Used to Install Banking Trojans in New Office 365 Threat

The attack begins with malspam including a dangerous link embedded in an email. A range of different themes could be used to entice users into clicking the link, although one of the latest campaigns pretends to be emails from the national postal service in Brazil.

The emails claim the postal service tried to send a package, but the delivery failed as there was no one at home. The tracking code for the package is sent in the email and the user is requested to click the link in the email to receive the tracking data.

In this instance, visiting the link triggers a popup asking the user to confirm the download of a zip file, which is claimed to contain the tracking data. If the zip file is downloaded, the user is asked to click on a LNK file to receive the data. The LNK file runs cmd.exe, which in turn runs the Windows Management Instrumentation (WMI) command-line utility, wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and to create a copy of another Windows file – certutil.exe – in the %temp% folder under the name certis.exe. A script then runs which instructs certis.exe to connect to a different C2 server and download further malicious files.

The focus of this attack is to use authentic Windows files to install the malicious payload: A banking Trojan. The use of real Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload unnoticed.

These Windows files can install other files for legitimate purposes, so it is hard for security teams to spot malicious activity. This campaign focuses on users in Brazil, but this Office 365 threat should be a worry for all users as other threat actors have also tried this tactic to install malware.

Due to the difficulty in differentiating between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is simplest at the initial point of attack: preventing the malicious email from being delivered to an inbox, and providing security awareness training to staff to help them identify this Office 365 threat. The latter is crucial for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will stop the last line of defense from being tested.
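Even though wmic.exe and certutil.exe are legitimate, the chain above leaves traces that endpoint telemetry can pick out: a copy of certutil.exe running under a different name from a user-writable folder, and wmic.exe launched by cmd.exe with a remote URL on its command line. The following Python is an added example written for this page (it is not TitanHQ or SpamTitan code) that checks Sysmon-style process-creation events for exactly those traces. It assumes each event is a dict carrying the Sysmon Event ID 1 fields Image, ParentImage, CommandLine and OriginalFileName; the sample events are constructed, and their command lines are placeholders rather than working invocations.

```python
"""Spot the living-off-the-land chain described above (LNK -> cmd.exe ->
wmic.exe -> renamed certutil.exe) in Sysmon-style process-creation events.

Added example, not TitanHQ/SpamTitan code. Assumes each event is a dict
carrying the Sysmon Event ID 1 fields Image, ParentImage, CommandLine and
OriginalFileName. The sample events at the bottom are constructed.
"""
import ntpath
import re
from typing import Dict, List

# Legitimate Windows binaries the page describes being abused.
LOLBINS = {"wmic.exe", "certutil.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def analyse_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty when the event looks benign)."""
    findings: List[str] = []
    image = ev.get("Image", "")
    name = _base(image)
    parent = _base(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()

    # 1. Renamed copy of a system binary: the PE header still says
    #    certutil.exe but the file on disk is called something else
    #    (the page: certutil.exe copied to %temp% as certis.exe).
    if original in LOLBINS and name != original:
        findings.append(f"renamed {original} running as {image}")

    # 2. A known LOLBin executing from outside the Windows system directories.
    if (original in LOLBINS or name in LOLBINS) and not image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"{name} executing from non-system path {image}")

    # 3. wmic.exe launched by cmd.exe with a remote URL on its command line,
    #    i.e. being used to talk to an external server rather than query WMI.
    if name == "wmic.exe" and parent == "cmd.exe" and URL_RE.search(cmdline):
        findings.append("wmic.exe spawned by cmd.exe with a remote URL")

    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced one."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = analyse_event(ev)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample telemetry (not real logs). Command lines are
# illustrative placeholders, not working invocations.
SAMPLE_EVENTS = [
    {   # benign: admin querying WMI locally
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "wmic os get caption",
        "OriginalFileName": "wmic.exe",
    },
    {   # suspicious: cmd.exe -> wmic.exe pointed at a remote host
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "wmic <placeholder args> http://c2.example.invalid/stage",
        "OriginalFileName": "wmic.exe",
    },
    {   # suspicious: certutil.exe copied to %temp% and renamed
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\certis.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "certis.exe <placeholder args> http://c2-2.example.invalid/payload",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # benign: the real certutil hashing a file
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "certutil -hashfile report.pdf SHA256",
        "OriginalFileName": "CertUtil.exe",
    },
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

The OriginalFileName field is what makes the renamed-binary check robust: the name embedded in the PE version resource does not change when the file is copied to certis.exe, so the mismatch between it and the on-disk name is a reliable signal regardless of what the attacker calls the copy.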

How to Prevent this Office 365 Threat with SpamTitan & Enhance Email Security

Microsoft uses many techniques to identify malspam and stop malicious messages from reaching users’ inboxes; however, while efforts have been made to enhance the effectiveness of the spam filtering controls of Office 365, many malicious messages are still sent.

To enhance Office 365 security, a third-party spam filtering solution should be deployed. SpamTitan has been created to allow simple integration into Office 365 and provides superior protection against a wide variety of email threats.

SpamTitan uses different methods to stop malspam from being sent to end users’ inboxes, including predictive techniques to spot threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and stop malicious emails from reaching inboxes.


Security Solutions for MSPs to Prevent Office 365 Threats

Many MSPs resell Office 365 licenses to their clients. Office 365 permits MSPs to capture new business, but the margins are tiny. By offering extra services to improve Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while growing the profitability of Office 365.

TitanHQ has been creating innovative email and web security solutions for over 25 years. Those solutions have been created from the foundations up with MSPs, for MSPs. Three solutions are ideal for use with Office 365 for compliance and to enhance security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.

By including these solutions into Office 365 packages, MSPs can supply clients with much greater value as well as majorly improving the profitability of offering Office 365.

To discover more about each of these solutions, speak to TitanHQ. The MSP team will outline how the products operate, how they can be adapted to your company, and how they can boost margins on Office 365.

ArcTitan Offers Lightning-Fast, Enterprise-Class Microsoft Exchange Email Archiving for your Business

Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, it is a requirement in business to have an email archiving solution in order to ensure that emails are not lost, emails can be retrieved on demand and storage space is kept to a minimum. Although native Microsoft Exchange email archiving is already available, most businesses will find the archiving options are not up to standard. The only alternative is to adopt a third-party email archiving solution. This will provide all the features required by businesses, as well as improve efficiency and save on cost. In order to improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: a secure, fast, cloud-based email archiving solution.

What Email Archiving is and its Importance

Businesses have been required by federal, state, and industry regulations to retain emails for many years. Often a considerable amount of storage space is taken up by storing emails, especially when you consider the number of emails that are typically sent and received by employees daily. Although it suffices for businesses to store emails in backups to meet legal requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly. This is simply not possible with backups, because they are not searchable. The solution to this problem is an email archive. In comparison to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.

Email Archiving Necessary for eDiscovery and GDPR Compliance

An email archiving solution is essential for eDiscovery. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for failing to produce emails. An example of this can be seen in the Zubulake v. UBS Warburg case, where the plaintiff was awarded $29 million as a result of the failure to produce emails.

In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required on request to produce (and delete) every element of an individual’s personal data, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is more substantial.

Native Microsoft Exchange Email Archiving Drawbacks

Native Microsoft Exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.

When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive and they can’t delete emails unless a legal hold is activated. For admins, retrieving emails can be complicated and extremely time consuming.

With native Microsoft Exchange email archiving, functions fail to meet the needs of a lot of businesses particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain with most product versions and archiving can be complex with certain email architectures.

Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.

There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.

Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. However, despite the improvements that have been made by Microsoft, a third-party solution for email archiving on Microsoft Exchange is still required.

A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.

ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving

ArcTitan has been specifically developed for email archiving making it more specialised than competitors. ArcTitan has been designed to meet all the archiving needs of businesses and allow managed service providers to offer email archiving to their clients.

The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses to meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail. This allows businesses to have near instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.

ArcTitan Features

ArcTitan requires no hardware or software, is quick and easy to install, and slots in to the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.

Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% storage space. Costs are also kept to a minimum with a flexible pay as you go pricing policy, with subscriptions paid per live user.

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
  • A full data retention and eDiscovery policy
  • HIPAA, SOX (and more) standard compliance and audited access trail
  • SuperFast Search™ – email is compressed, zipped, and uses message de-duplication and attachment de-duplication, ensuring fast search and retrieval
  • Web console access with multi-tiered and granular access options – You decide user access permissions
  • No hardware / software installation required
  • Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Secure transfer from your email server
  • Encrypted storage on AWS cloud
  • Instantly searchable via your browser – You can find archived emails in seconds
  • Maintains a complete audit trail
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

California Wildfire Scam Email Warning Issued

A California wildfire scam is underway that asks for donations to help those impacted by the recent wildfires. The emails seem to come from the CEO of a company and are aimed at its staff members in the accounts and finance sections.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Scammers often move swiftly following natural disasters to pull on the emotions and defraud businesses. Similar scams were carried out in the wake of the recent hurricanes that hit the United States and caused widespread harm.

The California wildfire scam, discovered by Agari, is a business email compromise (BEC) attack. The emails seem to have been sent by the CEO of a company, with his/her email address used to transmit messages to company staff. This is often accomplished by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to broadcast the messages.

The California wildfire scam includes one major red flag. Rather than ask for a monetary donation, the scammers request money in the form of Google play gift cards. The messages ask for the redemption codes to be sent back to the CEO by reply.

The emails are sent to staff members in the accounts and finance departments and the emails ask that the money be donated in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google play gift cards are asked for is they can easily be exchanged on darknet forums for other currencies. The gift cards are almost impossible to trace back to the hacker.

The messages include many grammatical errors and incorrect spellings, which is another indication that the messages are not authentic. However, scams like this are sent because they are successful. Many people have been tricked by similar scams previously.

Safeguarding against scams like this requires a combination of technical controls, end user training and company policies. An advanced spam filtering solution should be put in place – SpamTitan for instance – to stop messages such as these from arriving in inboxes. SpamTitan checks all incoming emails for spam signatures and uses complex techniques such as heuristics, machine learning and Bayesian analysis to spot advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts. Those workers are usually targeted by scammers. Policies should be put in place that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are given approval.

A combination of these tactics will help to secure businesses from BEC attacks and other email scams.

California Wildfire Scam Warning

A California wildfire scam is doing the rounds that asks for donations to be made in order to help the victims of the recent wildfires. The emails look like they have been sent from the CEO of a company and are aimed at its employees in the accounts and finance sections.

It will be no shock to learn that cybercriminals are taking advantage of a natural disaster and are attempting to trick people into giving donations. Cybercriminals often take advantage of natural disasters to pull on the heart strings and defraud companies. Scams like this were conducted in the wake of the recent hurricanes that hit the United States and caused a lot of damage.

The California wildfire scam, first discovered by Agari, is a form of business email compromise (BEC) attack. The emails are created to look like they were sent by the CEO of a company, with his/her email address used to send messages to company staff. They do this by spoofing the email address although in some cases the CEO’s email account has been compromised and is used to share the emails.

The California wildfire scam includes one big warning sign. Rather than asking for a monetary donation, the scammers request money to be donated using Google play gift cards. The messages request the redemption codes be returned to the CEO by return.

The emails are sent to staff in the accounts and finance departments and the emails request that the money be donated in the form of 4 x $500 denomination gift cards. If these are sent back to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google Play gift cards are requested is that they can easily be exchanged on darknet forums for other currencies. The gift cards are practically impossible to trace back to the hacker.

The messages are full of grammatical mistakes and spelling errors, which is another sign that the messages are not authentic. However, scams like this are sent because they are successful. Many people have been reeled in by similar scams on previous occasions.

Safeguarding against scams such as this requires technical controls, end user training and company policies. An advanced spam filtering solution should be deployed – like SpamTitan – to stop messages such as these from reaching inboxes. SpamTitan audits all incoming emails for spam signatures and uses advanced techniques including heuristics, machine learning, and Bayesian analysis to identify advanced and previously unseen phishing attacks.

End user training is vital for all workers, especially those who can access corporate bank accounts. Those employees are often targeted by scammers. Policies should be devised that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a specific threshold to be confirmed by phone or in person before they are approved.

A combination of these measures will help to safeguard companies from BEC attacks and other email scams.
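The two wildfire scam write-ups above describe the same set of red flags: a display name that matches the CEO while the address behind it is not the CEO's, a request for Google Play gift cards with the redemption codes wanted back by reply, and disaster-relief urgency. The following Python is an added example (it is not SpamTitan's filtering logic) that turns those red flags into a simple score over a raw RFC 5322 message using only the standard library. The organisation domain, the executive lookup table and both sample messages are constructed placeholders.

```python
"""Score an inbound message for the gift-card BEC pattern described above: a
sender that presents as an executive, a request for gift cards, and the
redemption codes wanted back by reply.

Added example, not SpamTitan's filtering logic. Assumes the organisation's
own domain and its executives' real addresses are known; the values below and
the two sample messages are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List, Tuple

ORG_DOMAIN = "example.com"                          # assumption: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real address
GIFT_CARD_TERMS = ("gift card", "google play", "redemption code", "itunes")
PRESSURE_TERMS = ("urgent", "as soon as possible", "right away", "disaster", "wildfire", "donation")
ALERT_THRESHOLD = 5


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher means more likely a BEC attempt."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + (msg.get("Subject") or "")).lower()

    score, reasons = 0, []
    expected = EXECUTIVES.get(name.strip().lower())

    # Display name matches an executive but the address is not theirs
    # (the spoofing the page describes).
    if expected and addr.lower() != expected:
        score += 3
        reasons.append(f"display name '{name}' is an executive but address is {addr}")

    # Executive name on a message from outside the organisation's own domain.
    if expected and addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        score += 1
        reasons.append("sender domain is not the organisation's domain")

    # Replies steered to a different mailbox than the apparent sender.
    if reply_addr and reply_addr.lower() != addr.lower():
        score += 2
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    # The gift-card ask itself, in subject or body.
    if any(t in text for t in GIFT_CARD_TERMS):
        score += 3
        reasons.append("asks for gift cards or redemption codes")

    # Urgency / disaster-relief pressure.
    if any(t in text for t in PRESSURE_TERMS):
        score += 1
        reasons.append("uses urgency or disaster-relief pressure")

    return score, reasons


def is_suspicious(raw: str) -> bool:
    """True when the message should be quarantined or flagged for review."""
    return score_message(raw)[0] >= ALERT_THRESHOLD


# Constructed sample messages (not real scam text).
SPOOFED = """From: Jane Doe <jane.doe@example-mail.net>
To: accounts@example.com
Subject: Urgent - wildfire relief for our clients

Hi, I need you to buy 4 Google Play gift cards of $500 each for clients hit
by the wildfires. Send me the redemption codes by reply as soon as possible.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 supplier invoices

Could you send me the Q3 supplier invoices when you have a moment?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} suspicious={is_suspicious(raw)} {reasons}")
```

The display-name check is the one that catches the case the page singles out: a CEO's name on a message whose actual address belongs to an outside mailbox. Where the CEO's real account has been compromised, that check is silent, which is why the gift-card and urgency terms carry their own weight and why the policy controls described above (out-of-band confirmation of unusual payment requests) still matter.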

Spam News

Our spam news section is a collection of up-to-date news articles on the latest threats that are likely to hit the inboxes of your employees. Hackers are always changing tactics with new spam email campaigns, different social engineering ploys and new methods of installing malware and ransomware. By keeping up to date on the most recent spam news, organizations can take timely action to tackle risk.

In relation to that, a spam filtering solution is crucial. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be infiltrated. A spam filter will check all incoming email messages and search for typical spam signatures in addition to checking senders’ email accounts against blacklists of known hackers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of recognized malicious domains.

Armed with the most recent spam news articles, information security teams can send email alerts to their staff warning of pertinent threats that they need to know about.

This section also includes news on industry-specific hacking attacks, in particular those that are being used to focus on and take advantage of the healthcare, education, financial services, legal and hospitality sectors.

Web Filtering Software for Schools

Although the aims of the Children´s Internet Protection Act (CIPA) – and later state legislation relating to web filters for schools – were undoubtedly well-intentioned, some educational institutions have been reluctant to adopt school web filtering software.

Some of the reasons for this reluctance are logical. Over-zealous web filters for schools can stop students from accessing educational material and teenage support groups, while students from lower-income families without home Internet can be hindered by “digital deprivation” in an over-filtered environment.

It is sometimes the case that school web filtering software is responsible for an over-filtered environment. Depending on the extent of the software, it may have a high maintenance overhead or lack the versatility to account for students of different ages studying a wide range of topics.

In these instances, it is easier for system managers to apply the maximum security settings to ensure compliance with federal and state laws. This is when the issues are seen. Now, there is a solution from SpamTitan that can resolve these issues quickly and simply – WebTitan Cloud.

WebTitan Cloud is cloud-based school web filtering software that is quick to put in place and easy to configure. Being a cloud-based solution, there is no hardware to buy or software to be installed – so no technical skills are required and there are no upfront costs to consider.

Once active, WebTitan Cloud uses a three-tier mechanism to review each request to visit a website against its filtering parameters, providing the level of granularity web filters for schools should have in order to be effective in a multi-age, multi-cultural environment.

The filtering parameters can be created according to age, by user, by class, or by year – and password protected – to ensure each student is able to access the educational and age-appropriate material they need to become digitally literate and in order to be able to seek help from support groups if needed.

Along with its versatility, WebTitan Cloud provides a safe barrier against online content prohibited by CIPA and protects networks and users´ devices against malware, adware, spyware and ransomware. Our school web filtering software also has security measures to prevent students trying to circumvent the filtering parameters. With WebTitan Cloud schools can:

  • Restrict access to VPNs and proxy websites.
  • Set up multilingual filter settings.
  • Stop access to cached website pages.
  • Filter out numerical IP addresses.

For schools that supply a wireless network for students, WebTitan Cloud for WiFi is equally as versatile and safe. Our school web filtering software for wireless networks allows schools to manage the content students can access from their mobile devices, and supplies a deep analysis of network activity – right down to the online activity of each individual user.

In states where parents have the right to state the level of Internet access their children can have at school, the versatility of WebTitan Cloud for WiFi prevents the scenario in which every child has to adhere to the wishes of the strictest parent. The detailed level of oversight also helps to identify students who may be using the Internet inappropriately and who are then vulnerable to online attacks.

Our WiFi web filters for schools can be deployed to filter Internet content from a single hotspot or multiple hotspots. They safeguard users´ devices as well as the school´s network without affecting the speed at which web content is delivered. They also have a very useful bandwidth-restricting function that can stop students consuming a school´s bandwidth by streaming sports, films and music videos.

Our school web filtering software for both fixed networks and wireless networks has been created to be effective against online threats, compliant with federal and state laws, easy to use and sufficiently versatile to resolve concerns about stopping students from accessing educational material and teenage support groups. Now we invite you to test our web filters for schools for free.

If your school has been reluctant to put in place school web filtering software due to worries regarding an over-filtered environment, we invite you to contact us and discuss your concerns. Our team of Sales Technicians will reply to any questions you have about web filters for schools and invite you to have a free trial of WebTitan Cloud or WebTitan Cloud for WiFi – whichever is the most appropriate solution for your specific circumstances.

There are no set-up expenses, no credit cards are required and there are no contracts to complete in order to take advantage of our offer. Our free trial is intended to give you the chance to evaluate the merits of school web filtering in your own environment and there is no obligation on you to go on using our service once the free trial has ended. Call us now and your school could be safeguarding your students from online dangers and inappropriate content within 15 minutes.

MSPs Email Archiving: A Simple Way to Win Business & Increase Email Revenue

Email archiving for MSPs is an often-disregarded service that can add value and enhance profits. Email archiving is simple to implement and control, has a high margin, generates regular extra income, and is a simple sell to clients.

In this post we look into the advantages for clients and MSPs and explain why email archiving for MSPs and their clients is a win-win.

Advantages of Email Archiving for SMBs

Email archiving is now crucial for organizations of all sizes, from SMBs to the largest enterprises. Huge amounts of emails are sent and received on a daily basis and duplicates of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes poses issues. The storage space necessary for emails and attachments can be considerable, which means hardware must be purchased and maintained. In terms of security, storing large amounts of emails in mailboxes is never wise.

Storing emails in backups is a solution, although it is far from ideal. Space is still necessary and recovering emails when they are needed is a major issue, as backup files are not indexed and searching for messages can be extremely time consuming.

An email archive, on the other hand, is indexed and searchable, and emails can be quickly and easily retrieved on demand. If there is a legal dispute or when an organization needs to demonstrate compliance – with GDPR or HIPAA for example – companies need to be able to recover emails quickly and easily. An email archive also puts in place a clear chain of custody, which is also necessary for compliance with many regulations.

Cloud-based archives offer secure storage for emails with no limits on storage space. Cloud storage is highly scalable and emails can be easily retrieved from any location.

In short, email archiving can enhance efficiency, enhance security, lower expenses, and is an invaluable compliance tool.

Advantages of Email Archiving for MSPs

Given the advantages of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into current email packages to offer greater value and make your packages stand out from those of your competitors.

As an add-on service, Office 365 archiving-as-a-service will lead to regular income for very little effort and will improve the meagre returns from simply offering Office 365 to your clients. As part of a package it can help you to win more business.

ArcTitan – Email Archiving for MSPs the Easy Way

TitanHQ is a leading provider of cloud-based security solutions for MSPs. All TitanHQ products – SpamTitan, WebTitan and ArcTitan SaaS email archiving – have been created from the ground up to specifically meet the requirements of MSPs.

ArcTitan has been created to be easy to adapt and manage, and it seamlessly integrates into MSPs’ service stacks, allowing them to supply increased value to clients and make email services a much more lucrative offering. On that front, TitanHQ is able to offer generous profits on ArcTitan for MSPs.

ArcTitan Advantages for MSPs

  • Easy to adapt
  • No hardware necessary
  • No software installation required
  • Very scalable email archiving
  • Safe, cloud-based storage with a simple to use centralized management system
  • Enhances profitability of Office 365
  • Simple for MSPs to set up
  • Straight forward for clients to use
  • Great profits for MSPs
  • Available with a full suite of APIs for easy integration
  • Usage-based pricing and monthly invoices
  • Multiple hosting solutions: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data center
  • Completely rebrandable – ArcTitan can be supplied in white-label form ready for your own branding
  • Top class customer service and support

If you have yet to begin providing email archiving to your clients or if you are unhappy with your current supplier, get in touch with the TitanHQ MSP team today for full ArcTitan product information, details of pricing, and further information on our Alliance program.

Emotet Malware Being Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the modus operandi of the threat group behind the attacks.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these recent campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, and Emotet in turn installs a secondary payload. In past campaigns, Emotet has been delivered along with ransomware: first Emotet steals details, then the ransomware is used to steal money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.

An additional campaign has been seen that uses Thanksgiving-themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the downloaded document seems to be a Word file, it is actually an XML file.
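The point in the last sentence, a file presented as a Word document whose content is really XML, is something a mail gateway or attachment scanner can check directly by comparing the declared extension against the file's leading bytes. The following Python is an added example written for this page (not Cofense or TitanHQ code) that does that comparison using well-known container signatures; the sample attachments are constructed.

```python
"""Compare an attachment's declared extension with what its first bytes say it
is, catching the mismatch the Thanksgiving Emotet lure relied on (a file
presented as a Word document that is really XML).

Added example, not Cofense or TitanHQ code. Uses only well-known file
signatures; the sample attachments below are constructed.
"""
import os
from typing import Tuple

# (leading bytes, content kind) for the container formats that matter here.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy binary .doc/.xls
    (b"PK\x03\x04", "zip"),                         # .docx/.xlsx are zip containers
    (b"{\\rtf", "rtf"),
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                  # Windows executable
]

# What a given extension is expected to contain.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".xls": {"ole2"},
    ".xlsx": {"zip"},
    ".rtf": {"rtf"},
    ".pdf": {"pdf"},
    ".xml": {"xml"},
}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return kind
    # XML may start with a UTF-8 BOM or whitespace before the declaration.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Tuple[str, bool]:
    """Return (detected kind, mismatch flag).

    mismatch is True when the extension is one we know about and the content
    is not one of the kinds that extension should carry.
    """
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and kind not in expected
    return kind, mismatch


# Constructed samples: a Word 2003 XML body saved under a .doc name, a
# truncated docx header, a PE stub named as a PDF, and an honest XML file.
SAMPLES = {
    "Thanksgiving_card.doc": b'<?xml version="1.0"?><w:wordDocument/>',
    "invoice.docx": b"PK\x03\x04\x14\x00\x00\x00",
    "statement.pdf": b"MZ\x90\x00\x03\x00",
    "greeting.xml": b'\xef\xbb\xbf<?xml version="1.0"?><greeting/>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, bad = check_attachment(name, blob)
        print(f"{name}: content={kind} mismatch={bad}")
```

A mismatch is not proof of malice on its own (Word will happily open a Word 2003 XML file named .doc), but it is cheap to compute and a good reason to route the attachment to sandboxing or to block it under a policy that only admits the container formats the business actually exchanges.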

A new version of Emotet malware has been released recently. Along with stealing credentials, a new module has been added that harvests emails from an infected user. The previous six months’ emails – including subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and for data theft.

The latest increase in Emotet malware campaigns, and the wide variety of tactics used by the threat actors behind these campaigns, highlight the importance of implementing a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide security against email attacks.

Phishing campaigns aim for a weak link in security defenses: staff members. It is therefore vital to ensure that all employees with corporate email accounts are taught how to spot phishing threats. Training needs to be constant and should cover the latest tactics used by cybercriminals to spread malware and steal details. Staff are the last line of defense. Through security awareness training, the defensive line can be greatly strengthened.

As a frontline defense, all businesses and groups should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide protection against more complex email attacks.

SpamTitan is an advanced email filtering solution that employs predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to discover emerging threats. Greylisting is used to identify and block large spam campaigns, such as those typically carried out by the threat actors spreading banking Trojans and Emotet malware.

How SpamTitan Spam Filtering Works

 

Lion Air Spear Phishing Campaign Shares Stealthy Cannon Trojan

A newly created malware variant, called the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been attributed to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collating system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of loading further malware variants onto a compromised system.

The new malware threat is stealthy and uses a range of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once installed, the malware sends an email over SMTPS on port 465, and two further email addresses are obtained through which the malware communicates with its C2 using POP3S to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively unusual. One advantage of this method of communication is that it is more difficult to spot and block than HTTP/HTTPS.
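The point above is that mail protocols are a poor fit for the usual HTTP-centric C2 detections, but they are not invisible: on a workstation, only the mail client should be talking SMTPS or POP3S. The following is an added example, not code from the original article or from Unit 42, that applies that rule to a constructed list of outbound connection events. The allow-list of mail clients and the connection records are assumptions for the example.

```python
from collections import defaultdict

# Well-known mail ports. The Cannon Trojan used SMTPS (465) to send and
# POP3S (995) to receive, which is the pattern the second rule looks for.
MAIL_PORTS = {465: "SMTPS", 587: "SMTP submission", 993: "IMAPS", 995: "POP3S"}

# Processes that legitimately speak these protocols on a typical workstation
# (assumed allow-list; extend it for your own estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample of outbound connection events as an EDR or host
# firewall might record them: (process image, destination host, port).
SAMPLE_CONNECTIONS = [
    ("outlook.exe", "outlook.office365.com", 993),
    ("outlook.exe", "smtp.office365.com", 587),
    ("winword.exe", "smtp.freemail.example", 465),   # Office process sending mail directly
    ("winword.exe", "pop.freemail.example", 995),    # ...and polling a mailbox for tasking
    ("chrome.exe", "www.example.org", 443),
]


def find_mail_channel_abuse(connections):
    """Return (process, rule, detail) findings for non-mail processes using mail protocols.

    A process that both sends (465/587) and receives (993/995) gets an extra
    'bidirectional-mail-c2' finding, since that is the shape of an
    email-based command and control channel.
    """
    findings = []
    ports_by_proc = defaultdict(set)
    for image, host, port in connections:
        proc = image.lower()
        if port in MAIL_PORTS and proc not in MAIL_CLIENTS:
            ports_by_proc[proc].add(port)
            findings.append((proc, "non-mail-client-mail-port",
                             f"{MAIL_PORTS[port]} to {host}"))
    for proc, ports in ports_by_proc.items():
        sending, receiving = ports & {465, 587}, ports & {993, 995}
        if sending and receiving:
            findings.append((proc, "bidirectional-mail-c2",
                             "sends via " + "/".join(MAIL_PORTS[p] for p in sorted(sending))
                             + ", receives via " + "/".join(MAIL_PORTS[p] for p in sorted(receiving))))
    return findings


if __name__ == "__main__":
    for finding in find_mail_channel_abuse(SAMPLE_CONNECTIONS):
        print(*finding, sep=" | ")
```

In the sample, winword.exe is flagged twice for using mail ports and once more for using both a sending and a receiving protocol, while the real mail client and the browser produce nothing. On a mail server or a host running a scripted mailer the allow-list would need to be extended, which is why the list is a parameter of the deployment rather than a constant truth.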

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being distributed via spear phishing emails. Two email templates have been captured by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing email claims to provide data on the victims of the crash, which it says are listed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must click Enable Content to see the contents of the document; the document claims it was created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the document and enabling content triggers the macro to run, which then silently installs the Cannon Trojan.

Rather than having the macro run and download the payload immediately, the attackers use the Windows AutoClose tool as an anti-analysis mechanism to delay completion of the macro routine until the document is closed. Only then is the Trojan installed. A sandbox that analyzes the document and exits before closing it would be unlikely to flag it as malicious. Further, the macro will only run if a connection with the C2 is established: even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques employed by the attackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to preventing infection is blocking the threat at source and stopping it from reaching inboxes. Providing end user training to help employees identify threats such as emails with attachments from unknown senders is also vital.

Banking Trojans Installed Using Windows Components in New Office 365 Threat

A new Office 365 threat has been discovered that stealthily downloads malware by hiding its communications and downloads behind legitimate Windows components.

The attack begins with a malspam email containing a malicious link. Various themes could be used to lure users into clicking the link, although one of the latest campaigns masquerades as emails from the national postal service in Brazil.

The emails claim the postal service tried to deliver a package, but the delivery failed as there was no one home. The tracking code for the package is listed in the email and the user is requested to click the link in the email to receive the tracking data.

In this instance, clicking the link leads to a popup asking the user to confirm the download of a zip file, which is claimed to contain the tracking information. If the zip file is downloaded, the user is asked to click on a LNK file to view the information. The LNK file runs cmd.exe, which executes the Windows Management Instrumentation command-line utility, wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and creates a copy of another legitimate Windows file, certutil.exe, in the %temp% folder under the name certis.exe. A script then runs which instructs certis.exe to connect to a different C2 server to download malicious files.

The defining feature of this attack is the use of legitimate Windows files to install the malicious payload: a banking Trojan. Using legitimate Windows files for communication and for downloading files helps the attackers bypass security controls and deliver the payload unnoticed.

These Windows files also download files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users, as other threat actors have also adopted this tactic to download malware.
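Telling legitimate wmic.exe and certutil.exe use apart from the chain described above is hard on the command line alone, but the chain leaves other traces: certutil.exe was copied to %temp% and run under a different name, and wmic.exe was launched from a cmd.exe that a shortcut started under explorer.exe. The following is an added example, not code from the original article, that checks for those three signals over constructed process-creation events in the style of a Sysmon or EDR export; the field names, the process tree and the user-writable directory list are assumptions for the example.

```python
import csv
import io

# Windows binaries that are legitimate but frequently abused ("living off the
# land"); the campaign above used wmic.exe and a renamed copy of certutil.exe.
LOLBINS = {"certutil.exe", "wmic.exe"}

# Directories a standard user can write to; system binaries do not live here.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events. original_file_name comes from the PE
# version resource, so renaming the file on disk does not change it.
# All pids, paths and command lines are made up for the example.
SAMPLE_EVENTS = r"""pid,ppid,image,original_file_name,command_line
4012,1200,C:\Windows\explorer.exe,EXPLORER.EXE,explorer.exe
5120,4012,C:\Windows\System32\cmd.exe,Cmd.Exe,cmd.exe /c tracking.lnk
5188,5120,C:\Windows\System32\wbem\WMIC.exe,wmic.exe,wmic.exe [arguments omitted]
5300,5188,C:\Users\u\AppData\Local\Temp\certis.exe,CertUtil.exe,certis.exe [arguments omitted]
6000,4012,C:\Windows\System32\certutil.exe,CertUtil.exe,certutil -verify cert.cer
"""


def parse_events(text):
    """Parse the CSV export into {pid: event} with integer pid/ppid."""
    events = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["pid"], row["ppid"] = int(row["pid"]), int(row["ppid"])
        events[row["pid"]] = row
    return events


def _image_name(path):
    """File name component of a Windows path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) findings for the three behaviours above."""
    findings = []
    for ev in events.values():
        orig = ev["original_file_name"].lower()
        name = _image_name(ev["image"])
        path = ev["image"].lower()
        # 1. A known LOLBin whose on-disk name differs from its PE name.
        if orig in LOLBINS and name != orig:
            findings.append((ev["pid"], "renamed-lolbin", f"{orig} running as {name}"))
        # 2. A known LOLBin executing from a user-writable directory.
        if orig in LOLBINS and any(d in path for d in USER_WRITABLE):
            findings.append((ev["pid"], "lolbin-in-user-writable-path", ev["image"]))
        # 3. wmic.exe launched by a cmd.exe that explorer.exe started
        #    (the shape of a double-clicked shortcut).
        if orig == "wmic.exe":
            parent = events.get(ev["ppid"])
            grandparent = events.get(parent["ppid"]) if parent else None
            if (parent and grandparent
                    and parent["original_file_name"].lower() == "cmd.exe"
                    and grandparent["original_file_name"].lower() == "explorer.exe"):
                findings.append((ev["pid"], "wmic-via-shell-from-explorer",
                                 "explorer.exe -> cmd.exe -> wmic.exe"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(*finding, sep=" | ")
```

The genuine certutil.exe run from System32 (pid 6000) produces no finding, which is the point: the rules key on where and under what name the binary runs and on who launched it, not on the fact that certutil or wmic ran at all.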

Since it is difficult to distinguish between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is simplest at the initial point of attack: stopping the malicious email from reaching an inbox, and providing security awareness training so that workers can spot this Office 365 threat. The latter is vital for all companies, as security awareness training turns employees into a strong last line of defense. The former can be achieved with a spam filtering solution such as SpamTitan, which ensures that last line of defense is rarely put to the test.

Microsoft uses many different ways to spot malspam and prevent malicious messages from arriving in users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still reaching their destinations.

To enhance Office 365 security, a third-party spam filtering solution should be implemented. SpamTitan has been designed for easy integration with Office 365 and provides superior protection against a wide range of email threats.

SpamTitan uses a range of different methods to stop malspam from reaching end users’ inboxes, including predictive techniques to discover threats that are missed by Office 365 security controls. These methods ensure industry-leading catch rates of over 99.9% and stop malicious emails from arriving in inboxes.

HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways threat actors deliver malware is through malvertising: the placement of malicious adverts on legitimate websites that send visitors to sites where malware is installed. The HookAds malvertising campaign is one such example, and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor arrives on a web page. The visitor’s computer is probed to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are probed for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being distributed via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: one is being used to distribute the DanaBot banking Trojan and the other is delivering two malware payloads – the Nocturnal data stealer and GlobeImposter ransomware – via the Fallout exploit kit.

Exploit kits can only deliver malware to unpatched devices, so businesses will only be at risk from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches, and exploits for new vulnerabilities are frequently added to EKs such as Fallout. For this reason, a security solution is needed to block this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks offered by low quality ad networks – those often used by owners of online gaming websites, adult sites, and other types of websites that employees should not be visiting. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites alongside legitimate ads. The use of a web filter is advisable to mitigate this threat.

Emotet Malware Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the usual operating method of the threat group responsible for the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails include hyperlinks that take users to a website where the Word document is downloaded.

Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn installs a secondary payload. In previous campaigns, Emotet has been delivered along with ransomware: first Emotet steals credentials, then the ransomware is used to extort money from victims. In the most recent campaign, the secondary malware is the banking Trojan IcedID.

Another campaign has been discovered that uses Thanksgiving-themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages claim that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the downloaded document appears to be a Word file, it is actually an XML file.

Emotet malware has also been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The past six months’ emails – including subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and for data theft.

The recent rise in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, emphasise the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on a single cybersecurity solution to provide protection against these attacks.

Phishing campaigns aim for a weak link in security defenses: staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by hackers to spread malware and steal data. Staff members are the last line of defense. Through security awareness training, that defensive line can be significantly strengthened.

As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and block large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.
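Greylisting is mentioned twice on this page (here and in the earlier Emotet write-up) without saying how it works, so here is an added example, not SpamTitan's code, that implements the standard mechanism: the first delivery attempt from an unseen (client IP, envelope sender, envelope recipient) triplet is temporarily rejected with an SMTP 451, a real mail server retries after a delay and is then accepted, while fire-and-forget spam engines never come back. The delay, expiry and sample delivery attempts are constructed values for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Minimal greylist keyed on the (client IP, sender, recipient) triplet."""
    min_delay: float = 300.0        # seconds a triplet must wait before acceptance
    max_age: float = 4 * 3600.0     # forget triplets that never retried after this long
    first_seen: dict = field(default_factory=dict)
    allowed: set = field(default_factory=set)

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP-style verdict for one delivery attempt at time `now`."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.allowed:
            return "250 accept"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.max_age:
            # Unknown (or stale) triplet: record it and ask the sender to retry.
            self.first_seen[triplet] = now
            return "451 greylisted, try again later"
        if now - seen < self.min_delay:
            # Retried too quickly; keep deferring until the delay has elapsed.
            return "451 greylisted, try again later"
        # A patient retry after the delay: this sender behaves like a real MTA.
        self.allowed.add(triplet)
        del self.first_seen[triplet]
        return "250 accept"


def simulate():
    """Replay constructed delivery attempts and return the verdict for each."""
    gl = Greylist()
    t0 = 1_000_000.0
    attempts = [
        ("203.0.113.10", "billing@example.net", "alice@example.com", t0),         # legitimate MTA, first try
        ("198.51.100.7", "card@greetings.example", "bob@example.com", t0),        # spam engine, first and only try
        ("203.0.113.10", "billing@example.net", "alice@example.com", t0 + 60),    # legitimate MTA retries too early
        ("203.0.113.10", "billing@example.net", "alice@example.com", t0 + 900),   # retry after the delay: accepted
        ("203.0.113.10", "billing@example.net", "alice@example.com", t0 + 2000),  # later mail from the same triplet
    ]
    return [gl.check(ip, sender, rcpt, t) for ip, sender, rcpt, t in attempts]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

The trade-off a practitioner should know: first contact from any new sender is delayed by at least min_delay, and large providers that retry from a different outbound IP each time can be deferred repeatedly, which is why production greylists usually key on the sender's /24 network and maintain an allow-list for well-known senders.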

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable and therefore emails can be retrieved on demand quickly and with ease. If there is a legal dispute or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example) businesses need to be able to recover emails in an efficient manner. Additionally, an email archive also provides a clear chain of custody, which is also required to comply with a lot of regulations.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Given the benefits of email archiving, it should be an easy sell for MSPs, either as an Office 365 archiving-as-a-service add-on or incorporated into existing email packages, in order to offer greater value and differentiate your packages from those of your competitors.

Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply offering Office 365 to your clients. Overall, it can help you to attract more business when offered as part of a package.

Email Archiving Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It integrates seamlessly into MSPs’ service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks take place very often and are highly realistic, and Office 365 spam filtering controls are easily bypassed by hackers to ensure messages reach inboxes. Additionally, phishing forms are being hosted on web pages that are secured with valid Microsoft SSL certificates to fool users into thinking that the websites are authentic.

Office 365 Phishing Attacks Can Be Difficult to Spot

Should a phishing email make it past perimeter defenses and land in an inbox, there are several tell-tale signs that the email is not authentic.

There are often spelling errors, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, hackers are now spending much more time carefully crafting their phishing emails, and they are often practically indistinguishable from authentic communications from the brand being spoofed. As regards formatting, they are carbon copies of genuine emails, complete with the branding, contact details, sender details, and logos of the company being spoofed. The subject is perfectly realistic and the content well composed. The actions the user is asked to take are perfectly believable.

Hyperlinks are included in the emails that direct users to a website where they are required to enter their login details. At this point of the phishing attack there are usually further signs that all is not as it seems. A warning may appear that the website may not be authentic, the website may use HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company the website is spoofing.

Even these indications are not always present, as has been shown in many recent Office 365 phishing attacks, which host the phishing forms on web pages that have valid Microsoft SSL certificates, or SSL certificates issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blob Storage Phishing Campaign

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use either HTTP or HTTPS, the phishing campaign uses the latter, so the page presents a valid SSL certificate issued to Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted file. In this case, the document appears to come from a Denver law firm. Clicking the button sends the user to an HTML page hosted on Azure blob storage that requires Office 365 credentials to be entered to view the document. Since the page is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft, adding legitimacy to the phishing attempt.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Targeted

A similar campaign has been discovered that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser via this gateway, and when they do, the HTML page is secured with a CloudFlare SSL certificate. In this instance, the login form asks for a username, password, recovery email address and phone number – all of which are forwarded to the attacker, while the user is directed to a PDF file, unaware that their details have been stolen.
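The lesson of both campaigns is that a valid certificate proves only that the page lives on the provider's domain, not that the brand asking for credentials owns it; the useful check is whether the hostname is one the brand actually signs users in on, or a multi-tenant host where anyone can upload a page. Here is an added example, not code from the original article, that makes that distinction for a URL. The sign-in host allow-list, the shared-host suffixes and the sample URLs are assumptions for the example; the two suffixes are the services named above.

```python
from urllib.parse import urlsplit

# Hosts on which Office 365 users genuinely sign in (assumed allow-list).
OFFICE365_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Multi-tenant services where any customer can publish a page under the
# provider's domain, so the TLS certificate vouches for the provider only.
SHARED_HOSTS = {
    "blob.core.windows.net": "Microsoft Azure Blob Storage",
    "cloudflare-ipfs.com": "Cloudflare IPFS gateway",
}

# Words that suggest the page is collecting credentials.
LOGIN_WORDS = ("login", "signin", "sign-in", "password", "office365")


def classify_url(url):
    """Classify where a link actually points, independent of its certificate.

    Returns a dict with a verdict of 'expected-login-host', 'shared-cloud-host'
    or 'other-host', plus the provider and tenant label for shared hosts and
    whether the path/query looks like a login page.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    page = (parts.path + "?" + parts.query).lower()
    asks_for_login = any(word in page for word in LOGIN_WORDS)
    if host in OFFICE365_LOGIN_HOSTS:
        return {"verdict": "expected-login-host", "host": host}
    for suffix, provider in SHARED_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            tenant = host[: -len(suffix) - 1] if host != suffix else ""
            return {"verdict": "shared-cloud-host", "host": host, "provider": provider,
                    "tenant": tenant, "asks_for_login": asks_for_login}
    return {"verdict": "other-host", "host": host, "asks_for_login": asks_for_login}


# Constructed sample links; the storage account name and IPFS path are made up.
SAMPLE_LINKS = [
    "https://docs1234.blob.core.windows.net/share/office365-login.html",
    "https://cloudflare-ipfs.com/ipfs/QmExampleHash/index.html",
    "https://login.microsoftonline.com/",
    "https://www.example.org/report.pdf",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_url(link))
```

A shared-cloud-host verdict combined with asks_for_login is the combination worth surfacing to users or to a link-rewriting filter: the page is served by a real provider with a real certificate, and that is exactly why the certificate tells you nothing about who is collecting the password.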

Office 365 Phishing Protections are Not Enough

Office 365 users are being targeted by hackers because they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed that even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for security. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive large volumes of spam and phishing emails, and many messages will reach end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be tricked. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater security.

How to Make Office 365 Safer

While Office 365 will block spam emails and phishing emails (Osterman Research showed it prevents 100% of known malware), it has been shown to perform poorly against advanced phishing threats, including spear phishing.

Office 365 does not have the same level of predictive technology as specialized on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly enhance protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and supplies superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to make sure malicious messages are blocked or quarantined rather than being sent to end users’ inboxes. Some of the extra protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image here:

[Image: additional protections provided by SpamTitan against Office 365 phishing attacks]

To discover more about making Office 365 safer and how SpamTitan can benefit your company, get in touch with TitanHQ. Our highly experienced sales consultants will be able to inform you of the full range of benefits of SpamTitan and the best deployment option, and can offer you a free trial so you can evaluate the solution for yourself.

Sophisticated Phishing Scam Spoofed Iceland Police

Police in Iceland have said that a highly sophisticated phishing attack is the biggest cyberattack the country has ever witnessed. The campaign saw thousands of messages sent that attempted to get Icelanders to download a remote access tool that would give the attackers full access to their computers.

The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to permit remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptops. However, while it was created for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential for misuse. Unsurprisingly, Remcos has been used by hackers in several malware campaigns in the past, often delivered via spear phishing. One notable attack involved spoofing the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed and gain access to victims’ computers.

The use of Remcos for malicious purposes violates its terms and conditions of use. If discovered, the developer can revoke the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive data, installation of malicious software, and file encryption with ransomware, to name but a few.

As was the case in Turkey, the phishing campaign in Iceland tried to trick end users into installing the program through deception. In this case, the emails purported to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and install the remote access tool.

The emails informed the recipients that they were due to visit the police for questioning. Urgency was added by informing the recipient that an arrest warrant would be issued if they did not respond. Clicking the link in the email directed the user to what appeared to be the genuine website of the Icelandic police. The website was a carbon copy of the authentic site and required the visitor to enter their Social Security number along with an authentication code included in the email to find out more about the police case.

In Iceland, Social Security numbers are often required on websites to use official services, so the request would not appear strange. On official websites, Social Security numbers are matched against a database and are rejected if they are not real. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been obtained – most likely an old database that had previously been leaked, or the attacker may have had legitimate access and misused the database.

After submitting the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the archive, which contained a .scr file disguised as a Word document.

On this occasion, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking details. Once banking credentials had been obtained, the information was sent to command and control servers located in Germany and the Netherlands.

While the campaign looked completely genuine, a common trick was used to deceive the recipients of the email, who numbered in the thousands. The domain used in the attack closely resembled that of the official police website, logreglan.is, but replaced the second l with a lower case i – logregian.is. A casual glance at the sender of the email or the domain name in the address bar would be unlikely to reveal that the domain was not genuine. Additionally, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.
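The l/i/I swap above is one instance of a general problem: characters that look alike in common fonts. A defensive check that a mail filter or a brand-protection team can run is to reduce both the observed domain and each protected domain to a "skeleton" in which confusable characters are folded together, and compare the skeletons. The following is an added example, not code from the original article or from the Icelandic police, that does this for a small protected-domain list; the confusable table, the similarity threshold and the sample domains are assumptions for the example, and the skeleton idea generalises beyond the single l/i case the article describes.

```python
import unicodedata
from difflib import SequenceMatcher

# Single characters folded onto the letter they are commonly mistaken for.
# 'i', '1' and '|' all read as 'l' at a glance, which is the trick used above.
SINGLE_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})
# Two-character sequences that render like one letter.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))

# Domains we want to protect (assumed list for the example).
PROTECTED = {"logreglan.is"}


def skeleton(label):
    """Fold a domain name into a form where confusable spellings collide."""
    # Strip accents/compatibility forms (e.g. fullwidth letters), then lower-case.
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.lower()
    for seq, replacement in MULTI_CONFUSABLES:
        label = label.replace(seq, replacement)
    return label.translate(SINGLE_CONFUSABLES)


def classify(hostname, protected=PROTECTED, threshold=0.8):
    """Return 'legitimate', 'lookalike-of:<domain>', 'similar-to:<domain>' or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    if host in protected or any(host.endswith("." + p) for p in protected):
        return "legitimate"
    host_skel = skeleton(host)
    for p in protected:
        if host_skel == skeleton(p):
            return f"lookalike-of:{p}"
    # Fall back to plain string similarity for single-character insertions/deletions.
    for p in protected:
        if SequenceMatcher(None, host, p).ratio() >= threshold:
            return f"similar-to:{p}"
    return "unrelated"


def classify_url(url, protected=PROTECTED):
    """Classify the host part of a link, as it would appear in a phishing email."""
    from urllib.parse import urlsplit
    return classify(urlsplit(url).hostname or "", protected)


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["logreglan.is", "www.logreglan.is", "logregian.is", "logregIan.is",
                 "logregland.is", "wikipedia.org"]:
        print(f"{name:20} {classify(name)}")
```

The skeleton comparison is deliberately lossy, so it should feed a review queue or a link rewrite rather than an automatic block on its own; a legitimate domain that happens to skeletonise like a protected one would otherwise be caught as well.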

The Icelandic police moved swiftly to address the attack and the malicious domain was taken down the next day. It is unknown how many people were tricked by the scam.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has said that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. In 2018 several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months, four new Dharma ransomware variants have been discovered.

Those behind Dharma ransomware have claimed many victims in recent months. Successful attacks have recently been made public by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete. Infection with the latest variants leaves victims with only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The last of these is not viable given the number of files that are encrypted. Recovering files from backups is not always possible, as Dharma ransomware can also encrypt backup files and can delete shadow copies. Paying the ransom is not advisable, as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware attacks involve an executable file being dropped by a .NET file and an HTA file. Infections take place via RDP-enabled endpoints using brute force attempts to guess passwords. Once a password has been guessed, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN, and strong passwords should be enforced. Rate limiting on login attempts should be configured to block further attempts after a set number of failures.
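Rate limiting RDP logons, as recommended above, comes down to counting failed logons per source within a time window and acting when the count crosses a threshold; the same counter also catches the outcome that matters most, a successful logon from a source that has just been brute-forcing. The following is an added example, not code from the original article, that runs that logic over a constructed, simplified export of Windows Security log events (4625 failed logon, 4624 successful logon, logon type 10 for RDP). The log format, threshold and sample addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line:
# timestamp, event id (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), source IP, account name.
SAMPLE_LOG = """\
2018-11-20T02:00:01 4625 10 198.51.100.23 administrator
2018-11-20T02:00:03 4625 10 198.51.100.23 administrator
2018-11-20T02:00:05 4625 10 198.51.100.23 administrator
2018-11-20T02:00:07 4625 10 198.51.100.23 administrator
2018-11-20T02:00:09 4625 10 198.51.100.23 administrator
2018-11-20T02:00:11 4625 10 198.51.100.23 administrator
2018-11-20T02:00:20 4624 10 198.51.100.23 administrator
2018-11-20T09:15:00 4625 10 203.0.113.5 jsmith
2018-11-20T09:15:30 4624 10 203.0.113.5 jsmith
"""


def analyze(log, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failed-logon counter per source IP for RDP logons.

    Returns {"blocked": {ip: time_blocked}, "alerts": [(time, ip, user, reason)]}.
    A source is blocked once it reaches `threshold` failures inside `window`;
    a later successful logon from a blocked source raises a separate alert,
    because that is the brute force having worked.
    """
    failures = defaultdict(deque)
    blocked = {}
    alerts = []
    for line in log.strip().splitlines():
        ts, event, logon_type, ip, user = line.split()
        if logon_type != "10":          # only RDP sessions are in scope here
            continue
        t = datetime.fromisoformat(ts)
        if event == "4625":
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in blocked:
                blocked[ip] = t
                alerts.append((t, ip, user, f"{len(q)} failed RDP logons within {window}"))
        elif event == "4624" and ip in blocked:
            alerts.append((t, ip, user, "successful RDP logon from blocked source"))
    return {"blocked": blocked, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("blocked:", sorted(result["blocked"]))
    for alert in result["alerts"]:
        print(*alert, sep=" | ")
```

One failure followed by a success (the jsmith lines) is ordinary user behaviour and produces nothing; six failures in ten seconds followed by a success is the pattern described in the article and produces both a block and a "success from blocked source" alert, which is the one that should page someone. In production the block would be pushed to the host firewall or VPN rather than kept in a dictionary.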

Whatever the attack vector, good backup policies are essential, as they allow files to be recovered without paying a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely solely on AV engines may not spot the latest ransomware variants, so advanced analysis of incoming messages is vital.

SpamTitan can enhance protection for companies through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with Titan HQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.

Z Services partnered with TitanHQ in February 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. This enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

Because the integration proved such a success for Z Services, the firm has now decided to take its partnership with TitanHQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan, TitanHQ’s award-winning web filtering technology, and ArcTitan, its email archiving solution, have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been developed specifically to meet the needs of small to medium sized enterprises for cybersecurity, threat protection, and compliance solutions.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from TitanHQ’s point of view, CEO Ronan Kavanagh said, “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

Unlike many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure) and as full white label solutions ready for MSPs to apply their own branding. By offering their clients TitanHQ solutions, MSPs can significantly reduce support and engineering costs, because a wide range of cyber threats is blocked at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP that has not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or if you are looking to increase profits significantly while ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Users with Valid SSL Certificates Being Tricked by CloudFlare IPFS Gateway Phishing Forms

The CloudFlare IPFS gateway has only recently been made publicly available, but it is already being used by phishers to serve malicious content. CloudFlare IPFS gateway phishing attacks are likely to have a good success rate, because some of the checks end users carry out to confirm the legitimacy of a domain will not raise any red flags.

The IPFS gateway gives web browser access to a P2P system that permits files to be shared easily throughout a group. Content is distributed across nodes throughout the network. The system can be used for creating and sharing websites, and CloudFlare has made this process simpler by offering free SSL certificates and allowing domains to be easily linked to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they can use CloudFlare’s SSL certificate. Since the phishing page URL will begin with cloudflare-ipfs.com, this adds legitimacy: the CloudFlare-owned domain is more likely to be trusted than other phishing domains.

When CloudFlare IPFS Gateway phishing forms are opened, visitors will see that the webpage is secure: the URL starts with HTTPS and a green padlock is displayed. If the visitor takes the time to check the certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is authentic. The browser will not show any warning, and the CloudFlare IPFS Gateway phishing content will therefore seem genuine.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with proper logos.

If a visitor fills out the form, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be shown a document about business models, strategy and innovation. This may not raise a red flag either.

The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.

It is becoming more and more important for phishers to use HTTPS for hosting phishing content. As more businesses move from HTTP to HTTPS, and browsers such as Chrome now warn users about insecure sites, phishers have similarly had to move to HTTPS. Both the CloudFlare IPFS Gateway and Azure Blob storage offer a simple way to do this.

In both instances, links to the malicious forms are shared through spam email. One of the most typical methods is an email attachment containing a button that must be clicked in order to access the content. The user is told that the content of the file is secured and that their work email login credentials must be entered in order to see it. The document may be an invoice, a purchase order, or a scanned document that needs to be reviewed.

The rise in the use of cloud platforms to host phishing content makes it more important than ever for organizations to set up advanced phishing defenses. A strong spam filter such as SpamTitan should be used to block the initial emails and prevent them from reaching end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to warn users that a valid SSL certificate does not mean the content of a web page is authentic. Web filtering solutions are also vital for restricting access to known malicious web pages should a user click on a malicious link.

Universities Targeted as Hackers Search for Valuable Research Data

Hackers have been targeting universities extensively in the last year, according to figures recently released by Kaspersky Lab.

Universities store very valuable information, as research groups collate valuable proprietary data. The results of research studies are particularly valuable. Such data may not be as easy to sell as credit card and Social Security numbers, but there are certainly buyers who will pay top dollar for valuable research. Nation state sponsored hacking groups are focusing on universities, and independent hacking groups are getting in on the act and carrying out cyberattacks on universities.

There are many possible attack vectors that can be used to gain access to university systems. Software flaws that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be used to guess passwords. However, phishing attacks on universities are the most frequently seen.

Phishing is often associated with scams to obtain credit card information or login details for Office 365 accounts, with companies and healthcare organizations frequently targeted. Universities are also in the firing line and are being attacked.

Phishing is so common because it is often the simplest way to access targeted networks, or at least to gain a foothold for further attacks. Universities are naturally careful about protecting their research, and security controls are usually implemented accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not cause much damage, at least initially. However, once access to their email account is obtained, it can be used for further phishing attacks on lecturers, for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to sought-after research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide variety of secondary attacks.

Email-based attacks can include malicious attachments that deliver information-stealing malware such as keyloggers, although many of the latest attacks have used links to fake university login web pages. The login pages are identical copies of the genuine login pages used by universities, the only difference being the URL on which the page is hosted.

Kaspersky Lab has revealed that over 1,000 phishing attacks on universities have been detected in the past 12 months, with 131 universities targeted. Those universities are spread across 16 countries, although 83 of the 131 were in the United States.

Stopping phishing attacks on universities, staff, and students requires a multi-layered approach. Technical security measures must be implemented to reduce risk, such as an advanced spam filter to block the majority of phishing emails before they reach end users. A web filtering solution is vital for restricting access to phishing websites and web pages hosting malware. Multi-factor authentication is also vital to ensure that if account credentials are compromised or passwords are guessed, an additional form of authentication is required to gain access to accounts.

As a last line of defense, staff and students should be trained so they are aware of the risk from phishing.

Office 365 Phishing Attacks Using Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are widely seen and very realistic, and Office 365 spam filtering controls are easily bypassed by cybercriminals to ensure messages land in inboxes. Further, phishing forms are being hosted on webpages secured with valid Microsoft SSL certificates to trick users into believing the websites are genuine.

Should a phishing email get past perimeter defenses and arrive in an inbox, there are often many giveaway signs that the email is not genuine.

There are often spelling errors and bad grammar, and the messages are sent from suspicious senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails, which are often virtually indistinguishable from real communications from the brand being spoofed. Formatting-wise, they are carbon copies of real emails, complete with the branding, contact information, sender details, and logos of the business being spoofed. The subject is perfectly realistic and the content well composed. The actions the user is asked to take are perfectly plausible.

The emails include hyperlinks that direct users to a website where they are asked to enter their login credentials. At this stage of the phishing attack there are usually further indications that all is not as it seems. A warning may flash up that the website may not be authentic, the website may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not belong to the company the website is spoofing.

Even these tell-tale signs are not always present, as has been shown in many recent Office 365 phishing attacks, in which the phishing forms are hosted on webpages that have valid Microsoft SSL certificates, or SSL certificates issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
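Both the CloudFlare IPFS gateway post above and this Office 365 post make the same point: a valid certificate and a green padlock only prove that the browser is talking to the host named in the URL, not that the brand on the login form owns that host. The following added example (written for this page, not code from TitanHQ or from any of the providers named) makes that distinction explicit in Python. It applies a simplified certificate hostname check to a URL, notes whether the host is one of the shared platforms the posts describe, and flags a brand login that appears on a host the brand does not own. The SAN lists, the page text, the IPFS content hash placeholder and the brand-to-domain allow-list are all constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Platforms named on the page whose certificates vouch for the platform's own
# domain, not for whoever uploaded the content.
SHARED_HOSTING_SUFFIXES = ("cloudflare-ipfs.com", "blob.core.windows.net")

# Brands impersonated in the campaigns described, mapped to a hypothetical
# allow-list of domains their real login pages use (assumed for this example).
BRAND_DOMAINS = {
    "office 365": ("login.microsoftonline.com", "office.com"),
    "docusign": ("docusign.com", "docusign.net"),
    "azure": ("portal.azure.com", "login.microsoftonline.com"),
}

# Constructed test cases: (URL, certificate SAN names, visible page text).
# None of these are captured from a real incident; "PLACEHOLDER_CID" stands in
# for an IPFS content identifier.
CASES = {
    "ipfs_phish": (
        "https://cloudflare-ipfs.com/ipfs/PLACEHOLDER_CID/office365/login.html",
        ["cloudflare-ipfs.com", "*.cloudflare-ipfs.com"],
        "Sign in to your Office 365 account to view the secured document",
    ),
    "blob_phish": (
        "https://example-storage.blob.core.windows.net/docs/docusign.html",
        ["*.blob.core.windows.net"],
        "DocuSign: please log in to review the document",
    ),
    "real_login": (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        ["login.microsoftonline.com"],
        "Sign in to Office 365",
    ),
}


def hostname_matches_san(host, san_names):
    """Simplified certificate name check: exact match, or one leading wildcard
    label. This is the part of the padlock check that cloudflare-ipfs.com passes
    legitimately, because the certificate really was issued for that host."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            if len(labels) > 2 and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def host_in_domain(host, domain):
    """True if host is `domain` itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess_login_page(url, san_names, page_text):
    """Report what the padlock proves, and what it does not, for a page that asks
    for credentials."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    padlock_ok = parsed.scheme == "https" and hostname_matches_san(host, san_names)
    on_shared_hosting = any(host_in_domain(host, s) for s in SHARED_HOSTING_SUFFIXES)
    haystack = (page_text + " " + parsed.path).lower()
    brand_mismatches = [
        brand for brand, domains in BRAND_DOMAINS.items()
        if brand in haystack and not any(host_in_domain(host, d) for d in domains)
    ]
    return {
        "host": host,
        "padlock_ok": padlock_ok,
        "on_shared_hosting": on_shared_hosting,
        "brand_mismatches": brand_mismatches,
        # The certificate binds the page to `host` only; a brand login served
        # from a host the brand does not own is the red flag, padlock or not.
        "suspicious": bool(brand_mismatches),
    }


if __name__ == "__main__":
    for label, case in CASES.items():
        print(label, assess_login_page(*case))
```

For both phishing cases the padlock check passes and the page is still flagged, which is exactly the situation users need to be taught about: the browser has verified the host, and the host is simply not the brand's. A web filter that categorizes by full URL rather than by domain, or that treats a brand login on shared hosting as a policy hit, is applying the same logic.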

To greatly enhance your security measures you will need a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth and provides superior protection against advanced phishing attacks, new malware, and complex email attacks, ensuring that malicious messages are blocked or quarantined rather than delivered to end users’ inboxes. Some of the additional security measures SpamTitan provides against Office 365 phishing attacks are detailed in the image here:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants can advise you on the full range of benefits of SpamTitan and the best deployment option, and can offer you a free trial so you can evaluate the solution before committing to a purchase.


Chinese and English Speakers Targeted by New RaaS Variant of FilesLocker Ransomware

FilesLocker, a new ransomware threat, has been discovered and is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an especially sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual-language ransomware variant that displays ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute in return for a percentage of the ransom payments.

Unless it is advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. A number of features could see this variant favored over other RaaS offerings, notably a sliding scale of commissions. The developers are offering a 60% cut of ransoms, rising to 75% if sufficiently high numbers of infections are generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA-2048 + AES algorithm to lock files, and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of encrypting files even when the network connection is broken.

No server is needed, and the ransomware works on all Windows versions later than XP, plus 32-bit and 64-bit Windows Server. Users can also easily keep track of infections through a tracking feature that displays infections by country.

There is no free decryptor for FilesLocker ransomware. Recovery is only possible by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front recently, at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was developed by Bitdefender in February that was able to unlock files encrypted by v1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it did not take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender revealed that, after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that allows GandCrab ransomware victims to decrypt files for free, provided they were infected with version 1, 4, or 5 of the ransomware.

The version can be deduced from the extension added to encrypted files: v1 = GDCB; v2/3 = CRAB; v4 = KRAB; v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been published on the NoMoreRansom Project website. Bitdefender is currently working to put in place a free decryptor for v2 and v3 of GandCrab ransomware.

Recipe Unlimited Ryuk Ransomware Attack Leads to Restaurant Closures

What is thought to have been a Ryuk ransomware attack on Recipe Unlimited, a group of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams try to address the attack.

Recipe Unlimited, previously known as Cara Operations, operates pubs and restaurants under many different names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of these pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack.

While only a relatively small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and from using their register systems to complete orders.

While it was at first unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. A staff member at one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the infected computers.

The ransom note is the same as that used by the threat actors behind Ryuk ransomware. They claim that files were encrypted with “military algorithms” and cannot be decrypted without a key that is only available from them. While it is unclear exactly how much the hackers demanded to decrypt the files, they did threaten to increase the cost by 0.5 BTC (approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is thought to have taken place on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of several recently witnessed attacks involving Ryuk ransomware. The hackers are understood to have collected more than $640,000 in ransom payments from companies that had no option but to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not add to that total, as Recipe Unlimited performed regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare providers, and cities are extremely common and can be incredibly costly to address. The recent City of Atlanta ransomware attack caused widespread disruption due to the massive scale of the attack, which involved thousands of computers.

The cost of addressing the attack, including upgrades to its systems, is likely to be around $17 million, according to estimates from city officials. The ransomware attack on the Colorado Department of Transportation is estimated to cost $1.5 million to resolve.

There is no single solution that will block ransomware attacks, as many different vectors are used to deliver the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to stop email delivery of ransomware; web filters can be configured to prevent access to malicious websites where ransomware is downloaded; antivirus solutions may detect infections in time to block attacks; and intrusion detection systems and behavioral analytics solutions are useful for quickly identifying an attack in progress and limiting the harm done.

All devices and software must be kept fully up to date, strong passwords should be enforced, and end users must receive training to make them aware of the danger posed by ransomware. They should be trained in security best practices and in how to identify threats. Naturally, robust backup policies are necessary to ensure that in the event of a disaster, files can be recovered without having to meet the ransom demand.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under the full control of the hacker.

The hackers spoof the user’s email address so that the message appears to have been sent from the user’s own email account: the sender and recipient names are exactly the same.

A quick and simple check that can be performed to determine whether the displayed sender name matches the account actually used to send the email is to click forward. When this is done, the display name is shown, but so is the email address from which the message was sent. In this instance, that check does not help, making it seem that the user’s email account really has been compromised.

The messages used in this campaign try to extort money by claiming the hacker has gained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to watch the user’s internet activity in real time and to use the computer’s webcam to record the user.

The hacker claims that the virus was installed on the computer when the user visited an adult website, and that while the user was viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.

The hacker claims that they will sync the webcam footage with the content the user was viewing and send a copy of the video to the user’s partner, friends, and relatives. It is claimed that all of the user’s accounts have been compromised. The message also includes an example of one of the user’s passwords.

While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to get them to make the requested payment of $800 to have the footage erased.

However, this is a sextortion scam in which the hackers have no leverage, as there is no virus and no webcam footage. Nevertheless, it is clear that at least some recipients were not willing to take the risk.

According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was made, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.
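The reason the "click forward" check described above fails is that it only reveals the From header, which the sender writes and can set to anything, including the recipient's own address. What the attacker cannot rewrite is the envelope sender (recorded by the receiving server as Return-Path), the Received trail, and the Authentication-Results the mail server attaches after checking SPF, DKIM and DMARC. The following is an added example written for this page, not code from TitanHQ or from SecGuru: it parses two constructed messages with Python's standard `email` module and reports whether the visible sender is backed by that evidence. The addresses, hosts, IDs and authentication results in both messages are invented for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message modelled on the scam: From and To are the same address,
# but the envelope sender and the receiving server's authentication results
# point to a different domain. Nothing here is a real captured email.
SCAM_EMAIL = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.23])
\tby mx.example.com with ESMTP id CONSTRUCTED001; Tue, 2 Oct 2018 09:15:02 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: "Jane Doe" <jane.doe@example.com>
Subject: Your account has been hacked
Message-ID: <constructed-0001@mailer.example.net>

Your tastes are so weird. Pay $800 in Bitcoin or the video goes to your contacts.
"""

# A constructed ordinary message for contrast: envelope and header domains
# agree, and the receiving server recorded passing SPF, DKIM and DMARC results.
NORMAL_EMAIL = b"""\
Return-Path: <bob@example.org>
Received: from mail.example.org (mail.example.org [203.0.113.9])
\tby mx.example.com with ESMTP id CONSTRUCTED002; Tue, 2 Oct 2018 10:00:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org;
\tdkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Bob <bob@example.org>
To: Jane Doe <jane.doe@example.com>
Subject: Lunch?

See you at noon.
"""


def _addr(msg, name):
    """Bare, lower-cased address from a header, or '' if the header is absent."""
    return parseaddr(str(msg.get(name, "")))[1].lower()


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def analyze_sender(raw_bytes):
    """Compare the visible From header with the evidence the sender cannot
    simply type in: the envelope sender and the receiving server's SPF/DKIM/DMARC
    verdicts. Returns a dict of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_addr = _addr(msg, "From")
    to_addr = _addr(msg, "To")
    envelope_from = _addr(msg, "Return-Path")
    # Authentication-Results is written by the receiving MTA, so it is trustworthy
    # only when the header really came from your own server (policy.default unfolds it).
    auth_header = str(msg.get("Authentication-Results", ""))
    auth = {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_header, re.I)}
    envelope_mismatch = bool(envelope_from) and _domain(envelope_from) != _domain(from_addr)
    return {
        "from": from_addr,
        "to": to_addr,
        "envelope_from": envelope_from,
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        "envelope_domain_mismatch": envelope_mismatch,
        "auth": auth,
        "likely_spoofed": envelope_mismatch
                          or auth.get("spf") == "fail"
                          or auth.get("dmarc") == "fail",
    }


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("normal", NORMAL_EMAIL)):
        print(label, analyze_sender(raw))
```

The self-addressed From header is the lure; the envelope domain mismatch and the failed SPF and DMARC results are the evidence that the message did not originate from the user's account. A spam filter that enforces DMARC on the organization's own domain blocks this class of message before a user ever sees it, which is the mitigation worth checking for after reading about a campaign like this one.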

A similar sextortion scam was carried out in the summer, and it too had an interesting twist. It used an old password for the account that had been obtained from a data dump. In that instance the password was real, at least at some point in the past, which made the scam seem authentic.