Beware of COVID-19 Vaccine Phishing Scams!

Hackers are attempting to exploit the roll-out of COVID-19 vaccination programs around the world by launching a host of COVID-19 vaccine phishing campaigns, in order to illegally obtain protected private data, including password details for networks and databases, and to speed up the distribution of their malware emails.

A number of US-based government bodies have already issued public malware warnings for businesses and consumers. These agencies include the Federal Bureau of Investigation (FBI), the Department of Health and Human Services’ Office of Inspector General, and the Centers for Medicare and Medicaid Services.

These malware attacks will be disguised in a number of different ways. Those already identified include offers for early access to COVID-19 vaccine programmes, requests for a payment to skip the line and move to the head of the waiting list, and an offer for email recipients to register for another waiting list once they hand over some private personal information – which will later be used to infiltrate personal accounts holding contact details and financial information.

Email is the chosen vector for these COVID-19 vaccine phishing scams, but it will be no surprise to see them also advertised across a spectrum of different websites, social media platforms, instant messaging platforms, and even via phone calls or SMS messages. The vast majority of these campaigns will take aim at individual consumers, but it is expected that they could infiltrate business databases should employees access any of the media mentioned previously while using their work network – or if the emails land in their corporate inboxes.

The scam emails will most of the time have links to web portals, hidden in email attachments to mask them from antivirus software, where information will be gathered that can be used to carry out fraud. In a lot of cases Office documents will be used to deliver malware via malicious macros. Mostly, these emails will claim to come from trusted entities or people. COVID-19 vaccine scam emails are likely to disguise themselves as healthcare providers, health insurance firms, vaccine centers, and federal, state, or local public health bodies. Since the outbreak of COVID-19 there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in COVID-19 related phishing campaigns.

Recently the U.S. Department of Justice revealed that it has seized two websites that claimed to belong to vaccine developers. The domains were practically identical to the authentic websites of two biotechnology firms working on vaccine development. The malicious content has been deleted, but there is a strong chance that a huge number of other domains have been registered for use in COVID-19 vaccine phishing scams that have yet to be deployed.

Alerts have also been made public in relation to the dangers of ransomware attacks that aim to leverage interest in COVID-19 vaccines to supply the hackers with the access to databases they need to launch their attacks.

There are four important measures that companies should deploy to address the danger of being tricked by these scams. Since email is widely used, it is crucial to have a strong spam filtering solution configured. Spam filters consult blacklists of malicious email and IP addresses to tackle malicious emails, but since new IP addresses are constantly being brought into use for these hacking campaigns, it is important to opt for a solution that features machine learning. Machine learning assists in spotting phishing attacks from IP addresses that have not previously been used for malicious purposes and in discovering zero-day phishing threats. Sandboxing is also crucial in the fight against zero-day malware threats whose signatures have yet to be incorporated into the virus definition lists of antivirus engines.

Even though spam filters can identify and block emails that include malicious links, a web filtering solution is also a very important tool for this. Web filters are used to manage the access to websites that employees wish to view and stop visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated through threat intelligence feeds to put protection in place against recently discovered malicious URLs.

Companies should not forget to conduct end user training and should constantly run refresher training sessions for staff to help them spot phishing attacks and malicious emails. Phishing simulation exercises are also good for evaluating the effectiveness of security awareness training.

Multi-factor authentication should also be implemented as an additional security measure. Should credentials be illegally obtained, multi-factor authentication will help ensure that stolen details cannot be used to remotely log onto accounts.

Once these measures are put in place, companies will be protected against the majority of malware attacks, including COVID-19 vaccine phishing attacks.

Contact the TitanHQ team as soon as you can to find out more about spam filtering, web filtering, and safeguarding your company from malware and phishing attacks.


Phishing Statistics for 2020

The danger posed by phishing attacks is constant, and phishing is still the main cause of data breaches. All that is required is for one member of staff to be tricked by a phishing email for threat actors to obtain the access they need to carry out further attacks on your organization.

In this update we list some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing security measures.

Phishing is the most straightforward way for hackers to obtain access to sensitive data and spread malware. Only a small amount of skill or expertise is required to conduct a successful phishing campaign and steal details or infect users with malware. The most recent figures indicate that in 2020, 22% of reported data breaches began with a phishing email, and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the huge Home Depot data breach in 2014 that saw the email addresses of 53 million individuals illegally taken.

Phishing can be carried out using the phone, via SMS, social media networks, or instant messaging platforms, but email is by far the most common vector chosen. Around 96% of all phishing attacks take place over email. Successful phishing attacks lead to the theft of data, theft of credentials, or the installation of malware and ransomware. The cost of settling the incidents and resultant data breaches is significant. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security showed that the average cost of a data breach is around $150 per impacted record, with an overall cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to address.

Staff members may think they are able to recognize phishing emails, but data from security awareness training companies show that in many cases, that confidence is not well founded. One study in 2020 showed that 30% of end users opened phishing emails, 12% of users visited a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing web pages. This is despite 78% of users saying that they know they should never open email attachments from unknown senders or click links in unsolicited emails.

The 2020 phishing statistics show that phishing and spear phishing attacks are still incredibly common and that phishing attacks often succeed. Another study showed that 85% of firms have been tricked by a phishing attack at least once. New phishing websites are constantly being created for use in these scams. Once a URL is confirmed as malicious and placed on a blacklist, it has often already been abandoned by the cybercriminals. In 2020, around 1.5 million new phishing URLs were identified per month.

2020 registered a huge rise in ransomware attacks. While manual ransomware attacks often see networks infiltrated thanks to exploiting flaws in firewalls, VPNs, RDP, and networking equipment, ransomware is also sent using email. Since 2016, the number of phishing emails containing ransomware has grown by over 97%.

Taking on phishing and stopping successful attacks requires a defense in depth tactic. An advanced spam filtering solution is a must to prevent phishing emails from landing in inboxes. Businesses that use Office 365 often rely on the protections that come as standard with their licenses, but studies have shown that the basic level of protection supplied by Microsoft’s Exchange Online Protection (EOP) is average at best, and phishing emails are often not spotted. A third-party solution is recommended to layer on top of Office 365, one that incorporates machine learning to spot never before seen phishing threats. The solution should implement email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks, and outbound scanning to discover compromised inboxes.

End user training is also crucial. In the event of a phishing email landing in an inbox, employees should be shown how to identify it as such and be conditioned into reporting the danger to their IT team to ensure action can be taken to delete all instances of the threat from the email database. Web filters are also crucial for preventing the web-based component of phishing attacks and preventing employees from visiting phishing websites.

Malicious Cobalt Strike Script Delivered in Malicious Word Documents

A malicious Cobalt Strike script campaign has been discovered that uses phishing emails, malicious macros, PowerShell, and steganography to take advantage of unsuspecting email recipients.

When the email first lands in an inbox it includes a legacy Word attachment (.doc) with a malicious macro that downloads a PowerShell script from GitHub if it is permitted to run. That script then downloads a PNG image file from the genuine image sharing service Imgur. The image includes hidden code within its pixels which can be executed with a single command to run the payload, in this instance a Cobalt Strike script.

Cobalt Strike is a widely-implemented penetration testing tool. While it is used by security experts for legitimate security reasons, it is also of value to hackers. The tool permits beacons to be added to compromised devices which can be used to run PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the hackers bypass detection.

The hiding of code within image files is known as steganography and has been used for many years as a way of concealing malicious code, usually in PNG files, to prevent the code from being discovered. With this campaign the deception doesn’t finish there. The Cobalt Strike script includes an EICAR string that is aimed at tricking security solutions and security teams into labelling the malicious code as an antivirus test payload, while in reality contact is made with the hacker’s command and control server and its instructions are received.

This campaign was discovered by the security researcher ArkBird, who compared the campaign to one conducted by an APT group known as MuddyWater, which emerged around 2017. The threat group, aka Static Kitten/Seedworm/Mercury, primarily carries out attacks on Middle Eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is not known whether this group is to blame for the campaign.

Of course one of the most effective ways to prevent these types of attacks is by stopping the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for reviewing attachments in safety will help to ensure that these messages do not get sent to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent using email.

A web filtering solution is also effective. Web filters like WebTitan can be set up to give IT teams full management over the web content that employees can access. Since GitHub is commonly used by IT experts and other workers for legitimate reasons, an organization-wide block on the site is not a wise move. Instead, a selective block can be implemented for groups of employees or departments that prevents GitHub and other potentially risky code sharing sites, including Pastebin, from being accessed, either deliberately or unintentionally, to provide an extra layer of security.

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has released an official alert warning that experienced hackers are currently exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack is thought to be the work of a highly sophisticated, evasive, nation state hacking group that created a Trojanized version of the Orion software, which has been used to deploy a backdoor labelled SUNBURST into customers’ systems.

The supply chain attack has affected approximately 18,000 customers, who are thought to have installed the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government bodies.

SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA, and the National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. firms. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been targeted. The campaign was first discovered by the cybersecurity company FireEye, which was itself compromised as part of this campaign.

The attacks began during spring 2020 when the first malicious versions of the Orion software were launched. The hackers are thought to have been active in compromised networks since that time. The malware is evasive, which is why it has taken so long to discover the threat. FireEye commented: “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity”. Once the backdoor has been put in place, the hackers move laterally and steal data.

Kevin Thompson, SolarWinds President and CEO said: “We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state”.

The hackers obtained access to SolarWinds’ software development environment and placed the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were made public between March 2020 and June 2020.

CISA released an Emergency Directive ordering all federal civilian bodies to take swift action to block any attack in progress by immediately unlinking or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been forbidden from “(re)joining the Windows host OS to the enterprise domain.”

All users have been told to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A subsequent hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security measures.

If it is not possible to quickly upgrade, guidelines have been made available by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. Signatures for the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor; users have been advised to complete a full scan.

SolarWinds is working alongside FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the hacking attempts. SolarWinds is also working with Microsoft to remove an attack vector that results in the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently not known which group is to blame for the attack, although the Washington Post claims to have contacted sources who confirmed the attack was the work of the Russian nation state hacking group APT29 (Cozy Bear). An official representative for the Kremlin said Russia had nothing to do with the attacks, saying “Russia does not conduct offensive operations in the cyber domain.”

Vulnerability in VMware Virtual Workspaces Attacked by Russian State-Sponsored Cybercriminals

The U.S. National Security Agency (NSA) has released a cybersecurity advisory informing the public that Russian state-sponsored hackers are targeting a flaw in VMware virtual workspaces used to support remote working.

The flaw, labelled as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being targeted to obtain access to enterprise networks and protected data on the impacted systems.

The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. It can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, the attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data.

VMware released a patch to address the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been impacted, along with steps to eradicate threat actors who have already exploited the vulnerability.

The flaw may not have been allocated a high priority by system managers, as it was only rated by VMware as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10. The relatively low severity rating is a result of the fact that a valid password must be supplied to exploit the flaw, and the account is internal to the impacted range of products. However, as the NSA outlined, the Russian threat actors are already exploiting the flaw using stolen credentials.

In attacks reviewed by the NSA, the hackers exploited the command injection flaw and installed a web shell, followed by malicious activity in which SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), granting access to protected data.

The best way of stopping exploitation is to apply the VMware patch as soon as possible. If it is not possible to apply the patch, it is important to ensure that strong, unique passwords are set to safeguard against brute force attempts to reveal passwords. The NSA also advises administrators to ensure the web-based management interface is not accessible via the Internet.

Strong passwords will not stop the flaw from being successfully targeted and will not provide protection if the flaw has already been exploited. NSA said: “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

When integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for safeguarding SAML assertions. Multi-factor authentication should also be configured.

The NSA has released a workaround that can be used to stop exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication suppliers.

Unfortunately, spotting exploitation of the flaw can be tricky. The NSA explained in the advisory that “network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface.”

VMware advises that all customers refer to VMSA-2020-0027 for information on this flaw.

Start with Network Basics for Cybersecurity

All too often enterprise administrators follow best practices for their network infrastructure but forget the importance of email cybersecurity. You could argue that email cybersecurity is more important than any other OpSec strategy, since many of the biggest data breaches start with a phishing email. With more employees working from home due to COVID-19, it’s more important than ever to ensure that email cybersecurity is configured and implemented across all communication channels.

Firewalls, access controls, user identity management, and other network fundamentals are all components of a good cybersecurity posture. But email cybersecurity is equally important in blocking malware and protecting you from it: you won’t even see suspicious emails, because they are placed in quarantine to be reviewed.

Email security is built on two things – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). An SPF record is the easiest to implement and takes only a few minutes of the administrator’s time. The SPF record is added to the organization’s DNS server as a TXT entry. This TXT entry is a string with a specific syntax that provides recipient email servers with a list of authorized IP addresses that can be used to send enterprise email.

DKIM is similar to a cryptographic signature. A header is added to an email message carrying the sender’s own signature. The recipient verifies this signature to ensure that the message was genuinely sent by the sender’s domain. With SPF and DKIM, the sender is validated and the recipient’s email server can stop spoofed phishing emails from reaching that user’s inbox.

The recipient email server can be configured with Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC rules tell a receiving email server how to handle messages whose SPF and DKIM checks do not hold up. With strict DMARC rules, email servers might reject messages where no SPF record is present. For instance, organizations that use Google Suite might find their domain emails blocked if an SPF record is not present for the third-party sender.
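As an added example (not TitanHQ’s code), the following Python sketches how a receiving mail server evaluates these records: the SPF check walks the ip4/ip6/all mechanisms of a TXT record, and the DMARC check applies the published policy and alignment modes to the SPF and DKIM results. The TXT records, domains and sending IPs are constructed sample values; include:, a and mx mechanisms need live DNS and are skipped here.

```python
"""Offline illustration of SPF and DMARC evaluation on a receiving server.

Added example for this article, not TitanHQ code. All record strings,
domains and IP addresses below are constructed sample values.
"""
import ipaddress

# Constructed sample TXT records for a hypothetical domain example.com
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.google.com -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip.

    Only ip4/ip6/all mechanisms are evaluated; include:, a, mx and exists
    require DNS lookups and are skipped in this offline example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # Mixed v4/v6 comparisons simply do not match.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue  # malformed network: ignore this term
        elif mech == "all":
            return QUALIFIERS[qualifier]  # "-all" => fail, "~all" => softfail
    return "neutral"  # no mechanism matched and no "all" present


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Real DMARC uses the Public Suffix List; this is enough for the sample.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Check identifier alignment: 's' strict (exact), 'r' relaxed (org domain)."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, header_from, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'accept' or the published policy ('none', 'quarantine', 'reject').

    header_from is the domain in the visible From: header; spf_domain is the
    envelope sender domain; dkim_domain is the d= tag of the DKIM signature.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # no usable policy published
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "accept"  # DMARC passes if either aligned check passes
    return tags["p"]


if __name__ == "__main__":
    # A spoofed message: From: example.com, sent from an IP outside the SPF list,
    # with no DKIM signature. SPF fails, so the p=reject policy applies.
    spf = evaluate_spf(SPF_RECORD, "198.51.100.7")
    print("SPF:", spf)
    print("DMARC:", dmarc_disposition(DMARC_RECORD, "example.com", spf, "example.com", "none", ""))
```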

Only one successful phishing email is all it takes for an attacker to break into a network and send more and more of these to higher-value targets. According to a recent Ponemon report, the average cost of a breach is $3.82 million, and a lot of these breaches use text to trick the recipient into clicking on harmful links or opening a malware attachment.

Tech Radar has reported that a trillion emails are sent per year and that 3.4 billion are sent per day. With employees working from home there’s a high risk of them receiving one of these emails and becoming the vessel for the next huge breach.

Even trained users can be susceptible to these sorts of attacks, and if a phishing email is opened, the large amount of data this person has been trusted with could be completely stolen and sold on Darknet markets to be used in a long-term attack.

With email attacks happening more and more often, cyber security should be part of all organisations’ networks. Firewalls to block these attacks are necessary, and DMARC, DKIM and SPF are basic cyber security tools that minimise the threat of a severe data breach.

New Phishing and Malware Campaigns Must be Tackled with Advanced Cybersecurity Measures

Hackers are relying on a growing range of methods, techniques and processes to trick the unwary into sharing their private details or downloading malware, which is making it more difficult for end users to distinguish between authentic and malicious messages.

It is typical for hackers to buy lookalike domains for use in phishing scams and for distributing malware. A lot of the time the domains bought are very similar to the domains they impersonate, aside from one or two changed characters.

FBI Issues Alert on Use of Spoofed FBI Domains

Recently the Federal Bureau of Investigation (FBI) released an alert after the discovery that many FBI-related domain names have been bought that look like official FBI websites. While these domains are not believed to have been used for malicious reasons so far, it is likely that the individuals registering these domains were planning to use them in phishing attacks, for distributing malware, or for disinformation campaigns. The domains spotted include fbimaryland and fbi-ny, among others.

These domains can be used to host phishing kits or exploit kits, but they can also be used to set up official-looking email addresses. An email from one of these spoofed domains, with the FBI in the name, could easily trick someone into taking an action demanded in the email, such as disclosing their login details or opening a malicious email attachment.

Authentic Cloud Services Leveraged in Sophisticated Phishing Campaigns

There have also been phishing attacks detected in recent times that use legitimate cloud services to mask the malicious manner of the emails. Campaigns have been discovered that use links to Google Forms, Google Docs, Dropbox, and cloud services from Amazon and Oracle. Emails are sent that include fake alerts with links to these cloud services; however, once the link is clicked, the user is taken through a range of redirects to a malicious website hosting fake Office 365 login prompts that steal details.

Many of these campaigns involved checks to make sure the recipient is an actual person, with automated responses sent to official domains to prevent analysis. Phishers are still typosquatting – the name given to the use of domains with natural typographical mistakes – to catch out careless typists.

Sophisticated Campaigns Call for Sophisticated Cybersecurity Measures

The complex nature of today’s phishing and malware attacks, together with hackers’ constantly changing tactics, techniques, and procedures, mean it is becoming more and more difficult for end users to spot the difference between genuine and malicious emails. End user security awareness training is still crucial, but it has never been more important to have strong technical solutions in place to ensure that these threats are identified and blocked before any harm is inflicted.

The first line of defense against phishing is an email security gateway solution via which all emails need to pass before they land in inboxes. These solutions must employ a variety of advanced mechanisms for spotting malicious and suspicious emails, so should one mechanism fail to identify a malicious email, others are in place to provide security.

SpamTitan from TitanHQ is one such solution that links many tiers of protection to spot and block phishing and malware attacks via email. Checks are carried out on the message headers, content is analyzed, and machine learning is included to identify never before seen attacks, along with blacklisting of known malicious email addresses and domains. To block malware threats, SpamTitan employs dual anti-virus engines to prevent known threats and sandboxing to identify and block zero-day malware threats. Working seamlessly together, these mechanisms will block 99.97% of malicious emails.

An extra anti-phishing solution that you may not have thought about is a web filtering solution. Web filters are crucial for preventing the web-based component of phishing attacks and preventing individuals from visiting sites used for malware transmission. A web filter can also prevent redirects to malicious websites that hide behind links to genuine cloud services.

WebTitan from TitanHQ is an intelligent, DNS-based web filtering solution that employs automation and advanced analytics to prevent emerging phishing and other malicious URLs, not just those that have been already used in attacks and have been placed on blacklists. Through the use of AI-based technology, WebTitan can provide protection from zero-minute attacks.


Threat Landscape Dominated by Emotet Trojan

The Emotet Trojan first reared its head during 2014 and was first seen as a banking Trojan, leveraged to exfiltrate sensitive data such as bank account information from browsers when the user logs into their bank account. The Emotet Trojan has since undergone some changes and represents a much bigger threat to cybersecurity nowadays.

Emotet is easily spread to other devices, using a worm-like process to infect other devices on the network as well as hijacking the user’s email account and using it to send copies of itself to the victim’s contacts. Infected devices are added to the Emotet botnet and have been used in attacks on other organizations. The Emotet creators have now linked up with other hacking operations and are using their malware to distribute other Trojans such as TrickBot and QakBot, which in turn are used to distribute ransomware.

Data from HP Inc. revealed Emotet infections grew by 1,200% from Q2 to Q3, displaying the extent to which activity has increased recently. Data from Check Point show Emotet is the most serious malware threat, accounting for 12% of all infections in October 2020. TrickBot, which is delivered by Emotet, is the second biggest threat, accounting for 4% of infections.

The Emotet and TrickBot Trojans are driving the rapid rise of ransomware infections worldwide, especially attacks on healthcare organizations. The healthcare sector in the United States is being targeted by ransomware gangs as a result of the heightened chance of the ransom being paid. In a number of instances, the latest ransomware attacks have been made possible by previous Emotet and TrickBot infections.

Sadly, as a result of the efficient way that Emotet spreads, removing the malware can be tricky. It is likely that more than one device has been infiltrated, and when the Trojan is removed from one device, it is often reinfected by other infected devices in the organization.

Emotet is mainly distributed using phishing emails, most often using malicious macros in Word documents and Excel spreadsheets, although JavaScript attachments are also known to be used. The lures employed in the phishing emails vary greatly, often relating to recent news events, COVID-19, and holiday season themes in the build-up to Halloween, Black Friday, and Cyber Monday.

The wisest tactic to prevent infiltration is to block Emotet emails from reaching inboxes and to make sure that employees are trained how to spot phishing emails.

If you wish to safeguard your organization from Emotet and other malware and phishing attacks, give the TitanHQ team a call to discover more about SpamTitan Email Security.

Phishing Attack Prevention Solutions Lacking in Most Healthcare Organizations

The danger posed by phishing attacks is constant, especially for the healthcare sector, which is often targeted by cybercriminals as a result of the high profit to be earned from selling healthcare data and obtaining access to compromised email accounts.

Phishing attacks are having a massive impact on healthcare providers in the United States, which are recording record numbers of phishing attacks. The sector is also inundated with ransomware attacks, with many of the attacks beginning with a successful phishing attack, for instance one that delivers a ransomware installer like the Emotet and TrickBot Trojans.

A recent survey carried out by HIMSS on U.S. healthcare cybersecurity workers has shown the extent to which phishing attacks are meeting their intended targets. The survey, which was carried out during the period from March to September 2020, showed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of attacks.

One interesting detail discovered is the lack of proper protection against phishing and other email attacks. While 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely worrying that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity attacks.

Then there is multi-factor authentication, a feature that is highly effective at stopping stolen credentials from being used to remotely log in to email accounts. Microsoft stated in a Summer 2020 blog post that multifactor authentication will prevent 99.9% of attempts to use stolen credentials to log into accounts, yet multifactor authentication had only been implemented by 64% of healthcare groups.

That does represent a massive improvement on 2015, when the survey was last carried out and just 37% had put MFA in place, but it shows there is still room for improvement, especially in a sector that experiences more than its fair share of phishing attacks.

In the data breach reports that are needed for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare groups in the U.S. are required to comply with, it is common for breached groups to state they are putting in place MFA after suffering a breach, when MFA could have stopped that costly breach from occurring in the first place. The HIMSS survey revealed that 75% of groups augment security after experiencing a cyberattack.

The number of phishing attacks that are succeeding cannot be blamed on a single factor, but what is clear is that there needs to be larger-scale investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be a priority – one that can block phishing emails and malware attacks. Cybersecurity training must be conducted for staff for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also a crucial anti-phishing tactic.


Most Healthcare Groups Do Not Have the Correct Solutions to Prevent Phishing Attacks

The danger posed by phishers is constant, especially for the healthcare sector, which is often targeted by cybercriminals because of the high value of healthcare data and compromised email accounts. Phishing campaigns are having a massive impact on healthcare groups in the United States, which are reporting the highest ever numbers of successful infiltrations.

The industry is also heavily impacted by ransomware campaigns, many of which begin with a successful phishing attack, often one that delivers a ransomware downloader such as the Emotet or TrickBot Trojans.

A recent survey carried out by HIMSS on U.S. healthcare cybersecurity experts has revealed the extent to which phishing attacks are hitting their targets. The survey, which was distributed between March and September 2020, showed that phishing is the main cause of cybersecurity attacks at healthcare groups in the past 12 months, being cited as the cause of 57% of attacks.

One interesting revelation garnered from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed groups have implemented antivirus and antimalware solutions, it is extremely worrying that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity attacks.

Then there is multi-factor authentication. Multifactor authentication will not prevent phishing emails from being delivered, but it is highly effective at preventing stolen login details from being used to remotely access email accounts.

In the data breach reports that are necessary for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare groups in the U.S. are required to comply with, it is common for breached entities to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from happening in the first place. The HIMSS survey showed that 75% of groups augment security after being hit by a cyberattack.

These cyberattacks can also have a negative impact on patient treatment. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business management, and 20% said they resulted in financial losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had interfered with emergency treatment, with 17% saying they had resulted in patient harm. The latter figure could be an underestimate, as many groups do not have the mechanisms in place to see if patient safety has been impacted.

The number of phishing attacks that are hitting their targets cannot be attributed to a single factor, but what is clear is that there needs to be a higher level of investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be a top priority – one that can block phishing emails and malware attacks. Cybersecurity training must be conducted for employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing tactic.

One area of phishing security that is often ignored is a web filter. A web filter blocks the web-based component of phishing attacks, stopping employees from accessing websites hosting phishing forms. Given the sophistication of current phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also crucial.

TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to safeguard your network from the email- and web-based components of cyberattacks. Both of these solutions are provided at a reasonable cost, with flexible payment options.

If you want to enhance your defenses against phishing, prevent costly cyberattacks and data leaks, and the possible regulatory penalties that can follow, contact TitanHQ now.

New MacOS and Windows Malware Variants Sent by APT32 and TA416 APT Groups

Also known as OceanLotus, the Advanced Persistent Threat (APT) group APT32 is, at present, running a malware campaign trying to take advantage of Apple MacOS users. APT32 is a nation-state-funded collective that mainly attacks foreign companies with a base in Vietnam. The data stolen by the cybercriminals is thought to have been used to provide Vietnamese firms with a competitive advantage, although the precise motives behind the attacks are not known.

The group is renowned for using fully featured malware, which is often sent using phishing emails, alongside commercially available tools. The most recent malware strain was discovered by security experts at Trend Micro, who linked the malware to APT32 due to code similarities with other malware variants known to have been utilized by the group. The malware is a MacOS backdoor that permits the group to steal protected information such as business documents. The malware also gives the hackers the ability to download and install additional malicious programs on victim devices.

The malware is being delivered using phishing emails that have a zip file attachment disguised as a Microsoft Word document. If the recipient is convinced to open the attached file, no Word document will be displayed, but the first stage of the payload will execute in the background. The first stage changes access permissions, which allows the second-stage payload to be executed, which in turn leads to the third stage that downloads and installs the backdoor on the compromised device. This multi-stage delivery of the backdoor helps the malware to get around security solutions.

Safeguarding against attacks involves blocking the initial attack vector to prevent the phishing emails from being delivered to end users. End user security awareness training should be provided, and employees conditioned not to open email attachments from unknown senders. It is also advised to ensure computers are kept fully patched, as this will limit the ability of the group to use its malware to carry out malicious actions.

Chinese TA416 APT Group Delivering New Variant of PlugX RAT

The APT collective TA416 – aka Mustang Panda/Red Delta – is running a campaign to distribute a new strain of its PlugX Remote Access Trojan (RAT). TA416 is a nation-state-sponsored group with strong connections to the Chinese government and has previously conducted attacks on a wide range of targets around the globe.

The group is known for using spear phishing emails and social engineering tactics to deliver malware that allows the hackers to gain full control of an infiltrated computer. The attacks are conducted for espionage purposes; however, the malware has a wide range of capabilities. Along with stealing data, the malware can copy, move, rename, execute, and delete files, log keystrokes, and carry out other actions.

The new campaign delivers two RAR archives, which act as droppers for its PlugX malware. The theme of the emails in the most recent campaign is a supposed new agreement between the Vatican and the Chinese Communist Party.

The campaign was discovered by researchers at Proofpoint, who could not pinpoint the exact delivery method; however, TA416 is known to use Google Drive and Dropbox URLs in its phishing emails to deliver malicious payloads. One of the RAR files is a self-extracting archive that extracts four files and runs an Adobelm.exe file, which delivers a Golang version of the PlugX malware. The latest update to the PlugX RAT helps it evade security solutions.

Tackling the APT Threat

The tactics used by these and other APT groups to deliver malware are constantly changing, with phishing campaigns regularly amended to increase the likelihood of end users performing the desired action and to stop the campaigns being detected by anti-virus and anti-phishing solutions. The changes to the malware and campaigns are effective and can easily trick end users and bypass technical controls, especially signature-based antivirus solutions.

Advanced AI-based cybersecurity solutions are necessary to detect and block these threats. These solutions spot known malware variants and can also identify zero-day malware threats and never-before-seen phishing campaigns. They work by protecting against the two most common attack vectors – email and the web – stopping malicious messages from reaching inboxes and blocking downloads of malicious files from attacker-controlled websites.

IRS Phishing Spoof Involving Request for Outstanding Tax Payment Discovered

A recent phishing campaign has been discovered that spoofs the US Internal Revenue Service (IRS) and tells recipients that they are facing immediate legal action to recover a large tax repayment. These emails are expertly written and demand immediate payment to prevent legal action. The sender claims to have attempted to call the recipient without success and to have been forced to take legal action.

Unlike other scams that ask for login credentials or attempt to get the user to open file attachments to trigger a malware download, this particular attack uses social engineering techniques to frighten the recipient into making contact by email to resolve the supposed issue. The aim of the scam is to get the recipient to send money or share their financial account information.

The scammers have purposely left out any hyperlinks or attachments to increase the chances of the emails reaching inboxes and evading anti-spam solutions. The message body contains all the classic hallmarks of a phishing scam:

  • There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
  • There is a threat of negative consequences if no action is taken – Legal action to recover funds
  • The request is plausible, but an atypical request is made – to only make contact via email

The emails include a case file number, detail the outstanding amount – $1460.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will begin within four days if payment is not made in that time, and that the opportunity for voluntary action to fix the issue is coming to an end. Adding to the threat of legal action, the recipient is told that credit reference bureaus may also be notified about this supposed late/missed payment, negatively impacting their credit score.

These emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” which suggests that this is not the first time the message has been sent, emphasising that this is a ‘final warning’.

These phishing emails highlight the importance of stopping and thinking about what any email is asking you to do before responding – no matter how serious the threat might seem. Any request for payment should be verified over the phone, using contact information obtained from a trusted source. A call to the IRS would quickly expose this scam.

Precautions have been taken to make the emails seem more legitimate, such as making it appear that the sender's address is – a legitimate domain used by the IRS. However, the reply-to email address supplied is – clearly not a real IRS domain name. The emails do include a postal address, but no telephone number. An IRS official would provide full contact information, but the IRS would never initiate contact by email.

The reason these scams succeed is that they rely on individuals responding quickly without thinking. An effective spam filter will detect these scam emails and quarantine or reject the messages.

Sextortion Scam Targets Zoom Users

One of the main business successes of the Covid-19 pandemic is the Zoom video conferencing app, which registered over 300 million new users by the end of April, driven by the needs of remote workers and long-distance communication.

This new working routine means that some remote workers take a more haphazard attitude towards cybersecurity and what they do in front of their laptop cameras. This comfort zone has resulted in a new way for hackers to target staff and companies: Zoom sextortion scams.

Sextortion has become a new vector of attack for hackers to steal money from unsuspecting individuals. The scam is largely email-based and relies on blackmail. Sextortion, also called ‘porn scams’, is not a new cybersecurity threat. A recent report released by Sophos discovered that millions of sextortion emails were broadcast in 2019-2020, earning the fraudsters behind the emails over $500,000. Hackers love successful scams, so they continue to come up with new campaigns based on a successful theme.

The sextortion emails normally include a threat to make public sexually explicit material, usually a video. The hacker explains in the sextortion email that the video was recorded by malware downloaded onto the user’s device. The threat continues that if the victim does not meet the ransom demand (usually in bitcoin) within a given time period, the compromising video will be shared with the user’s contact list.

An example of a sextortion email (received recently) is displayed here:

As always, hackers are talented at spotting an opportunity, and as Zoom has become a major part of our daily lives, cybercriminals have adapted their sextortion tactics to the video conferencing platform. This most recent sextortion campaign, ‘Zoom sextortion’, has been connected to an incident involving TV analyst Jeffrey Toobin. Toobin was caught in a compromising position on a Zoom video conference with other media workers. While Toobin was not himself a victim of sextortion in this instance, the fact that such a famous person was captured ‘on camera’ in a compromising position has allowed fraudsters to use the incident as added pressure in sextortion email campaigns.

Email is again the central vector in the Zoom sextortion campaign. As the Zoom app increased in use, security was quickly identified as a major area for concern. “Zoombombing”, involving Zoom conferences being invaded by uninvited users, was a particular issue in the early days of COVID-19 lockdown. In March, the FBI released a warning about the hijacking of Zoom and other video conferencing services. The security weaknesses exploited in the Zoombombing attacks centered on access control.

This most recent Zoom sextortion campaign exploits two weaknesses: Zoom users' fears about the platform's security, and the fear of being caught doing something embarrassing on camera during a Zoom call.

The sextortion email claims that a zero-day flaw in the Zoom app has permitted access to the victim’s camera and other device metadata. The hacker continues by claiming that they have captured embarrassing footage of the user during a Zoom meeting, referencing the Jeffrey Toobin case.

“I do not want you to be the next Jeffrey Toobin” — states the sextortion scammer…

Most workers being sent this email will not feel threatened. However, a small number of people may feel bullied and concerned that even a minor misdemeanor may end in a warning or even a sacking. Due to this, the victim may decide to pay the ransom, which in this particular scam is $2000 in bitcoin.

Cyber-extortion is becoming more popular as hackers look for quick wins.

QBot Trojan Distributed in Election Interference-Themed Phishing Emails

Cybercriminals recently seized the chance to attack the millions of people watching US presidential election coverage by conducting a malware campaign disguised as emails claiming to hold information about possible election interference.

As the high volume of postal votes led to delays in the release of official results, with legal challenges and recounts being demanded, traffic to related news reports has been very high. Spam campaigns exploiting this situation began to be distributed not long after the polls closed. The emails carried the Qbot banking Trojan, which, when opened by recipients, resulted in the hijacking of the email account. The hijacked account was then used to send the email on to more contacts.

In this campaign, the malware searches the compromised mailbox for emails including the term “election” and sends a reply to those emails. A zip file named “ElectionInterference” is attached to the reply, with the zip file containing a malicious spreadsheet. These messages aim to encourage the recipient to open the attached spreadsheet to find important details about interference in the US election. With incumbent President Trump continuing to claim that fraud occurred during the election count, these messages seem very credible to recipients. The spreadsheet is styled to look like a legitimate DocuSign file, and the user is instructed to enable content to decode the file and see its contents. However, doing so allows macros to run, which quietly download the Qbot Trojan.

The Qbot Trojan was created in 2008 but has had many updates over the years, including the addition of many new features to evade modern security solutions. These include the ability to hijack Outlook email threads, the same technique used by the Emotet Trojan to increase the chances of its malicious content being opened by recipients.
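Defensive triage logic for two of the email patterns on this page, written as an added example rather than TitanHQ's or SpamTitan's own code: the IRS payment-demand emails described earlier (spoofed sender with a mismatched Reply-To, urgency and threat wording, no links or attachments, a “Re: Re:” subject that was never a real reply) and the QBot/Emotet reply-chain lures carrying a zip-wrapped Office document with a VBA project. The sample messages, keyword lists, finding names and the minimal stand-in .xlsm are constructed assumptions; a hijacked reply comes from a genuine account, so for that pattern the attachment check carries the weight.

```python
# Added example (not TitanHQ/SpamTitan code): samples, keywords, names are mine.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

URGENCY = ("immediate", "within four days", "final warning", "urgent")
THREATS = ("legal action", "warrant", "arrest", "credit score")
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsb", ".xlsx")

def domain_of(addr):  # lowercase domain of an address header value, '' if absent
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def has_vba(data):
    """True if a zip-based (OOXML) Office file carries a vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:  # legacy OLE .doc/.xls would need an OLE parser
        return False

def inspect_zip(data):
    """(office_names, macro_names) found inside an attached zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            office = [n for n in zf.namelist() if n.lower().endswith(OFFICE_EXT)]
            macro = [n for n in office if has_vba(zf.read(n))]
    except zipfile.BadZipFile:
        office, macro = [], []
    return office, macro

def triage(raw):
    """Sorted list of finding names for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    attachments = list(msg.iter_attachments())
    findings = set()
    # Spoofed visible From: address with a Reply-To pointing somewhere else.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != domain_of(msg["From"]):
        findings.add("reply-to-mismatch")
    if any(k in text for k in URGENCY):
        findings.add("urgency")
    if any(k in text for k in THREATS):
        findings.add("threat")
    # Payment-demand scams omit links and attachments to slip past filters.
    if not re.search(r"https?://", body) and not attachments:
        findings.add("no-links-or-attachments")
    # A "Re: Re:" subject without threading headers was never a real reply.
    if text.startswith("re:") and not (msg["In-Reply-To"] or msg["References"]):
        findings.add("orphan-reply")
    # Zip-wrapped Office documents are the QBot/Emotet delivery style.
    for att in attachments:
        if att.get_content_type() == "application/zip":
            office, macro = inspect_zip(att.get_content())
            if office:
                findings.add("office-doc-in-zip")
            if macro:
                findings.add("macro-in-attachment")
    return sorted(findings)

def verdict(findings):
    """Collapse findings into one label a mail gateway could act on."""
    f = set(findings)
    if {"urgency", "threat", "no-links-or-attachments"} <= f:
        return "payment-demand-scam"
    if "macro-in-attachment" in f or "office-doc-in-zip" in f:
        return "macro-lure"
    return "review" if f else "clean"

# Constructed sample: the IRS payment-demand scam described on this page.
IRS_SCAM = """\
From: "IRS Collections" <collections@irs.gov>
Reply-To: casefile@irs-collections.example.net
Subject: Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST
Content-Type: text/plain

We tried to call you without success. Immediate resolution is necessary, or
legal action begins within four days to recover $1460.61. Reply by email only.
"""

def build_qbot_sample():
    """Constructed reply-chain lure: zip holding a macro-enabled spreadsheet."""
    xlsm, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:  # minimal stand-in for an .xlsm file
        zf.writestr("xl/vbaProject.bin", b"constructed macro stub, not real VBA")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("ElectionInterference.xlsm", xlsm.getvalue())
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"  # hijacked but genuine account
    msg["Subject"] = "Re: election results briefing"
    msg["In-Reply-To"] = "<thread-id@example.com>"  # replies to a real thread
    msg.set_content("Enable content to view the attached election interference data.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="ElectionInterference.zip")
    return msg.as_string()
```

Run `triage()` over a mailbox export and route anything with a verdict other than "clean" to quarantine or analyst review; the keyword lists are the part to tune against your own mail.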

In addition to targeting customers of large financial institutions, the Qbot Trojan aims to steal sensitive information such as credit card details and passwords. Qbot is also a malware downloader, and its operators partner with other threat groups to deliver malicious payloads at scale, including ransomware.

These threat actors take advantage of any opportunity to infect devices with malware. Large numbers of COVID-19-themed lures and election-themed spam emails are likely to be distributed as further legal action is expected in relation to the election results. Threat actors will also target Black Friday, Cyber Monday and other holiday periods with phishing lures to steal credentials and spread malware.

All businesses can defend against these phishing and malspam campaigns using a combination of spam filters, web filters, antivirus software and end user training. For more information on protecting your business against email- and web-based threats, contact TitanHQ now.

Emotet Trojan Being Spread Using New Windows Update Lure

The Emotet Trojan is one of the most widespread forms of malware currently being used to try to infiltrate databases.

This Trojan is usually distributed via spam email campaigns using a range of lures to convince users to download the Trojan file. These spam emails are generated by the Emotet botnet – an army of zombie devices that have been infected with the Emotet Trojan. The Trojan takes over the victim’s email account and uses it to send copies of itself to the victim’s company contacts, using the email addresses in the victim’s contact list.

Emotet emails typically have a corporate theme, since it is business users that are targeted by the Emotet operators. Campaigns often use proven phishing lures including fake invoices, purchase orders, shipping notices, and CVs, with the messages often including minimal text and an email attachment that the recipient is required to open to view additional details.

In a lot of cases Word documents are sent containing malicious macros which install the Emotet Trojan on the victim’s computer. In order for the macros to run, the user is required to click ‘Enable Content’ when they open the email attachment.

The attached documents use a range of tricks to get users to enable content. Often the documents claim that the Word document was created on an iOS or mobile device and that content needs to be enabled before it can be accessed, or that the contents of the document have been protected and will not be displayed unless content is enabled.

Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining that a Windows update needed to be installed to upgrade apps on the device, which were supposedly preventing Microsoft Word from displaying the document contents. Users were told to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.

The Emotet Trojan does not just add devices to a botnet and use them to launch more phishing campaigns. One of the main uses of Emotet is to install other malware variants on infected devices. The operators of the Emotet botnet are paid by other threat actors to deliver their malware payloads, such as the TrickBot Trojan and QBot malware.

TrickBot started out as a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few years to include a range of new functions. TrickBot still behaves like a banking Trojan, but it is also a stealthy information stealer and malware installer, as is QBot malware.

As is the case with Emotet, once the operators of these Trojans have achieved their objectives, they deliver a secondary malware payload. TrickBot has been widely used to deliver Ryuk ransomware, one of the biggest ransomware threats around at present. QBot has linked up with another threat group and delivers Conti ransomware. From just one phishing email, a victim could therefore receive Emotet, then TrickBot or QBot, and then be hit with a ransomware attack.

For these reasons it is crucial for companies to select an effective spam filtering solution to block the initial malicious emails at source and stop them from being delivered to corporate inboxes. It is also important to provide security awareness training to staff members to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.

Groups that depend on the default anti-spam defenses that come with Office 365 licenses should think about configuring an extra spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are sent to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.

To find out more about the full package that comes with SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, call the SpamTitan team now.


Surge in Hospital Attacks Using Ryuk Ransomware

The hacking group that created Ryuk ransomware – thought to be an eastern European hacking group known as Wizard Spider – has increased attacks targeting hospitals and health systems in the United States. This week a range of attacks on hospitals from the Californian coast to the eastern seaboard has taken place, with 6 Ryuk ransomware attacks on hospitals reported in just one day.

Ryuk ransomware can inflict widespread file encryption across entire networks, disabling systems and stopping medics from accessing patient data. Even when the ransomware is removed quickly, systems must be taken offline to stop it spreading. While hospitals have disaster protocols for exactly this kind of incident and patient data can be recorded using pen and paper, the disruption caused is massive. Non-essential procedures and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical centers.

It is not known if any ransomware attacks on U.S. hospitals have led to deaths, but there was recently a death in an attack in Germany, where a patient was sent to a different hospital and died before lifesaving treatment could be carried out. Had the ransomware attack not taken place, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to lead to a fatality, especially in such a large-scale, coordinated campaign.

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) released an advisory after credible evidence emerged indicating that Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to surge.

It is not known why the attacks have spiked now, nor the specific motives for the current campaign, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity companies, disrupted the TrickBot botnet – a group of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group from the Ryuk operators, but it was widely used to deliver Ryuk ransomware. The botnet is back up and operational, with the threat actors having switched to a different infrastructure, but there have been suggestions that the current campaign could be a response to the takedown.

The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are fighting the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the beginning of the pandemic. Hospitals cannot afford to find themselves in a position where systems are taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little option other than paying the ransom to keep disruption to a minimum. The ransomware gang planned the attacks to cause maximum disruption.

Ryuk ransomware attacks on hospitals in the United States had been increasing over time prior to the latest surge. Figures published by Check Point Research in recent days show ransomware attacks on hospitals grew by 71% from September, with healthcare the most targeted industry sector, not only in October, but also in Q3, 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.

There is some worry that the most recent attacks are just the tip of the iceberg. Some security experts suggest the gang is looking to attack hundreds of hospitals and health groups in the United States in this campaign. Every attack on a health system could see many hospitals impacted. The attack this week on the University of Vermont Health Network hit seven hospitals.

Defending against ransomware attacks can be a challenge, as a number of different methods are used to obtain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is itself delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are sent via phishing emails, so a good spam filter is vital.

Staff should be made aware of the heightened threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed and complex passwords set, with multi-factor authentication implemented where possible. If systems do not need to be connected to the Internet, they should be disconnected, and RDP should be turned off.

It is also crucial for backups of critical data to be made regularly and for those backups to be stored safely on non-networked devices, to ensure that in the event of an attack hospitals have the option of recovering their data without having to meet the ransom demand.

More details on indicators of compromise and other mitigations can be seen here.

Remote Workforce Ideally Suited for Cloud-Based Email Solutions

Universities and other higher education establishments are at risk of data breaches and malware threats, the same as all big organisations. From any cyber criminal's perspective, schools and universities represent a big target. Personal and financial data held in university systems are very valuable to cyber criminals.

The potential consequences of a data theft are huge – reputational, legal, economic and operational. Future funding could be affected, as could student fees and associated income.

Prosecution and other penalties could also follow the loss of sensitive data. Even the infrastructure could sustain significant damage that disrupts the activities of the institution.

A malware attack was so severe that a Minnesota school had to shut down completely for a full day. Repairing the damage could take weeks, and it could have been avoided.

A crypto-ransomware attack encrypted an entire New Jersey school network very recently. The source of the infection is still unclear, but it may have been that someone opened a malicious email attachment or an unsafe app, or simply visited a website carrying malicious advertisements.

The nature of the university campus and its network is where the biggest differences between higher-education establishments and the corporate network lie. University network infrastructure is made up of many dispersed networks and is often complex. There are certain environments where the concept of tight data security has traditionally been unhelpful or, in some cases, unwanted. When a big institution thrives on the free exchange of data and ideas, it isn’t easy to apply the same high-tech security measures larger companies can.

When cyber criminals target educational organisations, timing is critical. The new school year always means scammers are segmenting their email databases to launch calculated and planned attacks as soon as students and employees come back online. Every year scammers launch new spam and phishing campaigns; fake welcome emails, password reset emails and banking notifications are just a few of the ways spammers try to get at your data.

The internet has provided the education sector with some great and unique opportunities and some major headaches. Educators continue to come up with the best way to help kids use the internet to do with school whilst protecting them from an array of online dangers. 

And blocking inappropriate content doesn’t have to block learning too. As students spend a lot more time connected to the web ensuring this time is spent safely is vital. By scanning the page content , WebTitan’s content engine can keep up with the ever changing nature of the web. 

Educational Institutions need to filter for the following reasons:

  • Student safety  – protection from dangerous, inappropriate or illegal sites
  • Network security
  • Identify  cyberbullying
  • CIPA compliance
  • Application of  Acceptable internet Usage Policies
  • Control bandwidth 
  • Ability to monitor

It is your vital duty as an education establishment to provide a safe and effective learning environment. Schools are legally obliged to demonstrate reasonable and proper measures to control access to the internet. There is a fine balance on what has to be allowed and what possible security measures can be put in place. Security in all organisations, commercial of academic is a trade off between the likelihood and possible impact of an attack and the financial cost or loss of utility thay age incurred in defence.

Malware Attacks Being Used by Cybercriminals to Target Schools

Universities and other higher education establishments are at risk of data breaches and malware attacks, just like any large organisation. From a cyber criminal's perspective, schools and universities represent a big target: the personal and financial data held in university systems is very valuable to them.

The potential consequences of a data theft are huge: reputational, legal, economic and operational. Future funding could be affected, as could student fees and associated income. Prosecution and other penalties could follow the loss of sensitive data, and the infrastructure itself could sustain damage that disrupts the activities of the institution.

One malware attack was so severe that a Minnesota school had to shut down completely for a full day. Repairing the damage could take weeks, and the attack could have been avoided.

Very recently, a crypto-ransomware attack encrypted an entire New Jersey school network. The source of the infection is still unclear, but it may have been someone opening a malicious email attachment, installing an unsafe app, or simply visiting a website carrying malicious advertisements.

The nature of the university campus and its network is the big difference between higher-education establishments and the corporate world. University network infrastructure is often complex, made up of many dispersed networks. In some environments the concept of tight data security has traditionally been seen as unhelpful or, in some cases, unwanted. When a large institution thrives on the free exchange of data and ideas, it is not easy to apply the same security measures that large companies can.

When cyber criminals target educational organisations, timing is critical. The new school year always sees scammers segmenting their email databases so they can launch calculated, planned attacks as soon as students and employees come back online. Every year scammers launch new spam and phishing campaigns; fake welcome emails, password reset emails and banking notifications are just a few of the lures used to get at your data.

The internet has given the education sector some great and unique opportunities, and some major headaches. Educators continue to look for the best ways to help kids use the internet for schoolwork while protecting them from an array of online dangers.

Blocking inappropriate content does not have to block learning too. As students spend much more time connected to the web, ensuring that time is spent safely is vital. By scanning page content, WebTitan's content engine can keep up with the ever-changing nature of the web.

Educational institutions need web filtering for the following reasons:

  • Student safety – protection from dangerous, inappropriate or illegal sites
  • Network security
  • Identifying cyberbullying
  • CIPA compliance
  • Enforcement of acceptable internet usage policies
  • Bandwidth control
  • Monitoring capability


It is your vital duty as an education establishment to provide a safe and effective learning environment. Schools are legally obliged to demonstrate reasonable and proper measures to control access to the internet. There is a fine balance between what has to be allowed and what security measures can be put in place. Security in any organisation, commercial or academic, is a trade-off between the likelihood and potential impact of an attack and the financial cost or loss of utility incurred in defending against it.

Infrastructure Takedown Hinders TrickBot Phishing Campaigns

The majority of modern businesses have put in place a hybrid workforce model, where employees can carry out their duties whether based in the office or working from home. This model is ideal for most companies due to the flexibility it provides.

Recent research by Gartner has revealed that, since the beginning of the coronavirus pandemic, 88% of companies have made remote working mandatory. This quick shift from an office-based to a remote workforce caused major issues for IT departments, but it has allowed businesses to continue operating as close to normal as possible. There have been productivity issues and technical obstacles to overcome, but most importantly workers have been able to stay in touch and collaborate using chat platforms, videoconferencing and the telephone, and some companies have even recorded enhanced productivity using these communication methods.

Even with the growing number of methods for collaborating and keeping in contact, remote working has made companies and their staff dependent on email to a much greater extent. This higher reliance on email means it is now crucial to make sure that emails can be accessed come what may, because a compromised email server would bring work to a halt.

The majority of companies use email to hold vital information, and much of the data in emails is not held anywhere else. A report from IDC states that approximately 60% of business-critical data resides in emails and email attachments, and that was before the pandemic took hold.

There is a lot of legislation and regulation governing business data at the federal, state and industry level. Set retention periods apply to specific types of data, regardless of where the data is held. If the information is stored in emails, that information must be protected and secured against accidental or deliberate deletion until the retention period has ended.

Backups of emails can be made to meet certain regulations, but there are problems when it comes to retrieving emails. Locating emails in backups can be a time-consuming task that takes days or weeks, and even locating the appropriate backup media can be a major issue before you can search for emails within it.

The best way to ensure privacy and security, meet compliance obligations and make sure that emails and attachments never go missing is to set up an email archiving service. Email archives are built for long-term data storage and can be easily searched, so when emails need to be located and retrieved the task takes seconds or minutes. A tamper-proof record of all emails is retained for compliance purposes, to protect against data loss and to ensure business continuity should something unwelcome happen.

Most companies have set up an on-premises email archive, but this is far from ideal in a world where almost all staff members are working remotely. After the pandemic ends, many staff members will go back to the office, but remote working looks set to remain. The ideal option is therefore an email archiving solution that suits remote or hybrid working.

Cloud-based email archives centralize disparate email servers and hold all emails safely in the cloud where they can be quickly and simply retrieved by any authorized individual, from any location. As many companies now use cloud-based email, sending emails to a cloud-based archive makes more sense than using on-site archives. Sending emails to the archive and recovering emails will be far faster from a cloud service to a cloud service.

If you have an on-site email archive, moving to a cloud-based service can save time and money. There is no hardware to manage or software updates to perform, the archive is automatically backed up so that emails can always be retrieved, and storage space will never be an issue thanks to the scalability of the cloud.

10 Reasons Why Archiving Email Is Important for Your Business

Losing email would be detrimental to the workings of any modern company. The vast majority of the information held in old emails is typically not saved elsewhere, so losing emails to a technology failure, or having them stolen or locked by hackers, is not a desirable course of events.

Along with the inconvenience of business interruption there are also regulatory issues to take into account, as you could be fined if a breach takes place. In addition, emails may be needed in the event of an official investigation, and not retaining them could prove a costly mistake. Even though the majority of companies perform backups in order to be prepared for a disaster, there are issues with this approach: backups are not searchable in the way that archives are. The best solution for preserving your emails is to establish a reliable archive. Here we have listed 10 reasons for doing so.

10 Reasons Why Businesses Should Archive Emails

  1. Stopping Data Loss: Emails are placed in your archive for long-term, safe storage. Emails can easily be retrieved from the archive should an employee accidentally remove something important from their inbox.
  2. Mail Server Performance: As emails make up so much of the correspondence your company handles, they place a massive strain on email servers. Moving old email to the archive relieves this pressure and can result in better performing servers.
  3. Litigation and eDiscovery: In the event of a lawsuit, you are likely to be required to produce emails related to the case and you will only have a short period of time in which to respond. Finding emails in PST files and backups can be an extraordinarily time-consuming process, and you may have to search through several years of email data to find all the emails you need. You must also ensure that the messages are original and have not been altered in any way. An email archive makes responding to eDiscovery requests and finding and producing emails a quick and simple process.
  4. Less Work for IT Departments: If employees delete or lose important emails, the IT support desk is the first port of call. Placing emails in an archive eliminates email storage issues and makes the support team's work much easier, especially if staff members can access their own email archives.
  5. Recovery during Disaster: Email data can easily be lost if there is an issue with hardware or the theft of a device. When emails are moved to the archive they can be swiftly and simply retrieved.
  6. Regulatory Compliance: An email archive assists with all regulatory compliance tasks. Data can be categorized and retention periods can be created with emails automatically erased when the legal retention period is ended.
  7. Data Access and Right-to-be-Forgotten Requests: The General Data Protection Regulation (GDPR) and other laws give people the right to access all data that a company holds on them. If a request for access to personal data is made, the data must be produced promptly. An email archive allows you to quickly search email data and process right-of-access and right-to-be-forgotten requests.
  8. Internal Audits: An email archive makes the internal review process quick and simple and negates the need to include the IT department.
  9. Business Continuity: No matter what happens, you can easily access old emails with the advanced search capability of an email archiving solution, ensuring business continues as usual.
  10. Addressing Costs: Looking for lost emails, managing email servers, answering eDiscovery requests and producing email data for audits can take a massive amount of time. An email archive cuts the time that needs to be dedicated to these tasks and allows you to avoid unnecessary expense.

Solution: Use ArcTitan

ArcTitan is a strong, safe, cloud-based email archiving solution provided by TitanHQ that means emails will never be lost. Quick searches can be completed when you need to find old emails, with emails sent to the archive automatically at a rate of 200 emails a second with searches of 30 million emails taking less than one single second. There are no restrictions on storage space, no onsite hardware needed and you only pay for the number of active mailboxes. Companies that use ArcTitan normally save up to 80% of email storage space.


CISA Issues Alert Regarding Rise in LokiBot Malware Attacks

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has released a public warning about a marked rise in LokiBot malware activity recorded over the past two months.

Also known as Lokibot, Loki PWS and Loki-bot, LokiBot first came to the fore in 2015. It is a sophisticated information stealer used to obtain credentials and other protected data from victim devices. The malware targets Windows and Android operating systems and uses a keylogger to capture usernames and passwords while monitoring browser and desktop activity. LokiBot can capture login credentials from a range of applications and data sources, including the Safari, Chrome and Firefox web browsers, along with login details for email accounts and FTP and SFTP clients.

The malware can also steal other sensitive data, including cryptocurrency wallets, and can set up backdoors on infected devices to permit ongoing access, allowing its operators to deliver additional malicious payloads.

The malware establishes a connection with its command and control server and exfiltrates the stolen data over HTTP. It has been observed injecting itself into legitimate Windows processes such as vbc.exe to avoid detection, and it can also create a copy of itself that is saved to a hidden file and directory on the infected device.

The malware may be quite simple, but that has made it a useful tool for a wide range of cybercriminals, and it is being deployed in a wide variety of data-theft attacks. Since July, CISA's EINSTEIN Intrusion Detection System has tracked a huge spike in LokiBot activity.

LokiBot is typically delivered via a malicious email attachment; however, since July the malware has been distributed in a range of other ways, including links to websites hosting the malware sent via SMS and text messaging software.

Information stealers have been in vogue since the beginning of the COVID-19 pandemic, LokiBot in particular. To tackle attacks like this, your organization should use strong email and web security solutions such as SpamTitan and WebTitan.

SpamTitan is a robust email security solution that blocks phishing emails at source, stopping dangerous messages from landing in mailboxes. WebTitan is a DNS filtering solution used to control the web pages that can be accessed on wired and wireless networks, restricting access to pages used for phishing and malware delivery.

WebTitan and SpamTitan can be used as part of a free TitanHQ trial.

Phishers Using Fake GDPR Compliance Reminders for CyberAttacks

A GDPR-related spam campaign has been identified in which phishers send out fake GDPR compliance reminders in an attempt to trick unsuspecting recipients into handing over login credentials.

The campaign was first identified by researchers at the cybersecurity firm Area 1 Security. They detailed how the attack involves phishers sending an alert notification to a list of company email addresses that they probably purchased from a black-market vendor.

An Area 1 representative stated: “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.”

They went on: “On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions.”

If a recipient visits the website linked in the email, they are taken to a web page loaded with malware and phishing lures. The site steals their login credentials, giving the attackers access to their company email account. Those accounts can then be used to spread the campaign further within the company, resulting in yet more cyber crime. The phishing website is hosted on a compromised, outdated WordPress site.

Another characteristic of this campaign is that the URL has a degree of personalization, as the recipient's (target's) email address is auto-completed in an HTML form on the malicious web page. The username field and the email address field (taken from the URL’s “email” parameter) are also pre-filled. Such precision can persuade recipients that the website they are viewing is genuine and lead them to supply their login details.
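The two indicators described above, a HELO name that claims the target's own domain and a link that already carries the recipient's address in its “email” parameter, can be checked mechanically on an inbound message. The Python script below is an added example, not Area 1 Security's or TitanHQ's code; the domain victim-corp.example, the IP addresses and both sample messages are constructed for illustration.

```python
"""Check a raw email for two indicators of the GDPR-lure campaign:
(1) the hop that accepted the mail from outside announced our own domain in
    HELO, yet did not connect from one of our own mail servers;
(2) a link in the body carries the recipient's address in a query parameter,
    the pre-filled login form described in the write-up.
Added example; all names, addresses and messages below are constructed."""
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, urlparse

OUR_DOMAIN = "victim-corp.example"                    # constructed
OUR_MAIL_HOSTS = {"198.51.100.10", "198.51.100.11"}   # IPs our own MTAs send from (constructed)

RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def check_helo(msg):
    """Each relay prepends its own Received header, so the last one is the
    edge hop; compare the HELO name it recorded with the connecting IP."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.match(" ".join(str(received[-1]).split()))
    if not m:
        return None
    helo = m.group("helo").rstrip(".").lower()
    ip_match = IP_RE.search(m.group("info"))
    ip = ip_match.group(1) if ip_match else "unknown"
    claims_our_domain = helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN)
    if claims_our_domain and ip not in OUR_MAIL_HOSTS:
        return f"HELO claims {helo} but the connection came from {ip}"
    return None


def check_personalized_links(msg, recipient):
    """Flag links whose query string already contains the recipient's address."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []
    for url in URL_RE.findall(text):
        for key, values in parse_qs(urlparse(url).query).items():
            if any(v.lower() == recipient.lower() for v in values):
                findings.append(f"link carries recipient address in '{key}' parameter: {url}")
    return findings


def phishing_indicators(raw, recipient):
    """Return the list of indicator strings found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    helo = check_helo(msg)
    if helo:
        findings.append(helo)
    findings.extend(check_personalized_links(msg, recipient))
    return findings


# Constructed sample modelled on the campaign described above.
SUSPICIOUS = """\
Received: from victim-corp.example (unknown [203.0.113.45])
    by mx.victim-corp.example with ESMTP; Tue, 14 Jul 2020 09:12:31 +0000
From: "Mail Compliance" <compliance@victim-corp.example>
To: alice@victim-corp.example
Subject: GDPR compliance action required
Content-Type: text/plain; charset="utf-8"

Your email security is not GDPR compliant and requires immediate action.
Verify now: https://compromised-blog.example/wp-content/verify.php?email=alice@victim-corp.example&id=4411
"""

# Constructed internal message: sent by our own MTA, no personalised link.
BENIGN = """\
Received: from mail1.victim-corp.example (mail1.victim-corp.example [198.51.100.10])
    by mx.victim-corp.example with ESMTP; Tue, 14 Jul 2020 10:02:00 +0000
From: it-helpdesk@victim-corp.example
To: alice@victim-corp.example
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

Portal maintenance tonight: https://intranet.victim-corp.example/status?window=2020-07-14
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, phishing_indicators(raw, "alice@victim-corp.example"))
```

In a real deployment the set of permitted sender IPs would be taken from the domain's SPF record rather than hard-coded, and the check would run at the mail gateway before delivery; the logic of comparing the announced HELO name with the actual connecting host is the same.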

To prevent attacks like this you should deploy a cybersecurity solution like SpamTitan, a powerful email security package that stops phishing emails at source, preventing dangerous messages from landing in mailboxes. SpamTitan and WebTitan can both be used as part of a free trial.

Media and Finance Attacked in Palmerworm Espionage Malware Targeting Campaign

A recent Symantec report indicates that Palmerworm attacks are on the rise for the first time since 2013.

It was recently discovered that the malware has been more persistently active in 2020 and even remained on an unnamed corporate network for almost six months. The hackers behind Palmerworm have added new malware to the advanced persistent threat (APT) campaign, which is aimed at mainstream media and financial groups in the US, Japan, Taiwan and China.

Even though Symantec was unable to discover the initial attack vector, the attacks are thought to have begun with a phishing campaign. Palmerworm uses a unique approach to fool users into running malicious content: the malware is signed with stolen certificates, making users believe that the software is genuine.

Code signing is a way to tell operating systems and users who developed a piece of software. When users attempt to install software, the operating system shows the publisher. The publisher signs the software using private keys that only the publisher should possess. An example of a code-signing prompt is shown here:


In this image, the user can see that the publisher is Microsoft and will allow the program to be installed. Palmerworm's authors use stolen code-signing keys to sign their software, which makes it highly likely that users will install the malware.
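To make the point about stolen keys concrete, here is an added Python example (not Symantec's or TitanHQ's code) built on deliberately tiny textbook RSA: a signature made with the legitimate publisher's key verifies, a signature made with that same key after it has been stolen verifies just as well, and only a revocation check on the key's fingerprint lets the verifier reject the malicious binary. The two Mersenne primes, the truncated digest and the fingerprint scheme are toy constructions chosen only to keep the arithmetic visible.

```python
"""Toy code-signing verifier: why a valid signature alone is not enough once a
publisher's key has been stolen. Added example with constructed parameters;
textbook RSA over two small Mersenne primes, far too small for real use."""
import hashlib

P = 2**127 - 1   # Mersenne prime (toy size, constructed for this example)
Q = 2**89 - 1    # Mersenne prime
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) textbook-RSA keys: public=(n, e), private=(n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes) -> int:
    """SHA-256 of the binary, truncated to 192 bits so it stays below the toy
    modulus (about 216 bits). Real schemes pad instead of truncating."""
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """The check an OS performs: does the signature open to the binary's hash?"""
    n, e = public
    return pow(signature, e, n) == digest(data)


def fingerprint(public) -> str:
    """Stable identifier for a signing key, used by the revocation list."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def verify_with_revocation(public, data: bytes, signature: int, revoked: set) -> bool:
    """A signature is only trustworthy if the key that made it is not revoked."""
    return fingerprint(public) not in revoked and verify(public, data, signature)


def demo():
    pub, priv = keygen()
    installer = b"legitimate publisher build 1.2.3 (constructed bytes)"
    malicious = b"malicious build signed with the stolen key (constructed bytes)"
    results = {}

    # Normal case: the publisher signs its own release and the OS accepts it.
    results["legit_ok"] = verify(pub, installer, sign(priv, installer))
    # Tampering with the binary after signing breaks the signature.
    results["tampered_rejected"] = not verify(pub, installer + b"x", sign(priv, installer))

    # Stolen key: the attacker signs malware with the very same private key.
    stolen_sig = sign(priv, malicious)
    results["stolen_key_passes_plain_check"] = verify(pub, malicious, stolen_sig)

    # Mitigation: once the theft is reported, the key's fingerprint is revoked
    # and the verifier refuses anything it signed, valid signature or not.
    revoked = {fingerprint(pub)}
    results["stolen_key_rejected_after_revocation"] = not verify_with_revocation(
        pub, malicious, stolen_sig, revoked)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lesson for defenders is in the last two results: the signature on Palmerworm's binaries is mathematically valid, so a plain signature check cannot tell stolen-key malware from a genuine release. Only certificate revocation, a current revocation list and anti-malware that looks at the code rather than just the signature close that gap.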

Palmerworm uses custom malware and some freely available software to deliver its payload. The malware is a collection of backdoors that give the hackers access to the network and allow them to remain on a corporate network even after administrators think it has been removed.

The custom malware delivered by Palmerworm is:

  • Backdoor.Consock
  • Backdoor.Waship
  • Backdoor.Dalwit
  • Backdoor.Nomri

The publicly available tools that help Palmerworm install itself and scan the network include:

  • PuTTY – gives hackers remote access
  • PsExec – used to run commands on a Windows network
  • SNScan – scans the network to find other possible targets
  • WinRAR – archiving tool used to transfer data to the hacker, hide malware and extract it on a new target

The backdoor malware gives hackers a high level of access across devices. Once an attacker has full control of one device, the malware can be spread to other devices on the network. The network reconnaissance and administration tools help the attacker find additional vulnerable devices on which backdoors and remote control can be established.

Palmerworm is not a new advanced persistent threat. It has been in existence since 2013, so strong anti-malware programs can detect the backdoors and prevent them being downloaded to a device. Organizations with enterprise-level anti-malware should have it installed on all devices, including desktops and mobile devices.

As Palmerworm is presumed to start with a phishing campaign, it is more important than ever to use email filters. Content filters will also prevent users from accessing malicious sites where hackers could host Palmerworm malware and trick users into installing it. Email filters will block malicious emails with attachments that could contain Palmerworm malware or macros that would download it from a hacker-controlled server.

Training users on the dangers of phishing and identifying red flags linked with phishing also helps. Users with adequate education are less likely to install malicious content or open attachments. They will also be aware of suspicious links from unknown senders.

TitanHQ supplies a cloud-based email filtering solution that blocks Palmerworm and other advanced persistent threats. By implementing the cloud-based WebTitan platform, your organization will be safeguarded from Palmerworm and other web-based attacks that require users to first visit a hacker-controlled site from which malware is downloaded and installed.


HMRC Phishing Scam Sees UK Businesses Targeted

UK companies are the victims of a recent scam campaign in which cybercriminals pretend to be agents of Her Majesty’s Revenue and Customs (HMRC). A number of spam campaigns have been identified over the past weeks that take advantage of the measures implemented by the UK government to help companies through the COVID-19 pandemic and the forced lockdowns that have stopped companies from operating or forced them to scale back operations severely.

The HMRC scams have been widespread and varied, targeting companies, the self-employed, furloughed workers and others via email, telephone and SMS. A number of the attacks include threats of arrest and jail time for underpayment of tax, demanding payment over the phone to prevent court action or arrest.

One scam focused on clients of Nucleus Financial Services and used an authentic communication from the firm as a template; the original email appears to have been obtained from a hacked third-party email account. The email told recipients that they were entitled to a tax refund from HMRC and directed them to click a link in order to receive it. To apply for the refund the user must hand over sensitive information via the website, which is captured by the hackers.

A separate campaign has been discovered that also impersonates HMRC and similarly seeks sensitive information such as bank account and email details. It exploits a scheme the UK government launched to help businesses through the nationwide lockdown, which allowed them to defer VAT payments due between March and June 2020 until June 2021. Many companies took advantage of the scheme and applied to have their Value Added Tax (VAT) payments pushed back.

The campaign uses emails that spoof HMRC and inform companies that their application to defer VAT payments has been rejected because the company is in arrears. The emails carry an attachment said to contain further information and a report on the application. The document is password protected, and the password is supplied in the email so the file can be opened.

A hyperlink is provided that takes the user to a website where they are asked to provide sensitive information, including their bank account details and their email address and password, all of which are captured by the hackers.

COVID-19 has given scammers a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls and text messages are believable, the messages are well composed, and the hackers have gone to lengths to make their phishing websites look like the entities they are impersonating.

Companies should be on high alert and particularly wary of phishing scams. They should warn their staff to take extra care with any request that requires the disclosure of sensitive details.

Technical controls should also be implemented to block phishing emails at source and prevent visits to malicious websites. TitanHQ can help with this. TitanHQ offers two anti-phishing solutions for companies and MSPs to help them prevent phishing attacks: SpamTitan and WebTitan.


Higher Incidence of Exploit Kit Activity on Adult Ad Networks Reported

Malwarebytes has recently released a report showing that a campaign is using the Fallout exploit kit to distribute Raccoon Stealer via popular adult websites.

The attack was reported to the ad network and the malicious advert was taken down. However, it was soon replaced with an advert sending visitors to a site hosting the Rig exploit kit. A separate campaign was then discovered, run by another threat actor known for targeting adult ad networks. Its malicious adverts were served via a wide range of adult websites, including one of the most popular adult sites, which boasts more than 1 billion page views a month.

The threat actor bid only for Internet Explorer users, as the exploit kit included an exploit for an IE flaw. The flaws exploited were CVE-2019-0752, an Internet Explorer vulnerability, and CVE-2018-15982, a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered along with Raccoon Stealer and ZLoader.

For an exploit kit to be effective, the computer must have an unpatched flaw for which the kit carries an exploit. Prompt patching is almost always one of the most effective ways to ensure these attacks do not succeed. It is also important to stop using Internet Explorer and Flash Player, as vulnerabilities in both are frequently exploited.

These campaigns can also be easily prevented by using a web filter. Unless your business works in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter lets your business block access to all adult websites, and to other categories of web content that employees should not be accessing in the office.

A cloud-based web filter such as WebTitan is a cost-effective option that can safeguard against web-borne attacks such as exploit kits and drive-by malware downloads, while also helping companies improve productivity by stopping staff from viewing websites that have no work purpose. Web filters can also reduce legal liability by preventing employees from participating in illegal online activities, such as downloading copyright-infringing files.

Once configured – a quick process – access to specific categories of website can be blocked with the click of a mouse, and staff will be stopped from viewing websites known to host malware, phishing kits and other dangerous content.

For more details on WebTitan and protecting your company from web-based attacks contact TitanHQ now.

Webinar Sept 22, 2020 – How Email Archiving Can Ensure Business Continuity with a Remote Workforce

Businesses have been forced to change their working practices as a result of COVID-19. The lockdowns introduced by governments around the world have meant businesses have had to rapidly change from an office-based workforce to having virtually everyone working remotely.

The restrictions on office work may have now eased, and employees are starting to be encouraged to return to working from the office, but remote working to some extent is now here to stay.

Most businesses have coped well with the new remote working environment. Many report that their employees have been just as productive, if not more productive, working from home. However, remote working is not without its challenges. Many businesses are concerned about how to ensure compliance with regulations with a remote workforce and how to ensure business and email continuity.

On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss some of the key challenges faced by businesses with a remote workforce and to introduce a solution to keep businesses moving forward when employees are working remotely and ensure business continuity.

During the webinar TitanHQ experts will discuss the following topics:

  • The Current 2020 Technology Landscape
  • Security & Compliance in a time of Global Remote Working
  • Increase in Companies Relying Solely on Office 365
  • Protecting Business Critical Data
  • The Importance of Continuity in the Era of Remote Working

Attendees will also be given a live demo of TitanHQ’s cloud email archiving solution, ArcTitan.

Webinar Information

Title:       How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Date:     Tuesday, September 22, 2020

Time:    London/Dublin: 5:00 pm (GMT +1)  ¦  USA:      12:00 pm ET; 09:00 am PT

Hosts:     James Clayton, ArcTitan Product Specialist  ¦  Derek Higgins, Engineering Manager, TitanHQ



New Phishing Campaign Spoofs Security Awareness Training Company

A new phishing campaign has been discovered that targets businesses in a bid to steal their Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company that provides security awareness training for staff, training that helps companies teach their employees how to recognize a phishing attack.

The emails warn the recipient that a security awareness training module is about to expire and that they have only one day left to complete it. Three links are included in the email that, at face value, look like genuine KnowBe4 URLs; however, they take the user to a phishing page on a compromised website, where Outlook credentials and personal information are stolen using a realistic imitation of the Outlook Web App login page.

Instructions are given for completing the training outside the network, with the user told to enter their username and password before clicking the sign-in button. Doing so, it is claimed, will take the user to the training module. While the site the phishing email links to is realistic, the giveaway is the domain. Many different URLs across a range of sites have been used in this campaign, none of which is linked to the security awareness training provider. However, busy employees may fail to check the URL before disclosing their details.
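One way to automate the domain check the article recommends: the added Python script below (not Cofense's or TitanHQ's code) extracts every link from an HTML email body and flags those whose visible text shows one domain while the href points to another, or whose destination is not the expected vendor domain at all. The vendor domain training-vendor.example and the sample HTML are constructed for illustration.

```python
"""Flag links in an HTML email whose visible text and real destination
disagree, or whose destination is not the training vendor's domain.
Added example; the vendor domain and sample HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VENDOR_DOMAIN = "training-vendor.example"   # constructed stand-in for the real vendor
# Text that merely looks like a URL (with or without a scheme).
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; a simplification (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host part of a URL, or of text that merely looks like one."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_links(html, expected_domain=VENDOR_DOMAIN):
    """Return a finding for every link that fails the domain check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        if dest is None:            # mailto:, tel:, fragments, etc.
            continue
        shown = host_of(text) if URLISH_RE.match(text) else None
        if shown and registrable_domain(shown) != registrable_domain(dest):
            findings.append(f"text shows {shown} but link goes to {dest}")
        elif registrable_domain(dest) != expected_domain:
            findings.append(f"link goes to {dest}, not {expected_domain}")
    return findings


# Constructed body modelled on the lure described above.
SAMPLE_HTML = """
<p>Your security awareness training module expires in 1 day.</p>
<p><a href="https://compromised-site.example/owa/auth/logon.php">https://training.training-vendor.example/modules/phish-101</a></p>
<p>Need help? <a href="https://training.training-vendor.example/support">Contact support</a></p>
<p><a href="http://another-compromised.example/kb4/start">Start the module</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The first link is the classic giveaway: the text a busy employee reads is the vendor's URL, but the href resolves to a compromised site. The third link fails only the second test, which is why a gateway rule should compare every destination against the sender's expected domain rather than rely on look-alike text alone.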

It is a brave move to spoof a cybersecurity company dedicated to phishing prevention; one that may trick staff into believing the email is genuine. Any company can be spoofed in a phishing campaign. Just because the company provides services to tackle phishing does not mean that the email should not be subjected to the usual checks to prove its validity, which is something that should be emphasized in employee security awareness training modules.

Cofense, the group which reviewed the websites, reports that the compromised sites have recently hosted a web shell that allowed the hackers to upload and edit files. The websites had been compromised since at least April 2020, unbeknownst to the site owners. The phishing kit used in this campaign has been installed on at least 30 different websites since the campaign commenced in mid-April.

Employees are sent hundreds of emails each week and spotting all phishing emails can be a complex task, especially when many phishing emails are realistic and are very similar to genuine emails that staff members are sent every day. Security awareness training is crucial, but it is also important to configure an advanced spam filtering solution that is capable of blocking virtually all (in excess of 99.9%) malicious emails.

With an advanced spam filtering solution like SpamTitan configured, these emails can be stopped at source and will not be delivered to end users’ inboxes, negating the danger posed.

How to Spot a Phishing Email

Despite the fact that there are some very straightforward ways to uncover a phishing email that is sent to your network, it still happens that workers are tricked into replying or clicking on links.

Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.

Spotting a Phishing Email

A phishing email can land in your inbox in many different forms. Hackers change their tactics to try and fool staff members into handing over vital information or granting access to databases. You should use these steps, and advise your staff to do the same.

  1. Double Check Who Sent the Email: You need to make sure that the email you received didn’t come from a spoofed address. It might look like it came from a trusted company when there is actually one character changed so as to trick you. Place your mouse pointer on top of the display name and you will be able to see what the real email address is.
  2. Beware of Spelling Mistakes: Review closely for spelling mistakes. If anything seems unusual then you should reconsider how you treat it. In some cases they are intentionally included so as to identify who is easily fooled. Those people will later be sent another spam email to try and take advantage of them.
  3. Urgency Is Typically Used by Phishers: In a phishing email it is likely that you will be implored to complete an action within a stated deadline before you become aware that the sender is not genuine. Urgency is one of the main tools employed by phishers to get people to hand over information. It is vital to take a few seconds extra to verify that the email is from a genuine sender and not a hacker.
  4. Beware of URLs: The aim of most phishing emails is to obtain access credentials or other valuable data. To do so they will try and get you to click on a URL that brings you to a website which hosts malware and can track all your online activity. To prevent this from happening, take a few seconds longer to make sure that the website address is genuine.
  5. Tread Carefully with Email Attachments: Another way that phishers try to infiltrate your device is to include a file in an email that appears to be authentic. However, it will really be downloading tracking software to your device that will steal all sorts of information or lock access to your network until you pay a large ransom.
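
One way to automate checks 1, 3 and 4 above, as an added example that is not part of the original article: the script below parses a constructed sample message with Python's standard email and html.parser modules and reports a display name that claims a brand the address does not belong to, a sender domain one character away from a trusted one, urgency cues in the subject and body, and a link whose visible text disagrees with its real target. The trusted-domain list, the urgency phrases and the sample message are all assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical organization treats as trusted senders (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "knowbe4.com"}
# Phrases that signal the artificial urgency described in point 3 (assumption).
URGENCY_WORDS = ("immediately", "within 24 hours", "one day left", "will be suspended")

# Constructed sample message: lookalike sender, urgent subject, disguised link.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: jane@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Sign in immediately:</p>
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance: one or two edits between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Returns the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_email(raw):
    """Applies the checks above and returns a list of findings (empty means clean)."""
    msg = message_from_string(raw)
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Point 1: the display name claims a brand the address does not belong to.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and sender_domain != trusted:
            findings.append(f"display name claims {trusted} but address is {sender_domain}")
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like {imitated}")
    # Point 3: urgency cues in subject or body.
    body = msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    cues = [w for w in URGENCY_WORDS if w in text]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    # Point 4: the visible link text disagrees with the real target host.
    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if "." in visible and host_of(href) != host_of(visible):
            findings.append(f"link text shows {host_of(visible)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the sample, the checker reports all four indicators. The edit-distance threshold of two is deliberately loose so that single-character swaps such as the digit 1 for the letter l are caught; a production filter would also consult a list of the organization's own domains and the spelling-mistake heuristic in point 2, which is hard to express as a rule.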

Business Anti-Phishing Solutions

There are many different options that you can choose from, and TitanHQ has created a couple of strong anti-phishing services to help secure your network. The spam detection rate reported by its SpamTitan service has reached 99.97%. This is achieved using a range of checks such as RBL checks, Bayesian analysis, heuristics, machine learning methods to spot zero-day attacks, and the Sender Policy Framework (SPF) to prevent email impersonation campaigns. Dual antivirus engines are deployed in order to spot malware, and sandboxing is used to discover dangerous email attachments. Their other solution, WebTitan, is a DNS filtering solution that can prevent web-based phishing attacks by blocking staff from viewing prohibited web pages and by blocking attempts to install malware.


Crucial Security Measures for All Companies

All companies must be aware of the constant danger posed by phishers and hackers, regardless of how big they are or how much profit they report. Phishing is an email attack that uses a lure to trick the recipient and a call to action to get the user to do something – such as downloading a file or visiting a link.

Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.

Four Crucial Phishing Protection Security Tactics

In order for your company to successfully block phishing attacks you need to use four different modes of security:

  1. Web filtering: Hackers are always coming up with new tactics to try and trick people into handing over valuable information or granting access to databases. Spam filters (see below) can be implemented to prevent these attacks from being successful, but you need to be conscious that some attacks will slip through the net almost every day. A web filter refers to a range of blacklists to ensure that the websites you are trying to visit are safe and free from malware and phishing lures.
  2. Spam filtering: Your first line of defense against these emails must be a spam filter, as these can prevent 99.9% of spam, phishing, and malware-laced attacks via email. Using a range of different checks and blacklists of known attackers and origins of attack, they can obstruct many different types of hacking attempts.
  3. Multi-factor authentication: In the unfortunate event of an attack succeeding and your access details being stolen, it is important that you have implemented multi-factor authentication to stop your databases being infiltrated using the stolen details.
  4. End user training: An often-neglected security measure is end user training for your staff. You need to educate them on how to spot phishing emails and hacking attempts. This should be conducted on an ongoing basis, a number of times each year. In addition, phishing simulations are a good idea to test your security measures and properly prepare your staff for any possible cyber attack.

TitanHQ Phishing Security Solutions

TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.

Along with that, the pricing is transparent and compares well with market rivals. To learn more, call TitanHQ now or register for a free trial.

Case Study: Phishing Attack on a Security Awareness Training Group

Companies are always facing attacks from hackers using many different vectors. Email is one of the main ways that they will target a company, typically using a lure email to get someone to download malware or visit a malicious URL that includes tracking cookies that will infiltrate your databases. Once a browser visits this site, the user's information will be available to the hackers.

A recent attack took place on the SANS Institute, a leading information security training and certification group which specializes in anti-phishing guidance. In August 2020, the group made it public that one of its staff members had been taken in by a phishing attack and handed over their database access details. After the details were stolen, a new account was created and a mail forwarder was configured to forward all emails to the hacker's email account. In total, 513 emails were forwarded that included some private data belonging to SANS account holders. Once the attack was discovered it was calculated that the private information of 28,000 SANS members was stolen. Now the attack is being used by the SANS Institute to show people that no group or company is safe.

Even the best trained individual can be taken in by lures, and hackers are constantly changing their methods of attack. A new style of attack may be even more authentic looking than anything that has ever been seen previously, so you always need to be on your guard.

In most cases you can block phishing attacks by using a number of different security layers. The reason for using so many tactics is that one will work if another one doesn’t. As phishing attacks are constantly becoming more successful, using a layered security solution like this has never been more important.

Along with conducting regular end user training and phishing simulation emails to enhance your staff’s awareness of cyber attacks, you will need to deploy an advanced spam filter. Office 365 comes with an entry level of protection called Exchange Online Protection (EOP). However, you will need to add a third-party solution like SpamTitan to prevent more threats from infiltrating your systems. EOP blocks spam, recognized malware and the vast majority of phishing emails, but SpamTitan will greatly improve security against more complex phishing attacks and zero-day malware.

You should also think about using a web filter to prevent the web-based component of phishing attacks from succeeding. When a staff member tries to view a malicious web page that is used to steal login details and other sensitive data, a web filter can stop that website from being viewed.

Using a spam filter, a web filter, and end user training means you will be well secured, but you should also use two-factor authentication. If details are illegally obtained, two-factor authentication can stop those credentials from being used by the hacker to obtain access to the account.


Teleworkers Targets in New Vishing Campaign

An active voice phishing (vishing) campaign is being used to attack workers, from many different industries, who are currently working remotely.

The campaign sees threat actors pretending to be a trusted entity and trying to leverage social engineering tactics to persuade victims to share access to their corporate Virtual Private Network (VPN).

A joint advisory about the attacks has been released by the Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and Infrastructure Security Agency (CISA). This type of attack has grown in popularity in recent times due to the huge increase in remote working during the COVID-19 pandemic.

The attack begins with the hacking group buying and registering domains that are used to host phishing pages that pretend to be the targeted company’s internal VPN login page. SSL certificates are obtained for the domains to make them appear real. Many naming schemes are used for the domains, such as [company]-support, support-[company], and employee-[company]. The cybercriminals then harvest data about company employees.
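
The naming schemes in the advisory are regular enough to watch for. As an added example that is not part of the advisory or the article, the script below checks a constructed feed of newly observed domain names (in practice such a feed would come from certificate transparency logs or a registrar service, which is why the attackers' certificate requests are useful to defenders) against the three advisory patterns for a hypothetical company name, normalizes common digit-for-letter swaps first, and also flags domains that pair the company name with an access-related word. The company name, the extra token list and the sample feed are assumptions.

```python
import re

# Naming schemes from the advisory; {c} stands for the company name.
ADVISORY_PATTERNS = ("{c}-support", "support-{c}", "employee-{c}")
# Access-related tokens often paired with a company name (assumption).
ACCESS_TOKENS = {"vpn", "sso", "login", "portal", "remote"}
# Digit-for-letter substitutions normalized before comparing (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample of newly observed domains, as a CT-log or registrar feed might supply.
NEW_DOMAINS = [
    "examplecorp-support.com",
    "support-examplecorp.net",
    "employee-examp1ecorp.org",
    "examplecorp-vpn-login.com",
    "weather-report.example",
    "examplecorp.com",
]


def classify(domain, company, legitimate=frozenset()):
    """Returns why `domain` looks like an impersonation of `company`, or None."""
    d = domain.lower().strip(".")
    if d in legitimate:  # the organization's own registered domains
        return None
    label = d.split(".")[0].translate(HOMOGLYPHS)
    company = company.lower()
    for pattern in ADVISORY_PATTERNS:
        if label == pattern.format(c=company):
            return f"matches advisory pattern {pattern}"
    if company in label:
        tokens = set(re.split(r"[-_]", label)) - {company}
        if tokens & ACCESS_TOKENS:
            return "company name combined with access-related token"
        return "contains company name"
    return None


def monitor(feed, company, legitimate=frozenset()):
    """Returns (domain, reason) for every suspicious entry in the feed."""
    hits = []
    for domain in feed:
        reason = classify(domain, company, legitimate)
        if reason:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in monitor(NEW_DOMAINS, "ExampleCorp", {"examplecorp.com"}):
        print(f"{domain}: {reason}")
```

Hits from the monitor are a starting point for a takedown request or a block rule on the web filter, not proof of malice; the `legitimate` set keeps the organization's own registrations out of the alert.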

The range of information collected includes names, addresses, personal phone numbers, job titles, and length of time at the company. That information is then used to gain the trust of the targeted staff member.

Employees are then contacted from a voice-over-IP (VoIP) number. Initially the VoIP number was not disguised, but later in the campaign the hackers began spoofing the number to make it appear that the call was coming from a company office or another staff member in the firm. Employees are then told they will be sent a link that they need to click to log in to a new VPN system. They are also told that they will need to respond to any two-factor authentication (2FA) and one-time password (OTP) prompts sent to their phone.

The attackers capture the login information as it is entered into their fake website and use it to log in to the company's real VPN page. They then capture and use the 2FA code or one-time password when the employee responds to the SMS message.

The hackers have also used SIM swapping to bypass the 2FA/OTP step, using information gathered about the employee to persuade their mobile telephone provider to port their phone number to the attacker’s SIM. This ensures any 2FA code is sent directly to the hacker. The threat actors use the access to the company network to steal sensitive data for use in other attacks. The FBI and CISA say the end goal is to profit from the VPN access.

The FBI and CISA recommend that organizations limit VPN connections to managed devices using mechanisms such as hardware checks or installed certificates, restrict the hours during which VPNs can be used to access the corporate network, and use domain monitoring tools to watch web applications for unauthorized access and anomalous activity.

A formal authentication procedure should also be created for employee-to-employee communications over the public telephone network, where a second factor is required to authenticate the phone call before any sensitive data is disclosed.

Organizations should also monitor authorized user access and usage to spot anomalous activity, and employees should be notified about the scam and instructed to report any suspicious calls to their security department.


Email Archiving Departmental Benefits

While it is widely recognized that there are many business advantages to be gained by configuring an email archive to help your organization achieve 100% compliance, there are also many benefits for your individual departments.

When you install an email archive you will have an instant record of everything that happens on your email server, wherever it is located. Email retention is guaranteed and in place for compliance reasons should an audit be required. Additionally, disaster recovery is much easier in the event of a physical disaster or a ransomware attack that leaves the contents of your email server inaccessible. However, there are numerous other advantages to be gained by configuring an email archive, including:

1. IT Staff Email Archiving Benefits

Your IT department will be very happy with the configuration of an email archive, as it will mean that they have instant access to old mails as soon as they are required. This will make it much easier to process staff requests for email recovery. You can also set some email archives to allow staff members access to their own email archives. In the same manner, human resource investigations become much more straightforward. The strain on servers is lower as there is no need to hold archives locally in PST files or on the mail server, which eliminates a significant security risk. Productivity is increased as less time needs to be spent on maintenance, and network performance should be smoother with less pressure on bandwidth.

2. HR & Legal Departments Email Archiving Advantages

As stated previously, HR investigations are easier to conduct using an email archive. These investigations can be completed much more quickly, as IT staff can provide the necessary information in much less time. This will result in the outcomes of HR investigations being known much sooner. eDiscovery requests can also be completed much more quickly and can be processed in a matter of hours rather than days. From a legal standpoint there is an immutable record of emails, which is crucial for all legal actions. Because of this, legal staff can be certain that no emails have accidentally gone missing and can find everything using an audit trail.

3. Staff Advantages

Research produced by Adobe revealed that employees dedicated a massive amount of time to managing email during 2019: on average, 5 hours a day. This is a massive productivity drain. With an email archive nothing will be misplaced, so no time will be spent searching for missing emails.

A 30-day free trial of the ArcTitan email archiving solution is available, which will allow you to ascertain how this solution will assist your organization. If you are considering a change from your existing email archive provider, then call the TitanHQ team now so we can go through the full range of advantages to be gained when you configure our solution.


SBA Loan Phishing Scams Warning Issued to Small Businesses

Many SBA loan phishing scams have been discovered in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login details for fraudulent purposes.

As a result of the hardships suffered by companies due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is making loans and grants available to small companies to help them weather the storm.

Hundreds of millions of dollars have been made available by the U.S. government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and firms during the pandemic. Hackers have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and spread malware and ransomware.

Many phishing campaigns have been initiated since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.

Phishing emails have been shared encouraging small businesses to apply for a loan. One such campaign confirms that the company is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the hackers to apply for a loan on behalf of the business and pocket the funds.

Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been submitted. The emails include an attached form that must be completed and submitted to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, a downloader that can deliver a variety of different malicious payloads.

The same email address used for that campaign was used in a different attack that featured a PDF form requesting bank account information and other sensitive data, which had to be completed and uploaded to a spoofed SBA website.

In recent days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government bodies. The phishing scam relates to an SBA loan application, with the subject line “SBA Application – Review and Proceed.” The emails link to a cleverly spoofed SBA web page, indistinguishable from the authentic login page apart from the URL, that attempts to steal login details. The scam led the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to release an emergency alert warning of the scam.

These SBA loan phishing scams use a range of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and foremost, you should have an advanced spam filtering solution configured, such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams, and uses DMARC and the Sender Policy Framework (SPF) to identify and prevent email impersonation attacks.
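
To show what the SPF and DMARC checks mentioned here actually decide, the following is an added example, not SpamTitan's code and not from the article: a minimal SPF evaluator that resolves a domain's record from a constructed DNS table (standing in for live TXT lookups), supports the ip4, ip6, include and all mechanisms, and then applies the DMARC identifier-alignment rule between the envelope sender domain and the domain in the visible From: header. The record contents and domain names are assumptions; the registrable-domain helper is a two-label simplification of what a real implementation does with the public suffix list.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (assumption).
DNS_TXT = {
    "sba.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluates the SPF record of `domain` for connecting address `ip`.

    Returns one of the RFC 7208 result names: pass, fail, softfail, neutral,
    none or permerror. Only ip4, ip6, include and all are implemented here.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 address is never contained in an IPv6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect: not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def registrable_domain(name):
    """Simplification for the example: the last two labels (real code uses the public suffix list)."""
    return ".".join(name.lower().split(".")[-2:])


def dmarc_spf_aligned(header_from_domain, envelope_from_domain, mode="r"):
    """DMARC SPF alignment: strict mode needs identical domains, relaxed the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == envelope_from_domain.lower()
    return registrable_domain(header_from_domain) == registrable_domain(envelope_from_domain)


def evaluate(ip, envelope_from_domain, header_from_domain):
    """SPF must pass and the passing domain must align with the From: header the user sees."""
    result = check_spf(ip, envelope_from_domain)
    aligned = result == "pass" and dmarc_spf_aligned(header_from_domain, envelope_from_domain)
    return result, aligned


if __name__ == "__main__":
    print(evaluate("203.0.113.45", "sba.example", "sba.example"))      # ('pass', True)
    print(evaluate("192.0.2.1", "sba.example", "sba.example"))         # ('fail', False)
    print(evaluate("203.0.113.45", "sba.example", "sba-loans.example"))  # ('pass', False)
```

The third case is the one that matters for impersonation: a message can pass SPF for whatever domain the attacker put in the envelope while still showing a different, spoofed domain in the From: header, and it is the alignment check, not SPF alone, that catches it.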

Dual antivirus engines detect 100% of known malware, and sandboxing is used to subject attachments to deep analysis to spot malicious code and malware that has not been seen before. Machine learning technology is also used to discover new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.

Before opening any downloaded document or file it should be reviewed using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.

Care should be applied opening any email or email attachment, even emails that are expected. Steps should be taken to prove the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive data.

Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are real. Always carefully review the sender of the email – Genuine SBA accounts end with The display name can simply be spoofed so click reply and carefully check the email address is the proper one. Care should be taken when visiting any website included in an email. Review the full URL of any website to make sure it is the proper domain.

CISA also recommends tracking users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by staff members.

For additional details on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call now.

FBI Issues Netwalker Ransomware Warning

Cyberattacks involving Netwalker ransomware have become much more common, to the point that Netwalker is now one of the biggest ransomware threats of 2020.

Netwalker is a ransomware variant that was previously known as Mailto, which was first seen a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 began advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. Unlike many RaaS offerings, the threat group is being particularly choosy about who it selects to distribute the ransomware and has been trying to build a select group of affiliates with the ability to carry out network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments.

Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation firm, which caused widespread disruption, although the firm claims not to have paid the ransom. Like many other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and used COVID-19 lures in phishing emails to deliver the ransomware payload via a malicious email attachment, opting for Visual Basic Script (.vbs) loader attachments.

Then came attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks growing in June. The University of California San Francisco, which was carrying out research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to crucial research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker group.

The recent attacks have included a change in the style of attack, suggesting the attacks have been the work of affiliates and the recruitment campaign has been effective. Recent attacks have used a variety of techniques, including brute force attacks on RDP servers and exploitation of flaws in unpatched VPN systems, such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been carried out exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.

With the ransoms paid to date, the group is now far better funded and appears to have talented affiliates working at distributing the ransomware. Netwalker has now become one of the largest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen before file encryption and threats are issued to publish or sell the data if the ransom is not paid.

The rise in activity and skill of the group at gaining access to enterprise networks prompted the FBI to release a flash alert warning of the risk of attack in late July. The group seems to be focusing on government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to rise.

Securing yourself from the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to obstruct email attacks, end users should be taught how to recognize dangerous emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is vital. All devices should be running the latest software versions.

Antivirus and anti-malware software should be implemented on all devices and kept up to date, and policies requiring strong passwords should be enforced to stop brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible via the internet to ensure they too are not encrypted in an attack.

Phishing Warning Issued Following Sports Industry Attacks

Football transfers involve huge amounts of money being moved, often electronically, between clubs to bring in new players. If hackers were to insert themselves into the communications between clubs, huge payments could easily be stolen.

This is exactly what happened recently when a scam was conducted against a Premier League football club in England. The hackers obtained access to the email account of the managing director of the club through a phishing campaign, after directing the MD to a domain where Office credentials were harvested. Those details were then used to access the MD’s email account, and the scammers inserted themselves into an email conversation with another club looking to buy a player. Luckily, the scam was detected by the bank and a £1 million fraudulent payment was prevented.

This variety of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are widespread and often successful. They range from straightforward scams to complicated multi-email communications between two parties, where one party believes they are communicating with the real email account holder when they are actually communicating with the scammer. When the time comes to make payment, the scammer supplies their own bank account details. All too often, these scams are not detected until after payment is completed.

That is far from the only cyberattack on the sports sector in recent weeks and months. There have been numerous attempted cyberattacks, which prompted the UK’s National Cyber Security Centre (NCSC) to release a warning advising the UK sports sector to be on high alert.

Before lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential databases, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be called off due to the attack. The ransomware attack is suspected to have also begun with a phishing email.

The recent attacks are not restricted to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past year.

NCSC figures show around 30% of incidents lead to financial losses, with the average loss being £10,000, although one organization lost £4 million in a scam. 40% of the attacks involved the use of malware, which is often sent using spam email. 25% of attacks involved ransomware.

While malware and ransomware attacks are costly and disruptive, the main cause of losses is BEC attacks. Reports released by the FBI show these scams accounted for around 50% of all losses to cybercrime in 2019. $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported. The FBI expects even greater losses this year.

While there are many different attack tactics, email remains the most common vector used in cyberattacks on companies. It is therefore vital to put in place a robust email security solution that can block malicious emails and stop them from being delivered to inboxes.

TitanHQ has created a powerful, advanced email security solution that can help businesses improve their email security measures and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates many threat intelligence feeds, machine learning systems to identify phishing scams, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation campaigns.

If you are worried about email security and want to improve your defenses against email threats, give the TitanHQ team a call now to discover more about SpamTitan and other security solutions that can help you defend your company from cyberattacks.


Phorpiex Botnet Activity Surges with Large-Scale Avaddon Ransomware Campaign

Recently there has been a rise in Phorpiex botnet activity. A botnet is a group of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often in the hope of distributing malware and ransomware. There are known to be approximately 500,000 devices in the Phorpiex botnet globally, and the botnet has been in operation for around 10 years.

The Phorpiex botnet has previously been used for sharing sextortion emails, sharing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was deployed to conduct a huge Avaddon ransomware campaign that resulted in around 2% of companies being targeted globally.

Ransomware attacks have grown in recent times, with many ransomware gangs sharing ransomware manually after obtaining access to corporate networks by exploiting flaws in VPNs and other software or taking advantage of insecure default software configurations. There has also been a rise in ransomware attacks using email as the attack vector. Many ransomware variants are now being primarily shared by email, and Avaddon ransomware was one of the most serious email threats in June. One week in June resulted in over 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. firms.

Avaddon ransomware is a new ransomware variant that was first discovered in June. The operators of Avaddon ransomware are selling their malware as ransomware-as-a-service (RaaS) and have been identifying affiliates to distribute the ransomware for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them look like JPG files on Windows computers. Windows hides known file extensions by default, so in the default configuration the attachment would appear to be named IMG123101.jpg. If Windows had been configured to display known file extensions, the user would see that the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would trigger the installation and execution of Avaddon ransomware.
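The double-extension trick only works because the final extension is hidden while the decoy one stays visible. A mail gateway or attachment scanner can check for exactly that pattern before the file ever reaches a desktop. The following is an added example written for this article, not TitanHQ or SpamTitan code; the attachment names in `SAMPLE_ATTACHMENTS` are constructed to mirror the IMG123101.jpg.js pattern, and the extension lists are an assumption about what a reasonable policy would cover.

```python
"""Flag attachment names that hide a script behind a decoy image/document
extension, the IMG123101.jpg.js trick described above.

Added example for this article; it is not TitanHQ or SpamTitan code. The
file names in SAMPLE_ATTACHMENTS are constructed for the demonstration.
"""
import os
from typing import Dict, List

# Extensions Windows hands to a script host or executes on double-click.
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
    ".bat", ".cmd", ".exe", ".scr", ".com", ".pif", ".lnk", ".msi",
}

# Extensions a recipient reads as a harmless picture or document.
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx",
    ".xls", ".xlsx", ".zip", ".html",
}

# Constructed sample attachment names, not taken from a real campaign.
SAMPLE_ATTACHMENTS = [
    "IMG123101.jpg.js",      # the lure pattern from the Avaddon campaign
    "holiday.JPG.JS",        # same trick, upper-case
    "invoice.pdf",           # ordinary document
    "setup.exe",             # executable, but not disguised
    "README",                # no extension at all
]


def split_extensions(filename: str) -> List[str]:
    """Return every trailing extension, lower-cased, leftmost first.

    'IMG123101.jpg.js' -> ['.jpg', '.js']
    """
    exts: List[str] = []
    base = filename
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Explorer shows: with the default 'hide extensions for
    known file types' setting only the final extension is suppressed, so the
    decoy extension stays visible and the name looks like an image."""
    if not hide_known_extensions:
        return filename
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def classify_attachment(filename: str) -> Dict[str, object]:
    """Describe one attachment name: what the user sees, what actually runs."""
    exts = split_extensions(filename)
    real_ext = exts[-1] if exts else ""
    decoy_ext = exts[-2] if len(exts) >= 2 else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "real_extension": real_ext,
        "executable": executable,
        # A script or binary sitting behind an image/document extension.
        "double_extension_lure": executable and decoy_ext in DECOY_EXTENSIONS,
    }


def names_to_quarantine(filenames: List[str]) -> List[str]:
    """Policy: quarantine any attachment whose real extension is executable,
    disguised or not; the lure flag is kept for reporting."""
    return [n for n in filenames if classify_attachment(n)["executable"]]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(classify_attachment(name))
    print("quarantine:", names_to_quarantine(SAMPLE_ATTACHMENTS))
```

The policy quarantines on the real extension rather than on the lure alone, because a plain `setup.exe` is just as dangerous as a disguised one; the `double_extension_lure` flag is what you would surface to users in awareness training and to analysts in the quarantine report.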

More recently, a campaign was spotted that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments containing malicious Excel 4.0 macros. Unlike JavaScript files, which run as soon as they are opened, Excel macros require the user to enable them, so they are less effective. Even so, a variety of social engineering techniques are used to persuade users to enable the macros, and the attacks still succeed.

Avaddon ransomware searches for a variety of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is given for a Tor site along with a unique user ID to allow the victim to log in and pay the ransom for the keys to unlock the encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery can only be completed if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

Many subject lines have been included in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a 😉 emoji in the body of the email. This tactic is simple, yet effective.

There are many steps that companies can take to stop Avaddon and other email-based ransomware attacks. End user security awareness training should increase awareness of the threat, teach staff how to recognize phishing and malspam threats, and condition them to report suspicious emails to their security department. If possible, macros should be disabled on all end user devices, although the attachment types used change frequently, so disabling macros will not always stop infection.

One of the strongest defenses against email threats such as phishing, malware and ransomware is to deploy a powerful anti-spam solution like SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an extra tier of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to prevent zero-day phishing and malware threats.

For more details on securing your organization from ransomware and other email threats, give the TitanHQ team a call now.

Phishers Leverage Google Cloud Services to Steal Office 365 Credentials

A new phishing campaign has been discovered that leverages Google Cloud Services to trick victims into handing over their Office 365 log in details. This new hacking campaign is part of an increasing trend of disguising phishing attacks using authentic cloud services.

The phishing attack begins like the majority of attacks in that an email containing a hyperlink is sent to the recipient who is then requested to click on it. If the user clicks the link in the email, they are taken to Google Drive where a PDF file has been placed. When the file is clicked on, users are asked to click a hyperlink in the document, which appears to be an invitation to open a file hosted on SharePoint Online.

The PDF file asks the victim to visit the link to sign in with their Office 365 ID. Clicking the link brings the user to a landing page hosted using Google's cloud services. When the user arrives at the landing page, they are shown an Office 365 login prompt that looks exactly like the real thing. After entering their details, they are directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting company.

The campaign has been created to make it look like the victim is simply being taken to a PDF file that has been shared via SharePoint, and the actual PDF file is displayed after the victim has divulged their details. It is therefore possible that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code of the phishing page, which even tech-savvy people would be unlikely to check.

This campaign was discovered by experts at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are authentic and have valid SSL certificates, they are difficult to detect as malicious. This campaign targeted Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add authenticity to the campaigns.

This campaign emphasises the importance of providing security awareness training to the workforce and warning employees about the risks of visiting links in unsolicited emails, even those that link to real domains. An advanced email security solution should also be put in place to prevent malicious emails and ensure the majority of malicious messages are not sent to inboxes. That is an area where TitanHQ can be of assistance.

Hackers Leveraging Inactive Domains to Attack Web Users

Hackers have begun using a new tactic to spread malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to send visitors to malicious websites in a form of malvertising attack.

Malvertising is the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will bring users to a legitimate website, but hackers often sneak malicious code into these adverts. Visiting the link will result in the user being sent to a website hosting an exploit kit or phishing form. In some instances, ‘drive-by’ malware downloads take place without any user interaction, simply because the web content loads and the user has a susceptible device.

The new tactic leverages domains that have expired and are no longer active. These websites may still be listed in search engine result pages for key search terms. When a user enters a search and clicks the link, or uses a bookmark to a previously visited website, they arrive at a landing page explaining that the website is no longer active. A lot of the time that page will include a series of links that direct the visitor to related websites.

What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many existing links to the website, which is better than starting a brand-new website from scratch. These expired domains are then sold to the highest bidder. Experts at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that bring visitors to malicious websites.

When a visitor lands on the site, instead of being shown the auction stub, the stub is replaced with a link to a malicious website. The study found almost 1,000 domains listed for sale on a popular auction site that brought visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to spread the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan places adware on the user’s device. Several of the sites hosted malicious code on the site itself rather than redirecting the visitor to a different website.

These domains were once genuine websites but are now being used for malicious purposes, which makes the threat hard to prevent. In some instances, the sites will display different content based on where the user is located and whether they are using a VPN to connect to the internet. These websites change content frequently, but they are indexed and categorized, and if determined to be malicious they are added to real time block lists (RBLs).

A web filtering solution like WebTitan can add protection from malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being linked the user will be directed to a local block page, addressing the threat. WebTitan can also be configured to block downloads of risky file types from these web pages.

Many groups have put in place firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a vulnerability in their security protections and web-based threats are not effectively tackled. WebTitan allows groups to plug that gap and control the websites that can be accessed by staff.

For more information on WebTitan and filtering the internet, contact the TitanHQ team.

Beware of New Netflix Phishing Scam

Any widely-used platform is a lucrative target for cyber criminals, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not appear to be a main attraction for phishers, a successful attack could give scammers access to credit card and banking details.

Netflix phishing scams are popular, so it is not uncommon to see yet another scam kicked off, but one of the most recent uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it is more difficult for security solutions to access the phishing websites and spot their malicious intent.

This Netflix phishing scam launches with an email like many other Netflix scams that came before. The emails look like they have been sent from the Netflix customer support team and advise the recipient that there has been an issue with billing for the most recent monthly payment. As a result, the subscription will be suspended within the next day.

The Netflix user is given a link to click and told they need to update the information on file. The emails also include links to unsubscribe and amend communication preferences, although these do not work.

As with the majority of phishing scams there is urgency and a threat. Update your details within 24 hours or you will lose access to the service. Clicking the link will bring the user to a fully functioning CAPTCHA page, where they are required to go through the normal CAPTCHA checks to verify they are not a bot. If the CAPTCHA challenge is passed, the user will be brought to a hijacked domain where they are presented with the standard Netflix sign-in page.

They must log in, then they are asked to enter their billing address, along with their full name and date of birth, and are then taken to a second page where they are asked for their card number, expiry date, CVV code, and optional fields for their bank sort code, account number, and bank name. If those details are provided they are told that they have correctly verified their information and they are redirected to the real Netflix page, most likely unaware that they have handed highly sensitive information to the phishers.

There have been many Netflix phishing emails captured over the past few months claiming accounts have been put on hold due to problems with payments. The emails are realistic and very closely resemble the emails sent out regularly by Netflix to service account holders. The emails include the Netflix logo, correct color schemes, and direct the recipients to authentic looking login pages.

What all of these emails have in common is that they link to a domain other than the genuine Netflix domain. If you are sent an email that appears to be from Netflix, especially one that contains some sort of warning or threat, log in to the site by typing the actual domain into the address bar and always make sure you are on the correct website before entering any sensitive details.
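Both the Google Drive/SharePoint chain described earlier and the Netflix emails share one trait a gateway can test for: the links either do not resolve to the brand's own domain, or they sit on a genuine cloud host that merely stages the lure and so deserves inspection rather than trust. The following is an added example written for this article, not SpamTitan or TitanHQ code. It extracts the links from a constructed HTML email body and applies both checks, plus a third for link text that displays the brand's URL while the href points elsewhere. The domain `example-brand.com`, the hostnames and the HTML are constructed, and the public-suffix handling is a deliberate simplification of the Public Suffix List.

```python
"""Audit the links in an e-mail body against the domain the mail claims to
come from: flag hrefs on other domains, hrefs staged on genuine cloud or
file-sharing hosts, and visible link text that contradicts the href.

Added example for this article, not TitanHQ or SpamTitan code. SAMPLE_HTML,
'example-brand.com' and every hostname in it are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Genuine services that phishers use to host the first hop of a lure.
# Policy: "inspect", not "block"; blocking these outright breaks real mail.
CLOUD_STAGING_HOSTS = {
    "drive.google.com", "docs.google.com", "storage.googleapis.com",
    "sharepoint.com", "onedrive.live.com", "1drv.ms",
}

# Minimal two-label public suffixes; a real deployment uses the full PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Constructed message body: one off-brand link, one cloud-staged link, one
# link whose text shows the brand URL but whose href does not, one genuine.
SAMPLE_HTML = """
<p>Your payment failed. <a href="https://account-update.example-captcha.net/verify">Update your details</a>
within 24 hours.</p>
<p>Or open the shared file: <a href="https://drive.google.com/file/d/abc123/view">Open document</a></p>
<p><a href="https://login.evil-host.test/o365">https://www.example-brand.com/login</a></p>
<p><a href="https://help.example-brand.com/billing">Help center</a></p>
<p><a href="mailto:support@example-brand.com">Contact us</a></p>
"""


def registrable_domain(host: str) -> str:
    """Return the registrable (organizational) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_shown_in_text(text: str) -> str:
    """If the anchor text itself looks like a URL or hostname, return its host."""
    shown = text.lower()
    if shown.startswith(("http://", "https://")):
        return urlparse(shown).hostname or ""
    if "." in shown and " " not in shown:
        return shown.split("/")[0]
    return ""


def audit_links(html: str, claimed_domain: str) -> List[Dict[str, str]]:
    """Return one finding per http(s) link with a verdict."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:          # mailto:, tel:, relative links: nothing to resolve
            continue
        reg = registrable_domain(host)
        shown_host = _host_shown_in_text(text)
        if shown_host and registrable_domain(shown_host) != reg:
            verdict = "text-href-mismatch"   # text says one site, href goes to another
        elif any(host == h or host.endswith("." + h) for h in CLOUD_STAGING_HOSTS):
            verdict = "inspect-cloud-host"   # genuine host, but a common lure stage
        elif reg != claimed_domain.lower():
            verdict = "mismatch"             # link leaves the brand's domain
        else:
            verdict = "ok"
        findings.append({"href": href, "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "example-brand.com"):
        print(finding)
```

A single `mismatch` is not proof of phishing (marketing mail routinely links to tracking domains), which is why the verdicts are graded: `text-href-mismatch` is the strongest signal, `inspect-cloud-host` is the one the Google Cloud campaign shows a gateway cannot resolve by domain reputation alone, and `ok` still relies on the claimed domain being checked against SPF/DKIM results elsewhere.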

Trickbot/Qakbot Malware Campaign Signals Resumption of Emotet Botnet Activity

Emotet was the most dangerous malware botnet of 2018 and 2019, but the botnet went quiet on February 7, 2020. It has now reappeared and is being used to spread Trojan malware.

The botnet was spotted as part of a malicious spam campaign on July 17 consisting of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day, and the campaign is now worldwide.

The Emotet botnet is a network of computers infected with Emotet malware, and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the hackers’ command and control (C2) servers and are sent instructions to send out spam emails distributing Emotet malware.

Once the malware is installed, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are initiated following the detection of Emotet, it is common to find other computers with the malware installed.

What makes Emotet so dangerous is that the operators of the botnet partner with other threat groups and deliver other strains of malware. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice has been the TrickBot Trojan. TrickBot is a banking Trojan and information stealer that also acts as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot partner with other malware developers, notably the creators of Ryuk ransomware. Once TrickBot has stolen data, the baton is passed to Ryuk, which will also steal data before encrypting files on the network. The new Emotet campaign began by distributing the TrickBot Trojan, although the payload has since changed to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload, with ProLock often used in the past.

Emotet emails use a range of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets companies, so the lures are business related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are typically personalized, and the threat actors are known to hijack existing email threads and reply to them with malicious documents attached.

An Emotet infection is serious and should be dealt with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.

Luckily, Emotet malware is distributed by email, which gives companies the chance to stop infections. By deploying an advanced spam filter such as SpamTitan, which uses sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and prevent infections.


TitanHQ Upgrades to New ArcTitan Email Archiving Systems

TitanHQ has announced that the ArcTitan cloud email archiving service has benefited from a major upgrade which will greatly enhance performance and reliability. Customers in the EU and US are in the process of being migrated to the new email archiving systems and are being contacted to transfer their accounts to the new infrastructure.

The transfer process has been made as simple as possible for existing customers. TitanHQ will be in touch to provide details of the new ArcTitan account and will talk customers through reconfiguring their connector/mail server to point to the new server. Once the change has been made, all new emails will be sent to the account on the new server. TitanHQ will then verify mail flow and the original account will be closed off to new emails.

During the transition, customers may still need to access emails archived through the old account. Searches can still be performed, and historical mail can be searched and accessed as and when required. The next step involves transferring the old archive onto the new infrastructure. When TitanHQ completes the migration, the customer will be contacted and asked to verify that the archive has been transferred. Once verified, TitanHQ will delete the old account and the archived emails and customers will be able to access their full archive on the new server.

The new email archiving system has been introduced to improve performance and reliability. It uses a high availability system that is self-maintaining and self-healing, offers improved scalability, and ensures archiving can take place with minimal effort and zero downtime.

The new and improved ArcTitan email archiving service is delivered as a high availability Kubernetes architecture, with multiple components working together. The new system ensures that each component is independently available, so should any component go down, due to an outage for example, all other components will still be available. The component that has gone down will be taken offline and automatically repaired, without any effect on the other components.

Archive searches and email recovery are lightning fast, as with the old system. Each email receives a unique identity for its entire lifespan and is fully indexed, including the message headers, subject line, body, sender/receiver, and email attachments. Customers can search millions of emails in seconds. ArcTitan indices are distributed across Apache Solr instances simultaneously, and raw email data is encrypted and stored in Replicated Persistent Storage on Ceph storage clusters, with automated replication and failover.

A high availability database Percona XtraDB MySQL cluster is deployed within Kubernetes for handling all database operations and ArcTitan uses tiered storage on Amazon S3 ensuring reliability, redundancy, and scalability. ArcTitan customers will also benefit from a new, intuitive GUI.


We are sure you will be happy with the changes and improved performance and reliability of the new ArcTitan email archiving system. If you have any questions about the migration to the new ArcTitan systems, give the customer service team a call and they will be happy to answer your questions about the new system and the planned migration.

Preventing Cyberattacks for Managed Services Providers

Managed Service Providers are a lucrative target for hackers. If a threat actor can obtain access to an MSP’s network, they can use the same remote management tools that MSPs use to carry out attacks on the MSP’s clients.

Many businesses are now turning to MSPs for IT support and management services. This is typically the most cost-effective solution, especially when firms lack the in-house IT expertise to manage their networks, applications, and security. An MSP will typically supply IT management services for many different firms. A successful cyberattack on the MSP can result in a threat actor gaining access to the networks of all the MSP’s clients, which makes the attack extremely worthwhile.

There was a marked rise in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched flaws.

Once access has been obtained to an MSP’s network, hackers search for remote management tools such as Webroot SecureAnywhere and ConnectWise which the MSP uses to access its clients’ networks to supply IT services. Several 2019 ransomware attacks on MSPs used these tools to access clients’ networks and install ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019 and ransomware was deployed on their and their clients’ databases.

Kyle Hanslovan, CEO at Huntress Labs, told ZDNet in a recent telephone interview that his company had provided support to 63 MSPs that had been targeted in 2019 but believes the total number of attacks was likely to be more than 100. However, the number of MSPs that have been attacked is likely to be much higher. It is likely that many cyberattacks on MSPs are not even seen.

The attacks have shown no sign of dropping off. Recently the U.S. Secret Service issued a TLP Green alert warning MSPs of a rise in targeted cyberattacks. Compromised MSPs have been used to carry out business email compromise (BEC) attacks to get payments sent to hacker-controlled accounts. Attacks have been carried out on point-of-sale (POS) systems and malware has been deployed that intercepts and exfiltrates credit card data, and there have been several successful ransomware attacks.

Along with hackers, nation state-sponsored hacking groups have also been carrying out cyberattacks on MSPs, notably hacking groups connected with China. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert about the threat to MSPs from state-sponsored hacking groups in October 2019.

There are many best practices that can be implemented by MSPs to improve security and prevent these attacks. MSPs may currently be incredibly busy helping their clients deal with IT issues linked to the COVID-19 pandemic, but given the increase in focused cyberattacks on MSPs, time should be spent improving their own security, not just security for their clients.

The U.S. Secret Service advises MSPs to keep up to date on patching, especially patches for any remote administration tools they use. ConnectWise issued a security advisory last month and patched a vulnerability in the ConnectWise Automate solution. The API vulnerability could be exploited remotely by a threat actor to execute commands and/or modifications within an individual Automate instance. Vulnerabilities such as these are actively sought by hackers.

The principle of least privilege should be used for access to resources to restrict the damage inflicted in the event of a breach. It is also wise to have well-defined security controls that are fully compliant with industry standards.

Annual data audits should be completed along with regular scans to identify malware that may have been downloaded on systems. Logging should be turned on, and logs should be regularly checked to spot potentially malicious activity. MSPs should also ensure that their employees receive ongoing security awareness training to teach cybersecurity best practices and how to spot phishing and BEC scams.

Banking Credentials Targeted in iCalendar Phishing Scam

A new phishing campaign has been discovered that uses calendar invites to try and steal banking and email details. The messages in the campaign have an iCalendar email attachment which may trick employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been included in security awareness training.

iCalendar files are the file types used to save scheduling and calendaring information including tasks and events. In this instance, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been issued from a legitimate email account that has been compromised by the attackers in a previous campaign.

As the email comes from a real account rather than a spoofed account, the messages will get around checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.
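The reason this campaign sails past SPF, DKIM and DMARC is worth making concrete: those checks establish that the sending domain is authorized and that the message is aligned with the From: address, and a hijacked mailbox at the real domain satisfies both. The following added example, written for this article and not TitanHQ or SpamTitan code, walks DMARC identifier alignment through two constructed messages: one from a compromised account at the impersonated domain, and one forging the same From: address from attacker infrastructure. `bank.example` and `attacker.example` are placeholder domains, the authentication results are constructed as a receiving MTA would record them, and the public-suffix handling is a simplification.

```python
"""Work through DMARC identifier alignment for two constructed messages: one
sent from a compromised but genuine account, one spoofing the same domain.

Added example for this article, not TitanHQ or SpamTitan code. 'bank.example'
and 'attacker.example' are placeholder domains; the SPF/DKIM results are
constructed to represent what a receiving MTA would have recorded.
"""
from typing import Dict

# Tiny subset of the Public Suffix List, enough for the sample data only.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def organizational_domain(domain: str) -> str:
    """Organizational domain as used for relaxed DMARC alignment."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(msg: Dict[str, object], record: Dict[str, str]) -> Dict[str, object]:
    """msg carries the RFC5322.From domain plus the SPF and DKIM results;
    record carries the parsed DMARC TXT tags (p, aspf, adkim).
    DMARC passes if either SPF or DKIM passed *and* is aligned."""
    from_domain = str(msg["from_domain"])
    spf_aligned = (
        msg["spf_result"] == "pass"
        and is_aligned(str(msg["spf_domain"]), from_domain, record.get("aspf", "r"))
    )
    dkim_aligned = any(
        result == "pass" and is_aligned(d, from_domain, record.get("adkim", "r"))
        for d, result in msg["dkim"]  # type: ignore[union-attr]
    )
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        # The policy (none/quarantine/reject) only applies to failures.
        "disposition": "none" if passed else record.get("p", "none"),
    }


# Constructed DMARC record for the impersonated bank: reject on failure.
BANK_DMARC = {"p": "reject", "aspf": "r", "adkim": "r"}

# Mail sent through the bank's own servers from a hijacked mailbox: SPF
# passes for a bank subdomain and the DKIM signature is the bank's own.
COMPROMISED_ACCOUNT_MSG = {
    "from_domain": "bank.example",
    "spf_result": "pass",
    "spf_domain": "mail.bank.example",
    "dkim": [("bank.example", "pass")],
}

# Mail forging the bank's From: address but sent from attacker infrastructure:
# SPF and DKIM both pass, but for the wrong domain, so nothing is aligned.
SPOOFED_MSG = {
    "from_domain": "bank.example",
    "spf_result": "pass",
    "spf_domain": "attacker.example",
    "dkim": [("attacker.example", "pass")],
}


if __name__ == "__main__":
    print("compromised account:", evaluate_dmarc(COMPROMISED_ACCOUNT_MSG, BANK_DMARC))
    print("spoofed sender:     ", evaluate_dmarc(SPOOFED_MSG, BANK_DMARC))
```

The spoofed message is rejected even though its SPF and DKIM checks individually pass, because neither identifier aligns with the From: domain. The compromised-account message passes cleanly, which is exactly the point of the iCalendar campaign: domain authentication tells you the mail came from where it says it did, not that the account holder sent it, so content and link analysis still have to run on authenticated mail.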

As with most phishing campaigns, the hackers use fear and urgency to get users to click without thinking about the legitimacy of the request. On this occasion, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been marked as suspicious. This campaign is aimed at mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is clicked on, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is visited, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have authentic SSL certificates, so they may not be marked as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the actual bank website.

The user is then asked to type their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the hacker and the information will be used to gain access to the accounts. To make it appear that the request is authentic, the user will then be directed to the legitimate Wells Fargo website once the information is handed over.

There are warning signs that the request is not authentic, which security conscious people should identify. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website is suspect, and the request to only open the file on a mobile device is not explained. The phishing website also requests a lot of information, including an email address and password, which are not relevant to a bank login.

These flags should be enough to alert most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and reaches inboxes is a danger.

Returning Office Workers Targeted by Phishing Scam

A new phishing campaign has been discovered that targets remote workers who will soon be going back to their place of work. The campaign emails claim to include information on coronavirus training. The campaign is one of the most genuine-looking phishing scams seen in recent weeks, as it is plausible that returning to the office after lockdown would involve some changes to workplace procedures to keep workers safe.

This campaign focuses on Microsoft Office 365 users and tries to steal users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are precise and to the point.

They state: “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to use to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Visiting the link will direct the user to a malicious website where they are asked to enter their Office 365 credentials.

This campaign, like many others seen over the past few weeks, closely follows world events. At the start of the pandemic, when there was little data available about COVID-19, phishers were offering new information about COVID-19 and the novel coronavirus. As more countries were affected and cases were increasing, information was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have been amended once again.

Campaigns have been discovered in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections, warning users that they need to buy a COVID-19 test. Another campaign targeted parents who are suffering financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been seen about free school dinners over the summer, now that the UK government has said it will be providing support to parents.

There have been many campaigns that have taken advantage of the prominence of the Black Lives Matter movement in the aftermath of the death of George Floyd. One campaign asked recipients of the email to register their opinions about Black Lives Matter and submit a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly show is the fluid nature of phishing, with lures regularly changed to reflect global events and maximize the chance of the emails being opened. They show that users must remain on their guard, be alert to the threat from phishing, always take time to consider the legitimacy of any request, and carry out a series of checks to determine whether an email is what it claims to be. This can be addressed through security awareness training, which should be given to employees regularly.

Of course, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is crucial to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to spot new phishing scams, along with measures to detect previously unseen malware variants. As an extra layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware installations. In tandem with security awareness training, these solutions will help you to mount a strong defense against phishing attacks.

Black Lives Matter Malspam Campaign Conducted by TrickBot Malware Operators

As the COVID-19 pandemic has clearly indicated, hackers are quick to adapt their phishing and malware campaigns in response to global and local happenings. New lures are quickly developed to maximize the probability of success.

In the initial stages of the pandemic, when very little knowledge was available regarding SARS-CoV-2 and COVID-19, there was huge public worry and hackers used this to their advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly amend their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus began to spread globally and there was a huge appetite for information about the virus and local clusters.

It is therefore no shock to see the TrickBot operators adopt a new lure linked to Black Lives Matter. There were huge protests in the United States after the death of George Floyd at the hands of a police officer, and those protests have spread around the world. In many countries the headlines have featured stories about Black Lives Matter protests and counter protests, and the public mood has presented another possibility for the gang.

The most recent TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been designed to appeal to individuals both for and against the protests. The emails include a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are possible.

The emails ask the user to open and complete the form in the document to file their anonymous feedback. The Word document contains a macro which users are requested to enable to allow their feedback to be provided. Doing so triggers the macro, which installs a malicious DLL, which in turn installs the TrickBot Trojan.
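Both this campaign and the Avaddon Excel 4.0 campaign described earlier rely on a macro the user is talked into enabling, so a gateway that can tell whether a document carries macro content at all never has to trust the user's judgement. The following added example, written for this article and not TitanHQ or SpamTitan code, inspects Office Open XML attachments (.docm, .xlsm and friends) for the two indicators that matter here: a `vbaProject.bin` part, which carries VBA macros, and an `xl/macrosheets/` part, which carries Excel 4.0 (XLM) macro sheets. Legacy binary .doc and .xls files, like the e-vote_form_3438.doc attachment named above, are OLE2 containers rather than zip archives and need a dedicated OLE parser, which this example does not include. The sample documents are built in memory and are constructed, not real malware.

```python
"""Flag Office Open XML attachments that carry VBA or Excel 4.0 macro content.

Added example for this article, not TitanHQ or SpamTitan code. Legacy .doc/.xls
(OLE2) files need a separate OLE parser; this covers only the zip-based OOXML
formats, where the indicators are plain archive member names. The sample
documents below are constructed in memory so the check runs offline.
"""
import io
import zipfile
from typing import Dict

# VBA macro storage part for Word, Excel and PowerPoint OOXML packages.
VBA_PROJECT_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Excel 4.0 (XLM) macro sheets live under this prefix in .xlsm/.xlsb packages.
MACROSHEET_PREFIX = "xl/macrosheets/"


def inspect_ooxml(data: bytes) -> Dict[str, bool]:
    """Report whether the bytes are an OOXML package and which macro
    indicators are present. Non-zip input is reported, not raised on."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return {"ooxml": False, "vba": False, "xlm": False}
    return {
        "ooxml": "[Content_Types].xml" in names,
        "vba": bool(names & VBA_PROJECT_PARTS),
        "xlm": any(n.startswith(MACROSHEET_PREFIX) for n in names),
    }


def should_quarantine(data: bytes) -> bool:
    """Policy: hold any OOXML attachment with VBA or XLM macro content for
    sandbox analysis; macro-free documents pass through."""
    result = inspect_ooxml(data)
    return result["vba"] or result["xlm"]


def build_sample(members: Dict[str, object]) -> bytes:
    """Assemble a minimal zip package from a name -> content mapping.
    Only the member names matter for the check; bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean .docx, a .docm with a VBA project, and an
# .xlsm carrying an Excel 4.0 macro sheet.
CLEAN_DOCX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder-vba-project",
})
XLM_XLSM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>",
})


if __name__ == "__main__":
    for label, blob in [("clean.docx", CLEAN_DOCX), ("form.docm", MACRO_DOCM),
                        ("invoice.xlsm", XLM_XLSM)]:
        print(label, inspect_ooxml(blob), "quarantine" if should_quarantine(blob) else "deliver")
```

The check is deliberately structural: it does not try to decide whether a macro is malicious, only whether one is present, which is the question a gateway can answer reliably before handing the file to a sandbox for the behavioural verdict.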

TrickBot is primarily a banking Trojan, but it is modular and frequently updated with new functions. The malware gathers a range of sensitive information, can exfiltrate files, can move laterally, and can install other malware variants. TrickBot has been widely used to install Ryuk ransomware as a secondary payload once the TrickBot gang has achieved its main objective.

The lures used in phishing and malspam emails change frequently, but the emails distribute the same threats. Security awareness training can help improve resilience against phishing threats by teaching employees how to treat unsolicited emails. Making employees aware of the latest tactics, techniques, and procedures, and of the social engineering tricks being used to spread malware, will help them spot threats that land in their inboxes.

No matter what trick is used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch, so that malware and malicious scripts are detected and blocked before they land in end users’ inboxes. That is an area where TitanHQ can be of assistance.

SpamTitan Cloud is a strong email security solution that provides protection against all email attacks. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing supply protection against zero-day malware and phishing attacks. No matter what email system you deploy, SpamTitan adds a vital extra layer of security to block threats before they land in inboxes.

For additional information on how you can enhance protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call now.

Rockingham School District Emotet Malware Infection Cost $314,000 to Address

In November 2018 the Rockingham school district in North Carolina suffered an Emotet malware infection that cost a massive $314,000 to resolve.

The malware was delivered using spam emails sent to multiple users’ inboxes. The attack used a ploy often employed by hackers to get users to install malware.

The emails appeared to have been sent by the anti-virus supplier used by the school district, with the subject line ‘incorrect invoice’ and what was claimed to be the correct invoice sent as an attachment. The emails were believable and looked like many other legitimate emails received on a daily basis.

The emails asked the recipient to open and check the attached invoice; however, doing so would result in malware being downloaded and installed on the recipient’s device.

Not long after those emails were received and opened, staff started to experience problems. Internet access appeared to have been disabled for some users, and the district began receiving reports from Google that email accounts had been disabled for spamming. The school district investigated and discovered that several devices and servers had been infected with malware.

Emotet malware is a network worm that can spread itself across a network. Infection of one machine results in the worm being sent to other vulnerable devices. The worm drops a type of banking malware on infected devices that is used to steal victims’ credentials, including online banking details.
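The first outward sign in this incident was not the worm itself but its side effect: internal hosts pushing out enough mail that Google disabled the accounts for spamming. That is a signal a mail administrator can catch earlier from the gateway's own logs. The Python script below is an added example, not from the page or from TitanHQ: it correlates Postfix-style smtpd and qmgr log lines by queue id, aggregates outbound volume per submitting client IP, and flags hosts that exceed a message count, a recipient count, or a number of distinct sender addresses (a worm that has harvested credentials on a box tends to send as several people). The log lines, host names, IP addresses and thresholds are all constructed for this example; tune the thresholds from your own baseline.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Two Postfix log line shapes, correlated by queue id: smtpd records which
# client submitted the message, qmgr records sender and recipient count.
CLIENT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)
QMGR_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def correlate(lines: Iterable[str]) -> Dict[str, dict]:
    """Join smtpd and qmgr lines on queue id; keep only fully described messages."""
    messages: Dict[str, dict] = defaultdict(dict)
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            messages[m["qid"]].update(ip=m["ip"], host=m["host"].strip())
            continue
        m = QMGR_RE.match(line)
        if m:
            messages[m["qid"]].update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
    return {q: r for q, r in messages.items() if "ip" in r and "nrcpt" in r}


def find_spamming_hosts(lines: Iterable[str], max_messages: int = 10,
                        max_recipients: int = 100, max_senders: int = 3) -> Dict[str, dict]:
    """Aggregate per submitting client IP and flag hosts that exceed any threshold.

    Thresholds are illustrative (assumed values); derive real ones from the
    normal outbound volume of a workstation in your environment.
    """
    per_ip = defaultdict(lambda: {"host": "", "messages": 0, "recipients": 0, "senders": set()})
    for rec in correlate(lines).values():
        agg = per_ip[rec["ip"]]
        agg["host"] = rec["host"]
        agg["messages"] += 1
        agg["recipients"] += rec["nrcpt"]
        agg["senders"].add(rec["sender"])
    flagged = {}
    for ip, agg in per_ip.items():
        reasons = []
        if agg["messages"] > max_messages:
            reasons.append(f"{agg['messages']} messages (> {max_messages})")
        if agg["recipients"] > max_recipients:
            reasons.append(f"{agg['recipients']} recipients (> {max_recipients})")
        if len(agg["senders"]) > max_senders:
            reasons.append(f"{len(agg['senders'])} distinct sender addresses (> {max_senders})")
        if reasons:
            flagged[ip] = {"host": agg["host"], "messages": agg["messages"],
                           "recipients": agg["recipients"],
                           "senders": sorted(agg["senders"]), "reasons": reasons}
    return flagged


def constructed_sample_log() -> List[str]:
    """Constructed log lines: one quiet workstation and one host in a sending burst."""
    lines = []
    # Two ordinary messages from a staff workstation.
    for i, (qid, n) in enumerate([("A1B2C3", 1), ("D4E5F6", 3)]):
        lines.append(f"Nov 14 09:{i:02d}:00 mail postfix/smtpd[2101]: {qid}: "
                     f"client=ws-021.district.local[10.0.5.21]")
        lines.append(f"Nov 14 09:{i:02d}:00 mail postfix/qmgr[2050]: {qid}: "
                     f"from=<teacher1@district.example>, size=2048, nrcpt={n} (queue active)")
    # Twelve messages in a few minutes from one host, rotating through four
    # sender addresses and hitting 40 recipients each.
    senders = ["teacher2", "admin1", "coach", "office"]
    for i in range(12):
        qid = f"B{i:05X}"
        lines.append(f"Nov 14 09:1{i % 10}:{i:02d} mail postfix/smtpd[2101]: {qid}: "
                     f"client=ws-044.district.local[10.0.7.44]")
        lines.append(f"Nov 14 09:1{i % 10}:{i:02d} mail postfix/qmgr[2050]: {qid}: "
                     f"from=<{senders[i % 4]}@district.example>, size=51200, nrcpt=40 (queue active)")
    return lines


if __name__ == "__main__":
    for ip, info in find_spamming_hosts(constructed_sample_log()).items():
        print(ip, info["host"], "; ".join(info["reasons"]))
```

Run against a real maillog the same correlation works unchanged; the point of joining on the queue id is that the client IP and the recipient count never appear on the same line, so a per-host count is impossible without it.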

Emotet is a very advanced malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how troublesome Emotet infections can be when it attempted to remove the worm. The school district was able to clean some infected machines by reimaging them; however, the malware simply re-infected those devices.

Addressing the attack required assistance from security experts. 10 ProLogic ITS engineers spent approximately 1,200 on site reimaging machines. 12 servers and around 3,000 endpoints had to be reimaged to remove the malware and stop reinfection. The cost of the cleanup ran to $314,000.

Attacks such as this are far from unusual. Cybercriminals exploit a wide range of weaknesses to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness among staff members. Malware can similarly be downloaded by exploiting unpatched flaws in software, or through drive-by downloads over the Internet.

To safeguard against Emotet malware and other viruses and worms, layered defenses are necessary. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can detect unusual user behavior, antivirus solutions can detect and stop infections, and web filters can block web-based attacks and drive-by installations. End users are the last line of defense and should therefore be taught how to recognize malicious emails and websites.

Only a combination of these and other cybersecurity measures can keep organizations safe.

TitanHQ Secures Investment from UK Private Equity Firm Livingbridge

TitanHQ has announced that the company has secured investment from Livingbridge, one of the UK’s leading mid-market private equity firms. Livingbridge has offices in the UK, the US and Australia and invests in companies with a value of up to £200 million.

Livingbridge has been investing in firms for two decades, during which time more than 150 companies have benefited from investment and have thrived with the injection of capital. Many of the firms Livingbridge has invested in have gone on to become household names.

TitanHQ similarly has a history spanning two decades. The company was formed as Copperfasten Technologies in 1999 in Galway, Ireland where the company is still based. The firm started life selling spam filtering appliances to companies in its native Ireland and has since grown into a truly global company with its solutions used by companies in 150 countries around the world.

TitanHQ has developed three SaaS-based solutions – SpamTitan Email Security, WebTitan Web Security, and ArcTitan for email archiving. These solutions have multiple deployment options, with the cloud-based deployments proving hugely popular. The solutions have been adopted by more than 8,500 businesses around the world and have been incorporated into the security stacks of more than 2,500 managed service providers (MSPs).

TitanHQ now has an ARR of $15 million and is the leading provider of cloud-based security solutions to managed service providers serving the SMB market. TitanHQ has recorded impressive, consistent growth and as more companies have adopted WFH initiatives, its security solutions have been in even greater demand.

Livingbridge identified TitanHQ as an attractive target for investment, thanks to the company’s strong growth and proven track record for delivering powerful and popular SaaS solutions.

Livingbridge used its Enterprise 3 fund, which is set aside to invest in fast-growing companies up to the value of £50 million. The funds will be used to accelerate TitanHQ’s ambitious growth plans and will be used to increase investment in product development and people.

“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said Ronan Kavanagh, Chief Executive Officer of TitanHQ.

“We are delighted to be partnering with TitanHQ, a uniquely positioned business with a well-differentiated product portfolio operating in a fast-growing, attractive market that is benefiting from strong macro tailwinds,” said Nick Holder, Director at Livingbridge. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfil the company’s potential.”

Bill Mc Cabe’s Oyster Technology Investments invested in TitanHQ at inception and will continue to maintain a significant stake in the business.

MVP GrowthFest: A Virtual MSP Event Featuring Magic Johnson and TitanHQ

The worldwide COVID-19 pandemic has forced businesses to make huge changes very quickly. Many managed service providers have shown resilience and met the challenge head on, showing that while we are now living in very uncertain times there are opportunities for expansion.

Efficient MSPs have not only adapted their businesses to ensure their survival, they have identified the opportunities, are gaining considerable growth momentum and have shown it is possible to prosper in spite of a very challenging economy.

At MVP GrowthFest on June 23, 2020 you will discover how successful MSPs are turning adversity into growth and profit, and you will learn from an all-star line-up of Channel experts about the state of the Channel and what you must do to adapt to these challenging times. You will also be given guidance on the steps you can take now to ensure success, grow your business and prosper.

MVP GrowthFest is a 3-hour virtual event that will supply valuable insights and advice that can be used immediately to help you expand your business. The event is being headlined by a conversation with Earvin “Magic” Johnson Jr., the 3-time NBA MVP Award winner.

Matt Solomon, VP of Business Development at ID Agent, will be chatting to Magic Johnson, who will explain how he succeeded by overcoming obstacles during his lifetime, and how tenacity and commitment to the community were key to his success.

MVP GrowthFest will be celebrating the energy that powers growth and the drive to thrive during challenging times and, along with the interview, MSPs will hear from 15 Channel all-stars in four powerhouse panels.

TitanHQ is happy to announce that Sales Director Conor Madden will be leading the panel in the security session titled “Leading with Security through Education.” The key to selling products in your security stack is to inform your clients about the need for cybersecurity. Given that cyber actors have been attacking companies with increased vigor during the pandemic, positioning your security stack front and center is the sensible step.

TitanHQ can provide web and email security solutions that will not only keep you and your clients safe, they can be efficiently set up in your security stack and easily packaged. Plus, a very competitive price point means they are affordable for your clients, and generous margins will help you improve your bottom line.

Also attending the security powerhouse are:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Attendees will also get to hear from Channel leaders in three additional Powerhouse sessions that will provide invaluable advice on how to grow your business and boost profits during the current crisis.

Managing Through Change

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is mandatory.


MVP GrowthFest: A Must Attend Virtual MSP Event Featuring TitanHQ and Magic Johnson

The Channel has shown considerable strength and resilience during the COVID-19 pandemic. Managed service providers have adapted to a new way of working during lockdown and now that the economy is opening up once again are looking to increase growth and boost profits.

Many MSPs have already gained growth momentum and, despite the uncertain times, are managing to grow their business and succeed even with an extremely challenged economy. MVP GrowthFest will help you become one of the MSP success stories of the pandemic.

On June 23, 2020 at MVP GrowthFest you will hear from Channel All-Stars who will help you through these challenging times. They will provide insights into the current state of the Channel, along with actionable advice that you can use to adjust your business to drive growth and succeed.

MVP GrowthFest celebrates the energy that powers growth and the drive to thrive during challenging times. The 3-hour virtual event is being headlined by none other than the 3-time NBA Most Valuable Player (MVP) Award winner, Earvin “Magic” Johnson Jr.

Magic Johnson will be interviewed by Matt Solomon, VP of Business Development at ID Agent, and will explain how he has overcome many challenges throughout his life, and how his success came through a combination of talent, tenacity, and commitment to the community.

MVP GrowthFest provides a great opportunity for learning through four powerhouse panels consisting of 15 Channel all-stars. The first powerhouse panel – Security – is led by TitanHQ Sales Director, Conor Madden. Conor will be explaining the importance of “Leading with Security through Education.” Selling security through education is essential and should be first and foremost in the modern-day MSP tech stack.

TitanHQ has developed MSP-friendly web and email security solutions that can be efficiently implemented into your security stack and packaged easily with your existing security offerings. These solutions are affordable for clients, will keep them well protected from the increasing number of threats that have emerged during the pandemic, and they are offered with generous margins to help boost MSP profits.

At the security powerhouse, attendees will also hear from:

  • Jon Murchison – CEO, BlackPoint Cyber
  • Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
  • Jessvin Thomas – President & CTO, SKOUT

Three further Powerhouse sessions will be taking place at MVP GrowthFest to give you important insights into how successful MSPs are succeeding during the pandemic.

Managing Through Change

  • Dan Wensley – CEO, Warranty Master
  • Joe Alapat – CEO & Founder, Liongard
  • Ryan Walsh – Chief Channel Officer, Pax8

Establishing Trust in the New Normal

  • Dave Goldie – Vice President of Channel, Cytracom
  • Ted Roller – Channel Chief, ConnectBooster
  • Andra Hedden – CMO, Marketopia
  • Frank DeBenedetto – Founder, AudIT

Leading & Accelerating through the Recovery

  • Tim Conkle – Founder, The 20
  • Dennis O’Connell – Vice President, Taylor Business Group
  • Ted Roller – Channel Chief, Zomentum

Advance registration is required.


Remote Workers Should Enhance Cybersecurity Now

As remote-working employees are being targeted by hackers, the time has never been better to enhance home-working cybersecurity measures.

The threat faced by companies that have quickly moved to a largely at-home workforce should not be underestimated. When most people were working in the office, within the protection of the corporate firewall, IT departments could keep hackers at bay. Any staff who were authorized to work from home could be given a laptop with security protections appropriate for the heightened level of risk.

Moving the complete workforce from the office to attics, basements, kitchens, and spare rooms in a very short space of time has meant that shortcuts have had to be taken. Many SMBs have had to shift quickly and have not had enough time to provide additional training to their at-home workers. The laptop computers now being used by their employees have had to be supplied quickly, and they lack the security measures that would normally be in place. Some companies are even allowing personal computers to be used out of necessity. Hackers have been rubbing their hands with glee at the new targets and the ease with which they can attack companies.

Lockdowns are now being lifted and people are being encouraged to return to work, but further increases in cases are likely as a result, and with social distancing in the office problematic for many companies, many employees will still need to work from home. To minimize the risk of those employees falling for a phishing scam or inadvertently installing malware or ransomware, additional cybersecurity measures should be put in place.

You will more than likely already have an email security solution to defend against the most common attack vector, but extra layers of security will greatly enhance your security posture, and one of the most important of these is a web filtering solution. A web filter stops your staff from visiting malicious websites, such as those used for phishing or malware distribution. When an attempt is made to view a malicious website – through a link in a phishing email, a web redirect, or general web browsing – instead of being allowed to view the website, the employee is directed to a local block page that explains the site cannot be viewed because it breaches your internet usage policies.

A web filter can also be used to stop staff from using their work laptops for personal use by blocking websites by category, and as a measure to tackle shadow IT and stop unauthorized software downloads.

WebTitan Cloud lets you enhance cybersecurity for remote workers without requiring any software installations, and it can be set up and protecting your office staff and remote workers quickly.