Cybercriminals are using an increasing range of tactics, techniques and procedures to fool the unwary into disclosing their credentials or installing malware, which is making it hard for end users to distinguish between genuine and malicious messages.
It is common for cybercriminals to purchase lookalike domains for use in phishing scams and for distributing malware. Oftentimes the domains purchased are very similar to the domains they impersonate, aside from one or two changed letters.
For instance, the letters v v could be used in place of a w for a domain spoofing Wal-Mart – e.g. VVal-Mart. In internationalized domain name (IDN) homograph attacks, aka script spoofing, Greek, Latin, and Cyrillic letters are used in domains instead of standard letters. This can lead to domains being almost indistinguishable from the domains they are spoofing, especially since the web pages hosted on those domains include the logos and color schemes used on the official websites.
FBI Warns of Use of Spoofed FBI Domains
Recently the Federal Bureau of Investigation (FBI) issued a warning following the discovery that many FBI-related domain names have been purchased that closely resemble official FBI websites. While these domains are not believed to have been used for malicious purposes to date, it is probable that the individuals registering these domains were intending to use them in phishing attacks, for distributing malware, or for disinformation campaigns. The domains include fbidefense.com, fbimaryland, fbi-ny, fib.ca, fbi-intel.com, fbi.systems, and fbi.health.
These domains can be used to host phishing kits or exploit kits, but the domains can be used to create official-looking email addresses. An email from one of these domains, that has the FBI in the name, could easily scare someone into taking an action demand in the email, such as disclosing their login credentials or opening a malicious email attachment.
Legitimate Cloud Services Leveraged in Sophisticated Phishing Attacks
There have also been phishing campaigns detected in recent weeks that use legitimate cloud services to mask the malicious nature of the emails. Campaigns have been detected that use links to Google Forms, Google Docs, Dropbox, and cloud services from Amazon and Oracle. Emails are sent that include fake notifications with links to these cloud services; however, once the link is clicked, the user is taken through a series of redirects to a malicious website hosting fake Office 365 login prompts that steal credentials.
Several of these campaigns involved checks to make sure the recipient is a real person, with automated responses directed to official domains to prevent analysis. Phishers are also continuing to use typosquatting – the name given to the use of domains with natural typographical errors – to catch out careless typists.
Sophisticated Campaigns Call for Sophisticated Cybersecurity Defenses
The sophisticated nature of today’s phishing and malware campaigns, together with cybercriminals’ constantly changing tactics, techniques, and procedures, mean it is becoming harder for end users to distinguish between genuine and malicious emails. End user security awareness training is still important, but it has never been more important to have effective technical solutions in place to ensure that these threats are identified and blocked before any harm is caused.
The first line of defense against phishing is an email security gateway solution through which all emails need to pass before they reach inboxes. These solutions need to use a range of advanced mechanisms for identifying malicious and suspicious emails, so should one mechanism fail to identify a malicious email, others are in place to provide protection.
SpamTitan from TitanHQ is one such solution that incorporates many layers of protection to detect and block phishing and malware attacks via email. Checks are performed on the message headers, content is analyzed, and machine learning is incorporated to identify never before seen threats, in addition to blacklisting of known malicious email addresses and domains. To block malware threats, SpamTitan uses dual anti-virus engines to block known threats and sandboxing to identify and block zero-day malware threats. Working seamlessly together, these mechanisms will block 99.97% of malicious messages.
An additional anti-phishing solution that you may not have considered is a web filtering solution. Web filters are important for blocking the web-based component of phishing attacks and preventing individuals from visiting sites used for malware delivery. A web filter can also block redirects to malicious websites that hide behind links to legitimate cloud services.
WebTitan from TitanHQ is a smart, DNS-based web filtering solution that uses automation and advanced analytics to block emerging phishing and other malicious URLs, not just those that have been already used in attacks and have been added to blacklists. Through the use of AI-based technology, WebTitan can provide protection from zero-minute threats.
Advanced cybersecurity defenses do not need to be complicated for end users to use. Both SpamTitan and WebTitan have been developed to be easy to implement, use, and maintain. While they incorporate all the required protections and allow advanced users to drill down and analyze threats, they can also easily be used to protect networks and devices by users with little technical skill. The ease of implementation, use, and maintenance together with the superb threat protection are why the solutions are consistently rated so highly on review sites such as Capterra, GetApp, Software Advice, and on Google Reviews.
To improve your defenses against cybersecurity threats delivered via email and via the web, give the TitanHQ a team a call today and find out more about SpamTitan Email Security and WebTitan DNS filtering.
The first known ransomware attack occurred in 1989, but in the years since this form of malware has not proven popular with cybercriminals. That started to change in 2013 with Cryptolocker and the number of attacks – and ransomware threats as continued to grow ever since.
Today, ransomware is one of the biggest malware threats faced by businesses. Ransomware attacks are no longer relatively small campaigns conducted by ransomware developers. Rather than conduct their own attacks, it is now common for ransomware developers to leave the distribution of the ransomware to a network of affiliates. Under the ransomware-as-a-service model, more attacks can be conducted and more ransoms will be paid as a result. Most ransomware operations now operate under this RaaS model and there is no shortage of affiliates willing to distribute the ransomware for a cut of the profits.
While ransomware was once used simply to encrypt files and prevent them from being accessed by businesses unless a ransom was paid for the keys to decrypt files, the Maze ransomware operators started stealing data in 2019 prior to file encryption to add an extra incentive for victims to pay up. Many other ransomware operations followed suit and either threatened to publish the stolen data or sell it on to other cybercriminals if the ransom is not paid.
Data theft prior to file encryption is fast becoming the norm. Coveware, a company that works with ransomware victims to resolve ransomware attacks (often entering into negotiations with the attackers on behalf of its clients), recently published a report that shows half of all ransomware attacks now involve data theft prior to file encryption. It may be possible to recover encrypted data from backups, but that will not prevent the publication or misuse of stolen data.
This tactic has proven to be effective for the ransomware gangs, but there have been many cases where payment of the ransom has not resulted in the deletion of stolen data. In the United States, several victims in the healthcare industry have paid the ransom demand only to receive a second demand for a payment to prevent stolen data from being released.
According to Coveware, the Sodinokibi ransomware gang is known to issue further demands after the initial payment is made, and it has been a similar case with Netwalker and Mespinoza ransomware. The operators of Conti ransomware provide proof that files are deleted after the ransom is paid, but that proof is faked.
Ransom demands are also increasing. The average ransom demand in Q3, 2020 was $234,000, up 31% from the previous quarter according to the Coveware Quarterly Ransomware Report.
The healthcare industry has been extensively targeted by ransomware gangs and attacks have increased during the COVID-19 pandemic. The healthcare industry is heavily reliant on data and attacks aim to encrypt patient data and steal medical records prior to encryption. If the ransom is not paid, the data has a high value and can be sold on easily.
Recently, a joint warning was issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI and the Department of Health and Human Services, warning of an increased and imminent threat of targeted ransomware attacks on the healthcare and public health sectors. A few days after the alert was issued, 6 healthcare providers were attacked with Ryuk ransomware in a single day.
Ransomware attacks are here to stay for the foreseeable future. They will only start to decline when they are no longer profitable. With attacks at record levels and no guarantee that stolen data will be returned even I the ransom is paid, it is more important than ever for businesses and healthcare organizations to ensure their defenses are hardened against ransomware attacks.
Ransomware can be delivered using a variety of techniques. Vulnerabilities in software and operating systems are commonly exploited to gain access to networks, so vulnerability scanning is important for identifying exploitable vulnerabilities to ensure they are promptly addressed before they can be exploited.
Email remains one of the most common attack vectors, not only for delivering ransomware, but delivering ransomware downloaders. Emotet and TrickBot are two Trojans commonly used to deliver ransomware as a secondary payload, and both are primarily delivered via email, as is BazarLoader, which has been used to deliver ransomware in many recent attacks.
To block this attack vector, an advanced AI-powered spam filter is required – one that is capable of not only detecting known malware threats, but zero-day malware and email attacks that have not been seen before. SpamTitan uses AI and machine learning techniques to identify these email threats at source and prevent them from being delivered to inboxes where employees unwittingly provide the attackers with access to their networks. In addition to dual anti-virus engines, SpamTitan has a sandboxing feature for identifying zero-day malware threats and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
Ransomware, ransomware droppers, and other malware threats are often delivered via the Internet, so cybersecurity measures are needed to block this attack vector. WebTitan similarly uses AI and machine learning techniques to provide protection from websites used to deliver malware threats. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could comprise a company and ensure those threats are blocked.
By implementing layered defenses, it is possible to block the majority of threats, but it is still important to ensure that your data is protected in the event that an attack succeeds. You should make sure that come what may, your data is secured.
A good approach to adopt is the 3-2-1 backup strategy, which involves making three backups, storing the copies on 2 different media (tape, disc, or cloud for instance), and ensuring one copy is stored securely off site. Should an attack succeed, you will not be at the mercy of the attackers and will at least be able to recover your data without paying the ransom.
If you want to improve your defenses against ransomware, give the TitanHQ team a call today for information and advice on the steps you can take to harden your defenses.