Telegram is a popular messaging app that has seen user numbers soar in recent months, with many users of WhatsApp making the change to Telegram after recent changes to the WhatsApp privacy and data management policies.
Telegram has also proven popular with cybercriminals who are using the app for distributing and communicating with malware. Recently, a campaign has been identified involving a new malware variant dubbed ToxicEye. ToxicEye malware is a Remote Access Trojan (RAT) that gives an attacker full control of an infected device. The malware is used to steal sensitive data and download other malware variants.
The malware uses a Telegram account for its command and control server communications. Through the attacker’s Telegram account, they can communicate with a device infected with ToxicEye, exfiltrate data, and deliver additional malicious payloads.
It is easy to see the attraction with using Telegram for malware communication. First, the app is popular. The Telegram app was the most popular app in January 2021, having amassed more than 63 million downloads, and has around 500 million active users worldwide. During the pandemic the app has been adopted by many businesses who have been using it to allow their remote workers to communicate and collaborate. The app supports secure, private messaging and most businesses allow Telegram to be used and do not block or inspect communications.
Setting up a Telegram account is easy and attackers can remain anonymous. All that is required to set up an account is a mobile phone number, and the communication infrastructure allows attackers to easily exfiltrate data and send files to malware-infected devices undetected.
Telegram is also being used for distributing malware. Attackers can create an account, use a Telegram bot to interact with other users and send files, and it is also possible to send files to non-Telegram users via phishing emails with malicious attachments. It is phishing emails that are being used to deliver ToxicEye malware. Emails are sent with a .exe file attachment, with one campaign using a file named “paypal checker by saint.exe” to install the malware.
If the attachment is opened and run, a connection will be made to Telegram which allows malware to be downloaded by the attacker’s Telegram bot. The attackers can perform a range of malicious activities once the malware is installed, with the primary goals of the attackers being gathering information about the infected device, locating and exfiltrating passwords, and stealing cookies and browser histories.
ToxicEye malware can kill active processes and take control of Task Manager, record audio and video, steal clipboard contents, and deploy other malware variants – such as keyloggers and ransomware.
TitanHQ offers two solutions that can protect against ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a powerful email security solution that will block malicious emails delivering the executable files that install the ToxicEye RAT and other malware. For even greater protection, SpamTitan should be combined with WebTitan web security. WebTitan is a DNS-based web filtering solution that can be configured to block access to Telegram if it is not in use and monitor traffic in real time to identify potentially malicious communications.
For further information on both of these solutions, details of pricing, and to register for a free trial, contact TitanHQ today.
Cloud-based instant messaging platforms have allowed individuals to easily communicate and collaborate, but cybercriminals are also benefitting from these platforms and are abusing the services for a range of malicious purposes. Discord is one such platform that has been favored by cybercriminals for several years and is now being extensively used for phishing and malware distribution.
Discord is a VoIP, instant messaging and digital distribution platform that has been extensively adopted by the gaming community and latterly by a much broader range of users. In 2019, Discord has amassed around 150 million users worldwide and usership has grown considerably since then. The platform has long been abused by cybercriminals who have used the platform’s live chat feature for selling and trading stolen data, such as gift cards and login credentials, for anonymous communications, and the platform has also been abused to act as C2 servers for communicating with malware-infected devices.
In 2021, the platform has been increasingly used for distributing a wide range of malware variants such as information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware by abusing the cdn.discordapp.com service.
Discord, like other collaboration apps, use content delivery networks (CDNs) for storing shared files within channels. Cybercriminals can upload malicious files to Discord and create a public link for sharing, and that link can be shared with anyone, not just Discord users. The URL generated for sharing starts with https://cdn.discordapp.com/ so anyone receiving the link will see that the link is for a legitimate site. While there are controls to prevent malicious files from being uploaded, oftentimes cybercriminals can bypass those protections have get their malicious files hosted, and warnings are not always displayed to users about the risk of downloading files from Discord. Since the malicious payloads are delivered via encrypted HTTPS, the downloads can be hidden from security solutions.
Further, once uploaded, the malware can be deleted from a chat, but it is still accessible using the public URL. Users are often tricked into downloading these malicious files under the guise of pirated software or games. Gamers have been targeted as their PCs typically have a high spec for gaming, which makes them ideal for cryptocurrency mining.
This method of malware distribution allows malware developers and distributers to easily distribute their malicious payloads with a high degree of anonymity. An analysis by Zscaler identified more than 100 unique malware samples from Discord in the Zscaler cloud in just a two-month period. Another analysis of Discord CDN results identified around 20,000 results on VirusTotal.
Discord is far from the only communication and collaboration solution to be abused. Slack and Telegram are similarly being abused in phishing campaigns and for malware distribution.
How TitanHQ Can Improve Your Organization’s Security Posture
TitanHQ offers two cybersecurity solutions that can be configured to block the use of these legitimate platforms in the workplace and stop malicious links from being distributed to their employees. WebTitan is a powerful but easy-to-use DNS filtering and web security solution that can be configured to block access to sites such as Discord, thus preventing employees from visiting malicious content. Since WebTitan performs malware scans in real time, if malicious files are encountered, employees will be prevented from downloading them. WebTitan supports HTTPS (SSL) inspection so can decrypt, scan, then re-encrypt traffic to identify and block malicious content.
Malicious links to Discord are often distributed via phishing emails. SpamTitan Email Security prevents malicious emails from being delivered to inboxes, such as emails containing links to Discord, Telegram, or other services that are abused by cybercriminals and used to host phishing kits or malware.
Both solutions work seamlessly together to protect against email- and web-based cyberattacks and prevent credential theft, and malware and ransomware attacks. Both solutions are cost effective to implement and easy-to-use and are much loved by IT staff who benefit from a high level of protection coupled with a low management overhead.
If you want to improve protection from email and web-based attacks, contact TitanHQ today to find out more about these award-winning cybersecurity solutions. Both solutions are available on a free trial and a product demonstration can be arranged on request.
Further, these solutions have been developed to be MSP-friendly, with a range of benefits for managed service providers who want to want to improve email and web security for their clients.
Do you want to help the workforce learn how to identify fake emails to stop them divulging their credentials on phishing websites or inadvertently downloading malware onto their computers? In this post we outline some of the signs of phishing emails that everyone should be looking for every time an email is opened to confirm whether it is legitimate or if it is likely a phishing email, email impersonation scam, or poses a network security threat.
What Threats are Sent via Email?
Email is the most common way for cybercriminals to breach company defenses. It has been estimated that 91% of all cyberattacks start with a phishing email. Phishing is the name given to an attempt to obtain sensitive information by deception, often by impersonated a trusted entity. Phishing can occur over the telephone, text message, social media networks, or instant messenger services, but most commonly phishing occurs via email. Phishing emails also deceive people into downloading malicious files that install malware or ransomware. One response to a phishing email is all it takes for cybercriminals to obtain login details that allow them to access email accounts and cloud services and steal large quantities of sensitive data or gain the foothold they need for an extensive compromise of a business network.
If you have a powerful email security solution installed, the majority of phishing emails and other email threats will be blocked, but no email security solution will provide complete protection, so everyone needs to learn how to identify fake emails and know what they should do if such an email is received.
Employees Must be Receive Security Awareness Training
In certain industries, security awareness training for the workforce is mandatory and it is necessary to teach employees how to identify fake emails. In the United States, for example, regular security awareness training is a requirement of the Health Insurance Portability Act (HIPAA). All healthcare organizations must ensure that their employees can identify fake emails such as those used for phishing.
Even if not required by law, security awareness training is strongly advised. Employees cannot be expected to know the difference between a genuine and a scam email if they are not taught what to look for. By providing this training regularly you can condition your employees to always conduct checks to identify fake emails, which will help you to prevent costly data breaches.
How to Identify Fake Emails!
Cybercriminals regularly change their tactics, techniques and procedures to evade security defenses and fool people into divulging sensitive information or installing malware. The themes of malicious emails and lures in phishing emails often change, but there are commonalities in many of these scams which are detailed below. A scam or phishing email may include one or more of these tactics or techniques.
Be aware that just because an email appears to have been sent from a known and trusted email address or person, or a company with the right branding and logos, it does not mean that the email is genuine. You should still carefully check the message before responding or taking any action suggested in the message.
Phishing and scam emails usually have a sense of urgency. Attackers want you to act quickly without thinking, as the longer you take, the more likely it is you will identify the email for what it really is.
Phishing and scam emails often include a threat of negative consequences if no action is taken. Your account will be closed, you will lose access to a service, you will have to pay a fine, or you will be arrested, are all common ways to convey urgency and get people to take the action suggested in the email.
Scammers often use FOMO, bargains, or rewards to encourage people to get in touch or visit a website. A too-good-to-be-true offer such as a new iPhone for $100 or a prize in a competition that you haven’t entered is a common ruse to get people to click a malicious link.
Requests for Sensitive Information
The easiest way to obtain sensitive information is simply to ask for it. You should stop, think, and carefully consider any request to send sensitive information via email. Make sure the email address – not just the display name – is correct and try to call to confirm requests to send sensitive information or change payment details using verified contact information – Not contact information supplied in the email.
Hyperlinks are often included to get past email security defenses and direct individuals to scam websites. The URL is often masked with different text so hover your mouse arrow over the link to find the destination URL. URL shortening services are often used to hide the true destination URL. The URL linked in a message may also not be the destination URL as you may be redirected via multiple websites before landing on a page. Make sure you carefully check the URL and any domain you land on. If in doubt, do not click hyperlinks in emails.
Attachments are often used with double extensions to make them appear legitimate (.doc.exe). Simply opening these files is all it takes to install malware. Macros are often used that contain code that will download malware if they are allowed to run. Scan email attachments with AV software before opening and do not enable content unless you are 100% sure the attachment is genuine. Always treat email attachments as suspicious, and never open a file with an unfamiliar, unusual, or suspicious extension (.zip, .scr, .js, .exe, .vbs, .bat, .com, .msi, .jse, .lnk, .vb etc.)
Irregular email addresses and domains
Often the display name and the actual email address will be very different. Make sure you check the actual address used. Companies do not use public email domains (the part after the @) such as Gmail. Check that the domain is actually the one used by a company i.e., paypal.com is genuine; pay–pal.com is not. Also check that the domain is spelled correctly and there are no missing or transposed letters. Look out for potential alternative characters such as an rn instead of an m, a zero instead of an o, and a 1 instead of an I.
Spelling and grammar
Scammers are good at scamming, but often not so good at spelling. Many attackers do not speak English as their first language, so mistakes are often made with spelling and grammar. These mistakes can be deliberate to ensure only people who are likely to fall for the next stage of the scam respond.
Malicious emails often convince people to take out of the ordinary actions, such as requests to help out a colleague or boss by buying gift cards. Any out-of-band request should be confirmed with a quick phone call, but not using any contact information supplied in the email.
Odd salutations and message tone
How messages are addressed is a good indicator of whether the message is genuine. Most emails from companies now address recipients by name. If Netflix emails you and addresses you as Dear Customer, it could well be a scam. Attackers will probably not be used to the tone of emails usually sent when they conduct email impersonation attacks and may be overly familiar or unnaturally formal.
Block More Email Threats with an Advanced Email Security Solution
Many phishing and scam emails are highly sophisticated and are very difficult to distinguish from genuine emails, even by employees who have been trained how to identify fake emails. Messages can be sent from genuine email accounts that have been compromised, past message threads can be hijacked, and genuine logos and layouts used when companies are spoofed. Training the workforce how to identify fake emails is important, but you also need an advanced spam filtering solution in place to ensure the vast majority of these emails are blocked and not delivered to inboxes.
If you want to improve your defenses against email attacks, contact the TitanHQ team and ask about SpamTitan. SpamTitan is an easy to use, powerful email security solution that will keep you protected from scams and emerging and zero-day email threats. Furthermore, SpamTitan is one of the most cost-effective email security solutions on the market for businesses of all sizes.