Email & Web Spam

Our news section dedicated to email & web spam highlights many scenarios in which organizations – and individuals within organizations – act on fraudulent communications sent via email or presented to them on a hacked website. The news items report not only cyberattacks launched via email and the web, but also on the damage that is caused and the consequences of the attack.

Trends in email & web spam attacks are also identified within our news items, plus information on how many of the attacks can be avoided – typically with an email spam filter and/or a web content filter. If yours is an organization at risk from email & web spam, we recommended that you speak with one of our technical sales team today.

Malicious Word Documents Used to Deliver Malicious Cobalt Strike Script Hidden in PNG file

A malware delivery campaign has been identified that uses phishing emails, malicious macros, PowerShell, and steganography to deliver a malicious Cobalt Strike script.

The initial phishing emails contain a legacy Word attachment (.doc) with a malicious macro that downloads a PowerShell script from GitHub if allowed to run. That script in turn downloads a PNG image file from the legitimate image sharing service Imgur. The image contains hidden code within its pixels which can be executed with a single command to execute the payload. In this case, a Cobalt Strike script.

Cobalt Strike is a commonly used penetration testing tool. While it is used by security professionals for legitimate security purposes, it is also of value to hackers. The tool allows beacons to be added to compromised devices which can be used to execute PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the attackers avoid detection.

The hiding of code within image files is known as steganography and has been used for many years as a way of hiding malicious code, typically in PNG files to prevent the code from being detected. With this campaign the deception doesn’t end there. The Cobalt Strike script includes an EICAR string that is intended to fool security solutions and security teams into classing the malicious code as an antivirus payload, except contact is made with the attacker’s command and control server and instructions are received.

This campaign was identified by researcher ArkBird who likened the campaign to one conducted by an APT group known as Muddywater, which emerged around 2017. The threat group, aka Static kitten/Seedworm/Mercury, primarily conducts attacks on Middle eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is unclear whether this group is responsible for the campaign.

Naturally one of the best ways to block these types of attacks is by preventing the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for analyzing attachments in safety will help to ensure that these messages do not get delivered to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent via email.

A web filtering solution is also beneficial. Web filters such as WebTitan can be configured to give IT teams control over the web content that employees can access. Since GitHub is commonly used by IT professionals and other employees for legitimate purposes, an organization-wide block on the site is not recommended. Instead, a selective block can be placed for groups of employees or departments that prevents GitHub and other potentially risky code sharing sites such as PasteBin from being accessed, either deliberately or unintentionally, to provide an extra layer of protection.

APT32 and TA416 APT Groups Delivering New MacOS and Windows Malware Variants

The Advanced Persistent Threat (APT) group APT32 – aka OceanLotus – is conducting a malware campaign targeting Apple MacOS users. APT32 is a nation-state hacking group that primarily targets foreign companies operating in Vietnam. The data exfiltrated by the hackers is believed to be used to give Vietnamese companies a competitive advantage, although the exact motives behind the attacks are opaque.

The group is known for using fully featured malware which is often delivered via phishing emails and commercially available tools. The latest malware variant was identified by security researchers at Trend Micro, who tied the malware to APT32 due to code similarities with other malware variants known to have been used by the group. The malware is a MacOS backdoor that allows the group to steal sensitive information such as business documents. The malware also gives the attackers the ability to download and install additional malicious programs on victim computers.

The malware is being delivered via phishing emails that have a zip file attachment which is disguised as a Microsoft Word document. If the recipient is convinced to open the attached file, no Word document will be opened, but the first stage of the payload will execute in the background. The first stage changes access permissions which allows the second stage payload to be executed, which prompts the third stage of the payload that downloads and installs the backdoor on the system. This multi-stage delivery of the backdoor helps the malware to evade security solutions.

Protecting against attacks involves blocking the initial attack vector to prevent the phishing emails from being delivered to end users. End user security awareness training should be provided, and employees conditioned not to open email attachments from unknown senders. It is also recommended to ensure computers are kept fully patched, as this will limit the ability of the group to use its malware to perform malicious actions.

Chinese TA416 APT Group Delivering New Variant of PlugX RAT

The APT group TA416 – aka Mustang Panda/Red Delta – is conducting a campaign to distribute a new variant of its PlugX Remote Access Trojan (RAT). TA416 is a nation state sponsored group with strong links to the Chinese government and has previously conducted attacks on a wide range of targets around the world.

The group is known for using spear phishing emails and social engineering techniques to deliver malware that allows the hackers to gain full control of an infected computer. The attacks are conducted for espionage purposes; however, the malware has an extensive range of capabilities. In addition to stealing data, the malware can copy, move, rename, execute, and delete files, log keystrokes, and perform many other actions.

The new campaign delivers two RAR archives, which act as droppers for its PlugX malware. The theme of the emails in the latest campaign are a supposed new agreement between the Vatican and the Chinese Communist Party.

The campaign was identified by researchers at Proofpoint, who could not pinpoint the exact delivery method; however, TA416 is known to use Google Drive and Dropbox URLs in its phishing emails to deliver malicious payloads. One of the RAR files is a self-extracting archive that extracts four files and executes an Adobelm.exe file, which delivers a Golang version of the PlugX malware. The recent update to the PlugX RAT helps it evade security solutions.

Combating the APT Threat

The tactics used by these and other APT groups to deliver malware are constantly changing, with phishing campaigns regularly tweaked to increase the likelihood of end users performing the desired action and to prevent the campaigns being detected by anti-virus and anti-phishing solutions. The changes to the malware and campaigns are effective and can easily fool end users and bypass technical controls, especially signature-based antivirus solutions.

Advanced AI-based cybersecurity solutions are required to detect and block these threats. These solutions detect known malware variants and can also identify zero-day malware threats and never-before seen phishing campaigns. The solutions work by protecting against the two most common attack vectors – email and the web – and prevent malicious messages from reaching inboxes and block downloads of malicious files from attacker-controlled websites.

Advanced Cybersecurity Defenses Needed to Combat New Phishing and Malware Campaigns

Cybercriminals are using an increasing range of tactics, techniques and procedures to fool the unwary into disclosing their credentials or installing malware, which is making it hard for end users to distinguish between genuine and malicious messages.

It is common for cybercriminals to purchase lookalike domains for use in phishing scams and for distributing malware. Oftentimes the domains purchased are very similar to the domains they impersonate, aside from one or two changed letters.

For instance, the letters v v could be used in place of a w for a domain spoofing Wal-Mart – e.g. VVal-Mart. In internationalized domain name (IDN) homograph attacks, aka script spoofing, Greek, Latin, and Cyrillic letters are used in domains instead of standard letters. This can lead to domains being almost indistinguishable from the domains they are spoofing, especially since the web pages hosted on those domains include the logos and color schemes used on the official websites.

FBI Warns of Use of Spoofed FBI Domains

Recently the Federal Bureau of Investigation (FBI) issued a warning following the discovery that many FBI-related domain names have been purchased that closely resemble official FBI websites. While these domains are not believed to have been used for malicious purposes to date, it is probable that the individuals registering these domains were intending to use them in phishing attacks, for distributing malware, or for disinformation campaigns. The domains include fbidefense.com, fbimaryland, fbi-ny, fib.ca, fbi-intel.com, fbi.systems, and fbi.health.

These domains can be used to host phishing kits or exploit kits, but the domains can be used to create official-looking email addresses. An email from one of these domains, that has the FBI in the name, could easily scare someone into taking an action demand in the email, such as disclosing their login credentials or opening a malicious email attachment.

Legitimate Cloud Services Leveraged in Sophisticated Phishing Attacks

There have also been phishing campaigns detected in recent weeks that use legitimate cloud services to mask the malicious nature of the emails. Campaigns have been detected that use links to Google Forms, Google Docs, Dropbox, and cloud services from Amazon and Oracle. Emails are sent that include fake notifications with links to these cloud services; however, once the link is clicked, the user is taken through a series of redirects to a malicious website hosting fake Office 365 login prompts that steal credentials.

Several of these campaigns involved checks to make sure the recipient is a real person, with automated responses directed to official domains to prevent analysis. Phishers are also continuing to use typosquatting – the name given to the use of domains with natural typographical errors – to catch out careless typists.

Sophisticated Campaigns Call for Sophisticated Cybersecurity Defenses

The sophisticated nature of today’s phishing and malware campaigns, together with cybercriminals’ constantly changing tactics, techniques, and procedures, mean it is becoming harder for end users to distinguish between genuine and malicious emails. End user security awareness training is still important, but it has never been more important to have effective technical solutions in place to ensure that these threats are identified and blocked before any harm is caused.

The first line of defense against phishing is an email security gateway solution through which all emails need to pass before they reach inboxes. These solutions need to use a range of advanced mechanisms for identifying malicious and suspicious emails, so should one mechanism fail to identify a malicious email, others are in place to provide protection.

SpamTitan from TitanHQ is one such solution that incorporates many layers of protection to detect and block phishing and malware attacks via email. Checks are performed on the message headers, content is analyzed, and machine learning is incorporated to identify never before seen threats, in addition to blacklisting of known malicious email addresses and domains. To block malware threats, SpamTitan uses dual anti-virus engines to block known threats and sandboxing to identify and block zero-day malware threats. Working seamlessly together, these mechanisms will block 99.97% of malicious messages.

An additional anti-phishing solution that you may not have considered is a web filtering solution. Web filters are important for blocking the web-based component of phishing attacks and preventing individuals from visiting sites used for malware delivery. A web filter can also block redirects to malicious websites that hide behind links to legitimate cloud services.

WebTitan from TitanHQ is a smart, DNS-based web filtering solution that uses automation and advanced analytics to block emerging phishing and other malicious URLs, not just those that have been already used in attacks and have been added to blacklists. Through the use of AI-based technology, WebTitan can provide protection from zero-minute threats.

Advanced cybersecurity defenses do not need to be complicated for end users to use. Both SpamTitan and WebTitan have been developed to be easy to implement, use, and maintain. While they incorporate all the required protections and allow advanced users to drill down and analyze threats, they can also easily be used to protect networks and devices by users with little technical skill. The ease of implementation, use, and maintenance together with the superb threat protection are why the solutions are consistently rated so highly on review sites such as Capterra, GetApp, Software Advice, and on Google Reviews.

To improve your defenses against cybersecurity threats delivered via email and via the web, give the TitanHQ a team a call today and find out more about SpamTitan Email Security and WebTitan DNS filtering.

Phishing Campaign Uses CAPTCHA to Fool Users and Email Security Solutions

Phishers are constantly coming up with new scams that abuse trust. People tend to trust their favorite brands and when email communications are sent by those companies there is a tendency for the emails to be trusted. The same is true when emails are sent from email contacts such as work colleagues and friends. Cybercriminals take advantage of trust to get users to take a specific action, such as clicking on an embedded hyperlink in an email or opening an email attachment.

Many businesses now provide security awareness training to employees and try to teach them to always be vigilant and never to trust emails implicitly, even if they have been sent by known contacts. Just because an email has been sent from a known and trusted email account does not mean the message is genuine. Email accounts are often compromised and used to send phishing emails. The Emotet Trojan hijacks email accounts and uses them to send copies of itself to the victim’s contacts, and several other malware variants do the same. Email addresses are also spoofed. The display name may be correct or believable, but the actual email account used to send the message is anything but.

Another tactic is now being used by at least one cybercriminal group than similarly abuses trust, albeit in a new way. A phishing campaign, which was first detected on September 21, 2020, uses the challenge-response test CAPTCHA to simultaneously make the campaign believable and also to reduce the probability of the scam being detected by email security solutions.

Internet users will be familiar with CAPTCHA, although maybe not by name. The CAPTCHA system is used by many websites as a way to determine if a website visitor is a human or a bot, most commonly on forms.

Google uses CAPTCHA and requires users to pass a pictorial challenge where it is necessary to select all the images in a group that featuring a car, bicycle, bus, or traffic lights. If you pass the challenge you will be allowed to proceed, if you fail you will not. Other versions involve entering in a number or code word that has been heavily disguised in an image.

While these CAPTCHA challenges can be annoying, they are associated with security so if a website has one of these challenges, subconsciously people tend to feel more secure. However, as with a website starting with HTTPS, it does not mean the website is genuine.

In this new phishing campaign, users are likely to feel more secure when credentials are requested since they had to pass a CAPTCHA test, especially considering the page on which the challenge was set up looks just like the genuine login prompt for Office 365.  The background is the same, as is the login prompt. The only difference between the genuine login page and the fake version is the URL.

Security teams face a challenge detecting and blocking these phishing pages as email security solutions, despite having AI-based detection mechanisms, are essentially bots and, as such, cannot pass a CAPTCHA challenge.

A second tactic is also used to evade detection. The scammers have set up their campaign so that only a specific set of IP addresses will be presented with the CAPTCHA test on the fraudulent domain. If any IP address outside a specific range attempts to visit the link– the IP range used by the targeted company – a redirection will occur to the genuine Microsoft login page.

While these scams help to ensure that malicious emails are delivered to inboxes, organizations do not need to be totally reliant on their employees recognizing the scams and taking appropriate action (reporting the email to the IT security team).

With a web filtering solution in place, attempts to visit known malicious websites will be blocked. When malicious domains are detected they are automatically added to a web filter’s blacklist, and any attempts to visit malicious domains will be blocked.

WebTitan is a low maintenance security solution that can be set up in about 5 minutes and will protect against the web-based component of phishing attacks and will block malware downloads from malicious websites. WebTitan works in tandem email security solutions to provide greater protection against malware and phishing attacks. The solution can also be used to control the content that employees and guest network users can access over the internet, whether they are on the network or working remotely.

If you have not implemented a web filter or are unhappy with your current solution, give the WebTitan team a call to find out more. A product demonstration can be arranged, you can have a free trial of the solution, and assistance can be provided to help you get the most out of WebTitan during your trial.

Malicious COVID-19 Domains Used to Deliver Banking Trojans and Other Malware

The COVID-19 pandemic has given cybercriminals a golden opportunity to make money. With the world focused on little else other than the response to the pandemic, and with people craving information about the virus, it is not surprising that standard phishing lures have been abandoned in favor of COVID-19 themed lures.

COVID-19 and coronavirus themed domains have been purchased in the tens of thousands and are being used for phishing, malware distribution, and a variety of scams such as obtaining donations to fake charities. Figures released by the Palo Alto Networks Unit 42 team for the period of February to March show there has been an average daily increase of new COVID-19 related domains of 656%, a 569% increase in the number of malicious COVID-19 domains, and a 788% increase in new high-risk domains.

Several domain registrars have started taking steps to combat coronavirus and COVID-19 related fraud and some, such as Namecheap, are now preventing the registration of new domains related to COVID-19. Domain registrars are flagging these new domains for investigation, but that is a manual review process that takes time. In the meantime, the domains are being set up and used for convincing scams.

One malicious campaign uncovered in the past few days uses COVID-19 themed domains to distribute the banking Trojan Grandoreiro. The websites are used to host videos that promise to provide important information about SARS-CoV-2 and COVID-19. When visitors click on the video, a file download is triggered and the user is required to run the installer to view the video content, but instead installs the banking Trojan. The banking Trojan has previously been delivered via spam email, but the threat group behind the malware have changed tactics in response to the pandemic and have changed to web-based delivery.

There have been many similar campaigns created using malicious COVID-19 domains to deliver a slew of malware variants such as keyloggers, information stealers, cryptocurrency miners, and other Trojans.

Lockdown has left people with a lot of time on their hands and outdoor activities have been swapped for more TV time. It is no surprise that movie piracy sites have seen a huge surge in traffic and malware distributors are taking advantage and are bundling malware with pirated video files and using fake movie torrents to deliver malware.

An investigation by Microsoft identified a campaign that uses a VBScript packaged into ZIP files that claim to be pirated movie files. The campaign was being conducted to deliver a coinminer that runs in the memory, with living-of-the-land binaries also used to download other malicious payloads.

These campaigns often have a phishing component, with emails sent to drive traffic to these malicious websites. An advanced spam filtering solution can help to block the email component of these campaigns, but businesses should also consider an additional layer to their security defenses to block the web-based component of these attacks and prevent their remote employees from visiting malicious COVID-19 domains. That protection can be provided by a DNS filtering solution such as WebTitan Cloud.

WebTitan Cloud filters out malicious websites at the DNS lookup stage of a web access request. When a user attempts to visit a website, instead of the standard DNS lookup to find the IP address of a website, the request is sent through WebTitan. If an attempt is made to visit a malicious domain, the request will be blocked and the user will be directed to a local block page. WebTitan can also be configured to block certain file downloads and filter the internet by category, such as blocking P2P file-sharing and torrents sites to provide additional protection against malware and the installation of shadow IT.

WebTitan Cloud can be quickly set up remotely by sysadmins to protect all workers on and off the network with no clients required, which makes it an ideal solution during the COVID-19 pandemic for protecting remote workers.

For further information on protecting your organization and remote employees from web-based attacks, to register for a free trial of WebTitan, and for details of pricing, give the TitanHQ team a call today.

Meteoric Rise in Phishing and Web Attacks Targeting NASA’s Telecommuting Workers

There has been a massive rise in the number of telecommuting workers as a result of the 2019 Novel Coronavirus pandemic and cybercriminals are taking advantage. Phishing and malware attacks have soared in the past few weeks and home workers are being targeted.

Individuals who regularly worked from home before the COVID-19 crisis will be used to taking precautions when connecting to virtual environments set up by their employers, but huge numbers of employees are now logging in remotely for the very first time and may not be aware of the telecommuting cybersecurity risks. IT and IT security departments have also had to set up the workforce for home working in a hurry, and the sheer number of employees that have been forced into telecommuting means corners have had to be cut which has created opportunities for cybercriminals.

Even if the transition to having the entire workforce telecommuting has been expertly managed, risk will have increased considerably.  Cybersecurity is far harder to manage when the entire workforce is outside the protection of the corporate firewall and with most workers telecommuting, the attack surface has grown considerably.

Telecommuting workers are seen as low hanging fruit and cybercriminals are taking advantage of the ease at which attacks can be conducted. Since January there has been a massive increase in phishing attacks, malware attacks, and attacks over the internet targeting remote workers.

NASA Sees “Exponential Increase” in Malware Attacks

On April 6, 2020, NASA sent a memo to all personnel warning of a massive increase in targeted attacks on the agency.  NASA explained in the memo that the number of phishing attempts on NASA employees has doubled in the past few days and its systems designed to block employees from accessing malicious websites has gone into overdrive. The number of malicious websites that are now being blocked has also doubled, which strongly suggests employees are clicking on links in phishing emails and are being fooled by these scams. NASA also reports that there has been an “exponential increase in malware attacks on NASA systems.”

Attacks are being conducted by a diverse range of threat actors, from small players to prolific advanced persistent threat (APT) groups and nation-state sponsored hackers. NASA has warned its employees that those attackers are targeting NASA employees’ work and personal devices and that the attacks are likely to continue to increase throughout the Novel Coronavirus pandemic.

NASA is far from alone in experiencing a massive increase in attempted cyberattacks. Businesses of all sizes are now having to deal with unprecedented risks and are struggling to defend their networks from attack. They now have to defend a massively increased attack surface and the number of attacks has skyrocketed.

There are other factors that are making it difficult for employers. Employees crave information about the Novel Coronavirus and COVID-19 and cybercriminals are sending huge numbers of emails offering them just the information they seek. Huge numbers of websites are being set up that purport to offer advice on the Novel Coronavirus and COVID-19. Check Point has reported that more than 16,000 domains related to coronavirus or COVID-19 have been registered since January and those domains are 50% more likely to be malicious than other domains registered in the same period.

How to Protect Telecommuting Workers

There are three main ways that telecommuting workers are being attacked: Email, malicious websites, and the exploitation of vulnerabilities.

To prevent the latter, it is essential for software and operating systems to be kept up to date. This can be a challenge for IT departments at the best of times, but much harder when everyone is working remotely. Despite the difficulty, prompt patching is essential. Vulnerabilities in VPNs are being targeted by cybercriminals and offer an easy way to gain access to corporate networks. Employees should be told to make sure their VPN clients are running the latest software version and businesses should ensure their VPN infrastructure is kept up to date, even if it means some downtime while updates are applied.

TitanHQ Can Help You Strengthen Email and Web Security

Advanced email security defenses are now required to protect against phishing and email-based malware threats. Some of the COVID-19 phishing campaigns that are now being conducted include some of the most sophisticated phishing threats we have ever seen.

You should not rely on one form of email security, such as Microsoft’s Exchange Online Protection for Office 365 accounts. Layered defenses are essential. Office 365 email security can be significantly strengthened by layering SpamTitan on top of Microsoft’s EOP protections. SpamTitan does not replace Office 365 protections, it improves them.

SpamTitan is an advanced email security solution that incorporates powerful, real time updated AI-driven threat intelligence to block spam, phishing, malware, malicious links, and other email threats from incoming mail. SpamTitan sandboxing identifies threats that signature-based detection solutions miss and is effective at identifying and blocking zero-day malware threats.

Each day, the number of malicious websites related to COVID-19 grows. These websites are used to phish for sensitive information such as email and VPN credentials and for drive-by downloads of malware. To protect remote workers and prevent them from accessing these malicious websites, a web filtering solution is required.

WebTitan DNS Security offers protection against web-based threats and prevents employees from accessing known malicious websites. WebTitan DNS Security is seeing massively increased traffic demand for its scanning and web detection features, but the solution is cloud based and has been developed with scalability in mind. WebTitan DNS Security is blocking new threats as soon as they are identified to keep customers and their employees protected. The solution can be easily implemented to protect remote workers but inserting simple code into enterprise devices which points the DNS to WebTitan. That small change will ensure the internet is filtered for all employees, no matter where they are working.

TitanHQ is committed to providing safe and secure email and internet usage for our customers, partners and their users, now more than ever. Contact TitanHQ today for help improving security at your organization.

How is Ransomware Delivered and How Can I Block Ransomware Attacks?

There are many ways that ransomware can be downloaded onto business networks, but most commonly, ransomware attacks occur via Remote Desktop Protocol (RDP), drive-by downloads, or email.

RDP Attacks

Scans are performed to discover organizations with open RDP ports, which are then attacked using brute force tactics to guess weak passwords. Cybercriminals also add credentials from historic data breaches to their password lists.

The best way to defense against this method of ransomware delivery is to disable RDP entirely; however, RDP is often required for remote management or remote access to virtual desktops, so this may not be an option. If RDP cannot be disabled, there are steps that should be taken to make it as secure as possible.

Use of strong passwords is important to protect against brute force attempts to guess passwords. You should follow NIST advice on creating complex passwords. Passwords must be unique and not used on any other platform. Two-factor authentication should be implemented to prevent stolen credentials from being used.

You must make sure you are running the latest software versions for servers and clients. RDP connections to listening RDP ports should only be permitted through a secure VPN, and ideally, an RDP gateway should be used. You should also restrict who is permitted to login to remote desktop. Finally, you should use rate limiting to lock users out after a set number of failed attempts to enter the correct password.

Drive-By Ransomware Downloads

Drive-by downloads occur on websites controlled by hackers, either their own sites or insecure sites that have been compromised. Malicious scripts are added to the websites that download ransomware and other malware payloads onto a user’s device when they visit the malicious webpage. This method of attack does not require any user interaction, other than visiting the malicious website. That could occur by clicking a malicious link in an email, via a redirect, or even through general web browsing.

A web filter such as WebTitan is one of the best defenses against drive-by ransomware downloads. WebTitan is a DNS filtering solution that prevents end users from visiting websites known to be malicious. Rather than connecting to the website, the user will be directed to a local block page if they attempt to visit a known malicious website. WebTitan can also be configured to block downloads of risky file types such as executable files.

Email-Based Attacks

Ransomware is also commonly delivered via email. This could be via an embedded hyperlink to a website where a drive-by download occurs or via malicious scripts in file attachments. Protecting against email-based attacks requires a defense in depth approach, as no single solution will provide total protection against all email attacks.

An advanced email security solution such as SpamTitan should be implemented. SpamTitan scans all inbound and outbound emails and uses a variety of techniques, including machine learning, to identify and block potentially malicious emails. SpamTitan incorporates two antivirus engines that detect known malware variants and a sandbox to analyze suspicious files for malicious actions. Sandboxing protects against never-before-seen malware and ransomware variants.

End user training is also important to ensure that in the event of a malicious email reaching an end user’s inbox, it can be recognized as such. A web filtering solution will help to ensure that any attempt to visit a malicious website via a hyperlink in an email or email attachment is blocked before ransomware is downloaded.

Ransomware as a Secondary Payload

Several ransomware operators use commodity malware to deliver their ransomware payloads. The threat actors behind DoppelPaymer ransomware have been using the Dridex banking Trojan to deliver their malicious payload, while the Ryuk ransomware gang uses the TrickBot Trojan.

Even if these commodity malware infections are discovered and removed, the ransomware gangs may still have access to systems. These commodity malware infections are often viewed as relatively trivial and when these malware variants are discovered the attacks are not properly investigated. The Trojans are removed, but the ransomware operators continue to spread laterally before deploying their ransomware payloads.

In the case of TrickBot, once it is downloaded it gets to work harvesting data such as passwords files, cookies, and other sensitive information. Once the attackers have harvested all the data they can, a reverse shell is opened to the Ryuk ransomware operators who perform recon of the network and attempt to gain administrator credentials. They then use PSExec and other Windows tools to deploy ransomware on all devices connected to the network.

That is exactly what happened with the attack on the e-discovery firm, Epiq Global. The initial TrickBot infection occurred in December 2019. Access was provided to the Ryuk operators who deployed the ransomware on February 29, 2020. Prior to the deployment of ransomware, the Ryuk operators compromised computers in all 80 of Epiq’s global offices.

TrickBot and other Trojans are primarily delivered via phishing emails. SpamTitan will help to keep you protected against these Trojans and other ransomware downloaders.

How to Improve Restaurant Cybersecurity and Thwart Hackers

Any business that processes card payments is a target for cybercriminals, but restaurants in particular are favored by hackers. Over the past few weeks, cybercriminals have stepped up their efforts to attack these businesses and several restaurant chains have had their systems compromised. In all cases, malware has been installed on point-of-sale systems that steals payment card information when diners pay for their meals.

Many of the attacks have hit restaurant chains in the Midwest and East, with credit card data from diners recently having been listed for sale on the underground marketplace, Joker’s Stash. A batch of approximately 4 million credit and debit cards is being offered for sale, which comes from malware attacks at Moe’s, McAlister’s Deli, Krystal, and Schlotzsky’s.

The cyberattack on Krystal was detected in November, with the other three chains, all owned by Focus Brands, attacked in August. In total, the above chains have more than 1,750 restaurants and almost half of those locations, mostly in Alabama, Florida, Georgia and North and South Carolina, were affected.

Catch Hospitality Group also announced in November that it had suffered a cyberattack which had seen malware installed on its point-of-sale system that scraped and exfiltrated payment card data as diners paid for their meals. The data breach affected customers of Catch NYC, Catch Roof, and Catch Steak restaurants. Fortunately, the devices used to process the majority of payments were unaffected. Malware was on the Catch NYC and Catch Roof devices between March 2019 and October 2019, with Catch Steak affected between September 2019 and October 2019.

Church’s Chicken restaurants were also attacked in a separate incident in October. The majority of its 1,000+ restaurants were not affected, but at least 160 restaurants in Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Texas had malware installed on their POS system.

Other restaurant chains that have been attacked in 2019 include Checker’s Drive-In, Cheddar’s Scratch Kitchen, Huddle House, Applebee’s, Chilli’s, and Earl Enterprises (Buca di Beppo, Chicken Guy, Tequila Taqueria, Mixology, Planet Hollywood). Malware n the systems of Earl Enterprises had been present for almost a year before it was detected.

How to Improve Restaurant Cybersecurity

Restaurants process many thousands of card transactions which makes them an attractive target for hackers. Restaurants often use out-of-date operating systems, have vulnerability-ridden legacy hardware, and their cybersecurity solutions often leave a lot to be desired. Consequently, cyberattacks on restaurants are relatively easy to perform, at least compared to many other types of businesses.

In order to infect the POS system, the attackers will need network access. That is most commonly gained via phishing emails, drive-by malware downloads, or by abusing remote access tools. Direct attacks are also possible using techniques such as SQL injection and weak passwords can be easily guessed using brute force tactics.

The malware that sits on systems and exfiltrates data tends to have a very small footprint and is often stealthy as it needs to be present for long periods of time to collect payment card data. That can make it hard to detect when it has been installed. The key to security is therefore improving defenses to make sure the malware is not installed in the first place, which means preventing the attackers from gaining access to the network.

Listed below are some easy-to-implement steps that will help restaurants improve their security posture and block attacks. The key is defense in depth through layered security.

  • Use an enterprise-grade firewall –Ensure an enterprise-grade firewall is purchased. A firewall will prevent unauthorized individuals from gaining access to your network resources.
  • Patch promptly and update all software and firmware – Ensure patches are applied promptly and software and firmware updates are implemented when they are released. That includes all systems and networked devices, not just your POS.
  • Upgrade hardware – When your hardware is approaching end of life it is time to upgrade. Unsupported hardware (and software) will no longer be updated and vulnerabilities will no longer be fixed.
  • Lockdown your POS: Use whitelisting or otherwise lock down POS systems to make it harder for malware to operate. Only allow trusted apps to run on your POS systems.
  • Install powerful antivirus software – Ensure all devices are protected by a powerful anti-virus solution and that it is set to update virus definitions automatically. Regularly scan the network for malware, especially your POS.
  • Implement an intrusion detection system – These systems monitor the network for unusual activity that could indicate a malware infection, attackers searching the network for the POS system, and unusual traffic that could indicate data exfiltration.
  • Change all default passwords and set strong passwords – To protect against brute force attacks, ensure strong passwords are set on all systems and all default passwords are changed. Also implement rate limiting to block attempts to access a system or device after a set number of failed password attempts.
  • Implement a powerful spam filtering solution – A powerful email security solution, such as SpamTitan, is required to prevent spam and malicious emails from being delivered to end users. Even if you have Office 365, you will need a third-party email security solution to block email-based threats.
  • Restrict Internet access with a DNS filter – A DNS filter such as WebTitan provides protection against drive-by malware downloads and web-based phishing attacks. WebTitan will block all known malicious websites and those with a low trust score. The solution can also be configured to prevent employees from accessing categories of websites where malware downloads are more likely.
  • Disable Remote Access if Possible – Disable Remote Desktop Protocol and all remote access tools. If remote access tools are required to allow essential maintenance work to be completed, ensure they can only used via a VPN and restrict the people who can use those tools.

Beware of Black Friday Phishing Scams and Malware Attacks!

Black Friday phishing scam are rife this year. With almost a week to go before the big discounts are offered by online retailers, scammers are stepping up their efforts to defraud consumers.

Spam email campaigns started well ahead of Black Friday this year and the scams have been plentiful and diverse. Black Friday phishing emails are being sent that link to newly created websites that have been set up with the sole purpose of defrauding consumers or spreading malware and ransomware. It may be a great time of year to pick up a bargain, but it is also the time of year to be scammed and be infected with malware.

A wide range of spam emails and scam websites have been detected over the past few weeks, all of which prey on shoppers keen to pick up a bargain. This year has seen the usual collection of almost too-good-to-be-true offers on top brands and the hottest products, free gift cards, money off coupons, and naturally there are plenty of prize draws.

Anyone heading online over the next few days to kick start their holiday shopping spree needs to beware. The scammers are ready and waiting to take advantage. With legitimate offers from retailers, speed is of the essence. There is a limited supply of products available at a discount and shoppers are well aware that they need to act fast to secure a bargain. The scammers are playing the same game and are offering limited time deals to get email recipients to act quickly without thinking, to avoid missing out on an exceptional deal.

This time of year always sees a major uptick in spam and scams, but this year has seen much more sophisticated scams conducted than in previous years. Not only are the scammers insisting on a quick response, several campaigns have been identified that get users to help snag more victims. In order to qualify for special offers or get more deals, the scammers require users to forward messages and share social media posts with their friends and contacts. This tactic is highly effective, as people are more likely to respond to a message or post from a friend.

So how active are the scammers in the run up to Black Friday and Cyber Monday? According to an analysis by Check Point, the number of e-commerce phishing URLs has increased by 233% in November. Those URLs are being sent out in mass spam campaigns to direct people fake e-commerce sites that impersonate big name brands. Those sites are virtual carbon copies of the legitimate sites, with the exception of the URL.

While consumers must be wary of Black Friday phishing scams and potential malware and ransomware downloads, businesses should also be on high alert. With genuine offers coming and going at great speed, employees are likely to be venturing online during working hours to bag a bargain. That could easily result in a costly malware or ransomware infection.

The scams are not limited to the run up to Black Friday. Cyber Monday scams can be expected and as holiday season fast approaches, cybercriminals remain highly active. It’s a time of year when it pays to increase your spam protections, monitor your reports more carefully, and alert your employees to the threats. A warning email to employees about the risks of holiday season phishing scams and malicious websites could well help to prevent a costly data breach or malware infection.

Its also a time of year when a web filtering solution can pay dividends. Web filters prevent employees from visiting websites hosting exploit kits, phishing kits, and other known malicious sites. They can also be configured to block downloads of malicious files. A web filter is an important extra layer to add to your phishing defenses and protect against web-based attacks.

If you have yet to implement a web filter, now is the ideal time. TitanHQ is offering a free trial of WebTitan to let you see just how effective it I at blocking web-based threats. What’s more, you can implement the solution in a matter of minutes and get near instant protection from web-based phishing attacks and holiday season malware infections.

What is the Ideal Security Stack for MSPs?

According to research from Channel Futures, security is the fastest growing service for 73% of managed service providers (MSPs). If you have yet to start offering security services to your clients, you are missing out on a steady income stream that could really boost your profits. But where should you start? What services should you be offering? In this post we will be exploring the ideal security stack for MSPs and the essential services that should form the core of your security offering.

Why is Managed Security is so Important?

As an MSP, you should be aware of the importance of security. Companies are being targeted by cybercriminals and data breaches are occurring at an alarming rate. It is no longer a case of whether a business will be attacked, it is a case of when and how often.

Many SMBs do not have sufficiently skilled staff to handle IT and it is far easier, and often more cost effective, to outsource their IT to MSPs. The same is true for security, but even more so due to the difficulty finding sufficiently skilled cybersecurity staff. With so many positions available and a national shortage of cybersecurity staff, cybersecurity professionals can afford to pick and choose there they work. SMBs must ensure they are well protected against cyberattacks, so they look to MSPs to provide security-as-a-service either as a stop gap measure while they try to fill internal positions or so they can forget about security and let an MSP look after that side of the business.

If you are not providing security services to your clients, they will most likely search for another MSP that can protect their business from threats such as malware, ransomware, phishing, botnets, and prevent costly data breaches.

What do SMBs Want?

SMBs may be aware of the need for security, but they may not be so clued up about the solutions they need to protect them from cyber threats. You may need to explain to them exactly what they need and why. What is vital when explaining cybersecurity to SMBs is to emphasize the need for layered security. No single solution will provide protection against all threats and you will need to educate your clients about this.

Layered security is essential for protecting against ever increasing cybersecurity threats. No single solution will provide total protection. You need overlapping layers so that if one layer is bypassed, others are there to block the attack.

You should certainly be initiating conversations with your clients about security. Many SMBs only look for security services after they experience a costly data breach. By being proactive and approaching your clients and offering security services, you will not only have a much greater opportunity for increasing sales quickly, you will help them avoid a costly data breach and will not have to clear up the mess that such a breach causes.

What is the Ideal Security Stack for MSPs?

The best place to start is with a cybersecurity package that includes the core security services that all businesses need to protect them from a broad range of threats. Different packages can be offered based on the level of protection your clients need and their level of risk tolerance. Extra services can always be provided as add-ons.

There are four key security services you should be offering to your clients to give them enterprise-grade protection to secure their networks and protect against the main attack vectors. The ideal security stack for MSPs will differ from company to company, depending on the kind of clients that each MSP has. It may take some time to find the ideal security stack, but a good place to start is with core security services that every business will need.

Core Security Services for MSPs

  • Firewalls
  • Email security
  • DNS filtering
  • Endpoint security

Firewalls are essential for securing the network perimeter and separating trusted from untrusted networks. They will protect network resources and infrastructure against unauthorized access.  It may even be necessary to implement multiple firewalls.

Email security is essential as this is the most common attack vector. Without email security, malware and phishing emails will hit inboxes and employees’ security awareness will be regularly put to the test. The threat of email attacks cannot be understated.

Email security must be explained to clients to ensure they understand its importance and why standard email security such as that provided by Microsoft through Office 365 simply doesn’t cut in anymore. Too many threats bypass Office 365 defenses. A study by Avanan showed that 25% of phishing emails bypass Office 365 security and are delivered to inboxes.

DNS filtering is also a requirement to protect against web-based attacks such as malvertising, drive-by downloads, and exploit kits. Even the best email security solutions will not block all phishing threats. DNS filtering provides an additional layer of security to protect against phishing attacks. While email was once the primary method of delivering malware, now malware is most commonly delivered via web-based attacks. The average business user now encounters three malicious links per day and 80% of malware is downloaded via the internet. Further, with more and more employees spending at least some of the week working remotely, protection is needed for public Wi-Fi hotspots. DNS filtering provides that protection when they are off the network.

Endpoint security solutions add another layer to the security stack. If any of the above solutions fail and malware is downloaded, endpoint security solutions will provide extra protection. This can include basic protection such as antivirus software or more advanced solutions such as intrusion detection systems.

When choosing solutions for your security stack, it is important to make sure they work seamlessly together. This can be difficult if you purchase security solutions from a lot of different vendors.

Additional Services to Add to your Security Stack.

The above security services should form the core of your security offering, but there are many additional services you can easily provide to ensure your clients are better protected. These can be offered as addons or as part of more comprehensive security packages.

  • Data loss protection
  • Security helpdesk
  • Email archiving and backup services
  • Vulnerability scanning and patch management
  • Security policy management
  • Security information and event management (SIEM)
  • Incident response and remediation
  • Security awareness training and phishing email simulations

How TitanHQ Can Help

TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market. TitanHQ products are consistently rated highly by MSPs for the level of protection, ease of use, ease of admin, and the level of support provided.

The TitanHQ portfolio of cybersecurity products consists of three core solutions:

  • SpamTitan Email Security
  • WebTitan DNS Filtering
  • ArcTitan Email Archiving

Each of these solutions has a 100% cloud-based architecture and has been developed for MSPs to easily incorporate into their security stacks. TitanHQ offers seamless deployments and easy incorporation into MSP’s management portals via RESTful API.

The above solutions can be supplied with multiple hosting options. You can host with TitanHQ, on your existing infrastructure or in the cloud with AWS, Azure or any other system.

SMBs want to know they are protected, but many don’t care about what solutions are used. This gives you an opportunity to reinforce your brand. This is easily achieved with TitanHQ as the above solutions can be provided in white label form, ready for you to add your own branding. You can even customize the user interface and only include the features that you need to reduce complexity.

Need reports for your clients? No problem. TitanHQ has an extensive range of pre-configured reports that can be scheduled to ease your admin burden, including board-level reports with scope to create your own reports to meet you and your clients’ needs.

Other key features for MSPs include:

  • Multi-tenant dashboard
  • Automated policy management
  • Continuous monitoring
  • Full visibility of usage
  • Flexible, affordable, and transparent pricing with monthly billing
  • Set and forget solutions to ease the admin burden
  • World-class customer support included with all solutions
  • AD integration
  • Generous margins for MSPs
  • Excellent MSP program – TitanShield – with dedicated account managers, assigned sales engineers, scalable pre-sales and technical support, and sales and technical training

TitanHQ has made it as easy as possible for MSPs to start offering security services to their clients. These solutions will also help established security-as-a-service providers ease their management burden and improve their margins.

To find out more about the TitanShield program and for further information on any or all of TitanHQ’s security solutions for MSPs, get in touch with the channel team today. Product demonstrations can be arranged and free 14-day trials are available to allow you to see for yourself why TitanHQ is the leading provider of email and web security solutions for MSPs.

TitanHQ Announces Fall Schedule of Trade Shows and Conferences

Over the next three months, TitanHQ will be travelling throughout Europe and the United States to meet with managed services providers (MSPs) at some of the biggest trade shows serving the MSP community.

The trade shows and conferences bring together the best MSPs from around the world and gives them the opportunity to learn about new industry trends, best practices, and proven tactics for increasing growth. The shows provide a tremendous opportunity for networking and bring together MSPs and companies offering MSP-focused cybersecurity solutions.

For the past 20 years, TitanHQ has been developing cybersecurity solutions for MSPs and the SMBs marketplace. From humble beginnings, the company has grown into a leading provider of cloud-based email security, web security, and email archiving solutions for MSPs. TitanHQ products have now been adopted by more than 7,500 businesses and 2,000 MSPs around the globe.

TitanHQ products are much loved by MSPs as they have been developed specifically to meet their needs. The solutions are quick and easy to implement and maintain and they save MSPs a considerable amount of support and engineering time by blocking email and web-based cyberattacks at source.

At these MSP events you will be able to find out more about the benefits of cloud-based spam filtering and the importance of adding web filtering to your service stack. The TitanHQ team will be on hand to answer questions about the products and will explain how the solutions can be seamlessly integrated into your client management platforms and how they can make your life easier and improve your bottom line.

Come and Meet the TitanHQ Team at these fall MSP Trade Shows and Conferences

Date Event Location
September 17, 2019 Datto Dublin The Alex Hotel, Dublin, Ireland
September 18, 2019 MSH Summit 155 Bishopsgate, London, UK
October 6-10, 2019 Gitex Dubai World Trade Centre, Dubai, UAE
October 7-8, 2019 CompTIA EMEA Show Park Plaza Westminster Bridge,

London, UK

October 16-17, 2019 Canalys Cybersecurity Forum SOFIA Barcelona, Spain
October 21-23, 2019 DattoCon Paris Palais des Congrès de Paris, Paris, France
October 30, 2019 MSH Summit North Hilton Hotel, Manchester, UK
October 30, 2019 IT Nation Evolve (HTG 4) Hyatt Regency, Orlando, Florida, USA
October 30, 2019 IT Nation Connect Hyatt Regency, Orlando, Florida, USA
November 5-7, 2019 Kaseya Connect NH Collection Amsterdam Gran Hotel Krasnapolsky, Amsterdam, Netherlands

If you are planning on attending any of the above events this fall, be sure to come and visit the TitanHQ team to discuss your options and feel free to reach out in advance of the event to arrange a meeting.

Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
Eddie Monaghan, MSP Alliance Manager, LinkedIn
Marc Ludden, MSP Alliance Manager, LinkedIn

If you are unable to attend any of these exciting events, give the team a call for further product information, to book a product demonstration, or to sign up for a free trial of SpamTitan, WebTitan, and ArcTitan.

 

Exploit Kit Activity Triples in a Year – Is Your Business Protected?

Exploit kit activity may be at a fraction of the level of 2016 when peak activity was reached, but the threat has not gone away. In fact, the mid-year cybersecurity roundup from Trend Micro shows exploit kit activity is now triple the level of mid-2018. Websites hosting exploit kits still pose a significant threat to businesses.

Exploit kits are toolkits that contain exploits for vulnerabilities in popular software applications, such as Internet Explorer and Adobe Flash Player. When a user lands on a web page that hosts an exploit kit, it will scan the user’s browser for vulnerabilities. If an exploitable flaw is identified, malware is automatically downloaded and executed on the user’s device. In many cases, the downloading of a Trojan, ransomware, or other form of malware is not identified by the user.

Traffic is sent to exploit kits through malvertising – malicious advert – on high traffic websites. User’s can be directed to malicious websites through phishing emails, and it is also common for hackers to hijack high traffic websites and use them to host their exploit kit. That means users could visit a malicious website just through general web browsing.

There are several exploit kits currently in use such as Magnitude, Underminer, Fallout, Green Flash/Sundown, Rig, GrandSoft, and Lord. These exploit kits are pushing cryptocurrency miners and botnet loaders, although ransomware and banking Trojans are the most common payloads.

Many of the exploits used by these toolkits are for old vulnerabilities, but since businesses are often slow to apply patches, they still pose a major threat. Exploit kits such as GrandSoft and Rig are regularly updated and now host exploits for much more recently disclosed vulnerabilities.

One of the most recently identified campaigns has seen the threat actors behind Nemty ransomware team up with the operators of RIG to push their ransomware on businesses still using old, vulnerable versions of Internet Explorer.

A new exploit kit named Lord is being used to infect users with Eris ransomware. In this case, traffic is being directed to the exploit kit through malvertising on the PopCash ad network. The EK primarily uses exploits for flaws in Adobe Flash Player such as CVE-2018-15982.

Protecting against exploit kits is straightforward on paper. Businesses need to ensure that vulnerabilities are identified and patched promptly. If there are no vulnerabilities to exploit, no malware can be downloaded. Unfortunately, in practice things are not quite so simple. Many businesses are slow to patch or fail to apply patches on all devices in use.

Anti-spam software can help to reduce risk by blocking phishing emails containing links to exploit kits, but most of the traffic comes from search engines and malvertising, which anti-spam software will do nothing to block. To improve your defenses against exploit kits, drive-by downloads, and phishing websites, one of the best cybersecurity solutions to deploy is a DNS filtering solution.

A DNS filter allows businesses to carefully control the websites that employees can access when connected to the business’s wired and wireless networks. Controls can be set to block different types of web content such as gambling, gaming, and adult websites but crucially, the DNS filter also blocks all known malicious websites. DNS filters use blacklists of known malicious websites such as those hosting exploit kits or phishing forms. If a web site or web page is included in the blacklist, it will automatically be blocked.  Websites are also scanned in real time to identify malicious content.

Since all filtering takes place at the DNS level, access to malicious or undesirable content is blocked without any content being downloaded. Setting up the solution is also quick and easy, as it only requires a change to the DNS record to point it to the service provider. No hardware is required and there is no need to download any software.

If you want to improve your defenses against malware, ransomware, botnets, and phishing and are not yet controlling the web content that your employees can access, contact TitanHQ today and ask about WebTitan. Alternatively, sign up for a free trial of the solution by clicking the image below.

Ransomware Attacks on Businesses Have Doubled in 2019

The year 2018 saw a reduction in ransomware attacks on businesses as cybercriminals opted for alternative means to make money. Major ransomware attacks were still occurring, just at a slightly lower rate than in 2017.

Some reports were released that suggested ransomware was no longer such a massive threat as it was in 2016 and 2017, but the number of reported attacks in 2019 have shown that is definitely not the case. Any business that has not implemented defenses to protect against ransomware attacks could well be the next victim and have to pay millions to recover from an attack.

Make no mistake. Ransomware is one of the most dangerous threats faced by businesses. If ransomware is installed on the network, all files, including backups, could be encrypted. That could prove catastrophic, as one small Michigan medical practice discovered.

The two-doctor practice in Battle Creek, MI suffered an attack that resulted in the encryption of all patient data. A ransom demand was issued by the attackers, but as there was no guarantee that files could be recovered after the ransom was paid, the decision was taken not to pay up. The hackers then deleted all the encrypted files. Faced with having to rebuild the practice from scratch, the doctors decided to call it quits and took early retirement.

Ransomware attacks on healthcare providers are now being reported at an alarming rate and government entities, cities, and municipalities are being extensively targeted. The city of Baltimore suffered a major attack in May involving a ransomware variant called RobbinHood. The attack brought down the city’s servers and systems, causing major disruption across the city. A ransom of $6 million was paid for the keys to regain access to the encrypted files.

Two small cities in Florida also suffered major attacks. Lake City was forced to pay a ransom of $460,000 and Riviera Beach paid a ransom of $600,000, while Jackson County in Georgia paid $400,000 after its court system was attacked.

As the year has progressed, the attacks have increased. A report from Malwarebytes indicates there was a 195% increase in ransomware attacks in Q1, 2019. Figures from Kaspersky Lab show ransomware attacks almost doubled in Q2, 2019, with 46% more attacks reported than the corresponding period in 2018.

The increase in attacks means businesses need to be prepared and have the necessary security tools in place to make it difficult for the attacks to succeed.

There is no one cybersecurity solution that can be implemented to eliminate the threat of attack, as hackers are using a variety of methods to gain access to networks and download their malicious payloads. Layered defenses are key to repelling an attack.

Email is the primary method of delivering ransomware. All it takes if for a malicious email to arrive in an inbox and for an employee to be fooled into opening a malicious attachment or clicking on a hyperlink for ransomware to be installed. An advanced email filtering solution such as SpamTitan Cloud is therefore needed to block malicious emails and ensure they do not reach employees’ inboxes.

SpamTItan includes Domain-based Message Authentication, Reporting, and Conformance (DMARC) to block email impersonation attacks and a sandbox where suspicious attachments can be executed in safety and studied for malicious activity. Sandboxing is essential as it allows zero-day ransomware threats to be identified and blocked.

Not all attacks occur via email. Attacks over the Internet are also common. A web filtering solution should therefore be implemented to block these web-based attacks. A web filter will prevent employees from accessing known malicious sites where ransomware is automatically downloaded. With these two technical measures in place, businesses will be well protected from attacks. Along with security awareness training for staff and the adoption of good data backup practices, businesses can mount a strong defense against ransomware attacks.

Tax Professionals Targeted in IRS Tax Return Phishing Scam

Taxpayers and tax professionals are being targeted by scammers posing as the Internal Revenue Service (IRS). The goal of this new IRS tax return phishing scam is to deliver information-stealing malware. The malware harvests credentials that are used to gain access to and empty financial accounts.

The campaign uses at least two subject lines for the emails – “Electronic Tax Return Reminder” and “Automatic Income Tax Reminder.” The emails contain a hyperlink that directs the user to a website that closely resembles the IRS.gov website. The emails include a one-time password to use to login in to submit a claim for a tax refund.

When the user logs in to the site, they are told that they need to download a file in order to submit their refund. The file is actually keylogging malware which records keystrokes on an infected computer and sends a range of sensitive information to the attackers.

The IRS warning was issued after several taxpayers and tax professionals reported the phishing emails to the IRS. Efforts are ongoing to disrupt the campaign, but the IRS notes that dozens of compromised websites and malicious URLs are being used by the scammers. The IRS is contacting hosting companies to get the websites shut down, but the number of URLs being used makes this a major challenge. As soon as one URL is shut down, there are others to take its place.

The offer of a tax refund or a threat of legal action over tax issues prompts many people to click without first assessing the content of the message and the legitimacy of the request, which is what the scammers are banking on.

The advice of the IRS is never to click on any link in an unsolicited email claiming to be from the IRS. The IRS does not initiate contact with taxpayers by email, text message or social media channels, and no requests are sent for personal information.

The latest warning comes just a couple of months after the IRS and Security Summit partners issued a reminder that all professional tax preparers are required by law – The FTC Safeguards Rule – to implement a written information security plan to ensure the tax information of their clients is properly protected.

The reminder was issued as it had become clear that many tax professionals were unaware of their obligations to implement a security plan to protect client tax data.

There are several required elements of the information security plan:

  • Designate an employee or employees to coordinate the information security plan
  • Conduct a risk analysis to identify risks to the confidentiality of client data
  • Assess the effectiveness of current safeguards
  • Implement, monitor, and test the safeguards program
  • Only use service providers that can maintain appropriate safeguards and oversee the handling of client data
  • Evaluate and update the security program, as appropriate, in response to changes to business practices and operations

The requirements for the information security plan are flexible. For instance, tax preparers can choose the safeguards to implement based on their own circumstances and the findings of their risk analyses.

Two important safeguards that protect businesses from phishing and malware attacks are a spam filter and a web filter. The spam filter protects the email system by identifying and blocking malicious messages such as phishing emails and malspam (malicious spam email), while a web filter blocks web-based attacks and malware downloads. Both of these solutions are highly effective at blocking phishing and malware attacks yet are cheap to implement.

To find out more about how spam filters and web filters can protect your business and help you meet your legal responsibilities contact TitanHQ today.

Phishers Use Google Drive Links to Bypass Office 365 Anti-Phishing Controls

A new phishing campaign has been detected that uses Google Drive links to avoid detection by Office 365 Exchange Online Protection and ensure messages are delivered to inboxes.

The emails, reported through Cofense Intelligence, impersonated the CEO of the company who was attempting to share an important document. The document had been shared via Google Drive and came with the message, “Important message from – CEO.”

Google Drive allows files and collaboration requests to be easily sent to other individuals. The account holder chooses who to share a file with and the system generates an email alert containing a link to the shared file.

In this case, the name of the CEO was correct, but the email address used was different to the format used by the company. While this is a clear sign that the emails are not what they seem, some employees would likely be fooled by the message.

Importantly, the messages are not detected as malicious by EOP and are delivered to inboxes. A scan of the message would reveal nothing untoward, as the embedded URL is a legitimate shared link to a genuine cloud service operated by Google.

The shared document itself is not malicious, but it does link to another Google Docs document and a phishing URL. Any anti-phishing solution that only assesses the embedded hyperlink in the email to determine whether it is malicious would allow the email to be delivered. Only a deeper inspection would reveal the true nature of the URL.

If the link is visited by an end user, a fake login window is presented. If login credentials are entered, they are captured and stored on the attacker’s server.

This campaign highlights the importance of multi-layered anti-phishing defenses and the risks of relying on EOP to provide protection against phishing attacks.

An advanced spam filtering solution should be implemented on top of Office 365 to provide greater protection from phishing and other email-based attacks. This will ensure more sophisticated phishing attacks are blocked.

If a malicious message is delivered and a link is clicked, the connection to the malicious webpage could be blocked using a web filtering solution.

WebTitan is a DNS-based content filtering solution that serves as an additional layer in organization’s anti-phishing defenses.  Should an attempt be made by an employee to visit a malicious website or suspicious domain, the attempt would be blocked before any content is downloaded. WebTitan assesses each website when the DNS query is made. Malicious websites and those that violate an organization’s content control policies are blocked.

To find out more about how a DNS filter can improve your defenses against phishing attacks and malware downloads, contact TitanHQ today.

La Porte County Latest Victim in String of Ransomware Attacks on Municipalities

There has been a spate of ransomware attacks on cities, municipalities, mayor’s offices, and local government facilities in recent weeks.

The latest attack was on La Porte County in Indiana. The attack started on July 6, 2019, but prompt action by the IT department allowed the ransomware to be contained. That rapid response meant only 7% of the laptops used by the county were affected. However, two domain controllers were also affected and that rendered the network unavailable.

Experts were brought in to try to restore files from backups and bring the network back online, but those attempts failed as the backup servers had also been infected with the ransomware. La Porte County was left with no alternative other than to pay the ransom demand. The Bitcoin ransom equated to around $130,000, $100,000 of which was covered by an insurance policy.

This attack involved Ryuk ransomware – The same ransomware variant that was used in the attack on Lake City in Florida on June 10, 2019.  For Lake City, Ryuk ransomware was delivered by the Trickbot Trojan, which was in turn deployed by the Emotet Trojan. Lake City paid approximately $500,000 to the attackers to obtain the keys to unlock the encryption. Riviera Beach in Florida was also attacked and paid a ransom of around $600,000.

These are just three cases out of several recent attacks. Those three attacks alone have resulted in more than $1,200,000 being paid to cybercriminals. That sends a very clear message to other cybercriminals that these attacks can be extremely profitable. That is the reason the FBI advice is never to pay.

2018 saw a decline in ransomware attacks as cybercriminals pursued other strategies for attacking businesses, but ransomware is now certainly back in favor and is being used in an increasing number of attacks.

Something that several of the targets in the recent ransomware campaigns have in common is they are relatively small cities that have limited resources to devote to cybersecurity. They have hardware and software that has reached end of life and, due to limited funds, security gaps have started to appear.

Riviera Beach, for instance, is a city of 35,000 people with limited resources. It had recently undergone a period of turmoil in management, had suffered scandals, and during the upheaval its cybersecurity contract had been allowed to lapse. That left the door wide open to attack.

These attacks have proven incredibly costly, yet they could have been prevented with a very small spend on a select number of security solutions. The attacks on Rivera Beach and Lake City could have been prevented with an advanced email security solution such as SpamTitan. The ransomware was installed in both of these attacks as a result of employees opening malware-infected email attachments.

SpamTitan incorporates dual anti-virus engines to detect malicious software and a Bitdefender-powered sandbox for deep analysis of suspicious email attachments. SpamTitan incorporates DMARC email authentication to counter email impersonation attacks and a host of other anti-spam and anti-phishing controls.

SpamTitan can be deployed as a gateway solution on existing hardware or as a cloud-based solution, and can be easily layered on top of Office 365 to improve protection against phishing and ransomware attacks.

Further, the cost of protection against ransomware and phishing attacks is likely to be much lower than you think. For more information, contact TitanHQ today.


 

Monroe College Ransomware Attack: $2 Million Ransom Demand Issued

There has been a spate of ransomware attacks on cities and government agencies in recent months and the healthcare industry sees more than its fair share of attacks, but they are not the only industries being targeted.

Schools, colleges, and universities are prime targets for hackers and ransomware attacks are common. One recent attack stands out due to its scale and the massive ransom demand that was issued. The attackers demanded $2 million (170 BTC) for the keys to unlock the encryption.

Monroe College in New York City was attacked at 6:45am on Wednesday, July 10, 2019. The ransomware quickly spread throughout the network, shutting down the computer systems at its campuses in Manhattan, New Rochelle and St. Lucia and taking down the college website.

The college has switched to pen and paper and is finding workarounds to ensure students taking online courses receive their assignments. No mention has been made about whether files will be recovered from backups or if the ransom will need to be paid.

This is one of many recent ransomware attacks in the United States. Ransomware may have fallen out of favor with cybercriminals in 2018, but it now appears to be back in vogue and attacks are rising sharply. So too have the ransom demands.

$2 million is particularly high, but there have been several recent attacks involving ransom demands for hundreds of thousands of dollars. In several cases, the ransom has been paid.

Riviera Beach City in Florida was attacked and was forced to pay a $600,000 ransom to regain access to its files and bring its computer systems back online. Lake City in Florida also paid a sizeable ransom – $500,000. Jackson County was also attacked and paid a $400,000 ransom.

There have been several cases where ransoms have not been paid. The City of Atlanta was attacked and around $51,000 in Bitcoin was demanded. Atlanta refused to pay. Its cleanup bill has already reached $3 million. With such high costs it is clear to see why many choose to pay up.

In all of the above cases, the cost of implementing cybersecurity solutions to protect against the main attack vectors would have cost a tiny fraction of the cost of the ransom payment or the mitigation costs after an attack.

For less than $2 per employee, you can ensure that the email network is secured and you are well protected against web-based attacks. To find out more, call TitanHQ today.

Sodinokibi Ransomware Poised to Become New GandCrab

As one ransomware-as-a-service operation shuts down, another is vying to take its place.  Sodinokibi ransomware attacks are increasing and affiliates are trying to carve out their own niche in the ransomware-as-a-service operation.

Developing ransomware and staying one step ahead of security researchers is important, but what made the GandCrab operation so successful were the affiliates conducting the campaigns that generated the ransom payments. The GandCrab developers have now shut down their operation and that has left many affiliates looking for an alternative ransomware variant to push.

Sodinokibi ransomware could well fill the gap. Like GandCrab, the developers are offering their creation under the ransomware-as-a-service model. They already have a network of affiliates conducting campaigns, and attacks are on the increase.

As is the case with most ransomware-as-a-service operations, spam email is one of the most common methods of ransomware delivery. One Sodinokibi ransomware campaign has been detected that uses spoofed Booking.com notifications to lure recipients into opening a Word document and enabling macros. Doing so triggers the download and execution of the Sodinokibi payload.

Download websites are also being targeted. Access is gained the websites and legitimate software installers are replaced with ransomware installers. Managed Service Providers (MSPs) have also been targeted. The MSP attacks have exploited vulnerabilities in RDP to gain access to MSP management consoles.

Two cases have been reported where an MSP was compromised and malicious software was pushed to its clients through the client management console. In one case, the Webroot Management Console and the Kaseya VSA console in the other.

Recently, another attack method has been detected. Sodinokibi ransomware is being distributed through the RIG exploit kit. Malvertising campaigns are directing traffic to domains hosting RIG, which is loaded with exploits for several vulnerabilities.

With so many affiliates pushing Sodinokibi ransomware and the wide range of tactics being used, no single cybersecurity solution will provide full protection against attacks. The key to preventing attacks is defense in depth.

TitanHQ can help SMBs and MSPs secure the email and web channels and block the main attack vectors. Along with security awareness training and good cybersecurity best practices, it is possible to mount a formidable defense against ransomware, malware, and phishing attacks.

Web Filtering for MSPs (Part 2): Why WebTitan Cloud is the Best Web Filtering Service for MSPs

In our previous post we explained why managed service providers (MSPs) should be offering a web filtering service to their customers and the benefits that can be gained by customers and MSPs alike. In this post we explain what makes WebTitan Cloud the go-to web filtering solution for MSPs and why so many MSPs have chosen TitanHQ as their web filtering partner.

Why WebTitan Cloud is the Best Web Filter for MSPs

One problem MSPs face before they can start offering a web filtering service to their clients is how to incorporate the solution into their service stacks and their existing cloud offerings. While there are many providers of web filtering services, not all solutions have been developed with MSPs in mind. TitanHQ differs in that respect.

TitanHQ’s web filtering solution, WebTitan Cloud, has been developed specifically to meet the needs of MSPs and make it as easy as possible for the solution to be added to their existing cloud offerings. WebTitan Cloud seamlessly integrates within existing workflows regardless of whether MSPs self-host, use AWS, Azure, or other cloud platforms.

How Does WebTitan Cloud Integrate into MSPs Management Systems?

To make integration as easy as possible, TitanHQ uses RESTful API, which allows fast and risk-free integration into MSPs management systems. WebTitan Cloud uses the OAuth 1.0 protocol for authentication and has a full set of keys and secrets in the WebTitan Cloud user interface (UI). Once an MSP has signed up, no further registration or authentication is necessary. The API client provides the appropriate oauth_signature to authorize requests to protected resources.

Best Web Filtering Service for MSPs

 

Overly complex user interfaces are a problem with many cloud-based solutions. With WebTitan Cloud, the UI is made as clean and easy to use as possible. MSPs can remove all elements from the UI that are not required to keep the UI clean and simple. WebTitan Cloud can also be integrated into MSP cloud interfaces to create a better user experience and greater consistency for customers.

Having information at your fingertips is important when customers send in requests or when reports are required on web use and blocking. WebTitan Cloud allows MSPs to create and integrate a full suite of high-level system and customer reports into their own management consoles.

Onboarding new customers is also a quick and simple process, which can be integrated into current MSP on-boarding processes. New customer accounts can easily be created (or deleted) from within an MSP’s own UI, in addition to performing updates and listing all current customer accounts.

Onboarding customers with WebTitan Cloud

 

MSPs can connect to WebTitan Cloud to manage their customers settings, including locations, whitelists, and blacklists. Customers that would prefer to manage their own settings can perform a limited number of operations themselves using APIs. Since WebTitan Cloud is available in a full white label, customers who do access their own settings can be given a UI with MSP branding rather than TitanHQ’s to maintain consistency and help reinforce the MSPs brand.

TitanHQ also operates an extremely competitive pricing strategy with generous margins for MSPs and aligned monthly billing cycles through the TitanShield MSP Program.

Onboarding Customers with WebTitan Cloud APIs

WebTitan APIs for MSPs

The full set of APIs available to MSPs can be found on this link: https://apidoc.webtitancloud.com/

If you have yet to start offering web filtering to your clients as part of your service stack or if you are unhappy with your current provider’s product, contact TitanHQ today and as about becoming a member of the TitanShield MSP Program. Product demonstrations can also be scheduled on request.
 

Web Filtering for MSPs (Part 1): Why Web Filtering is so Important

A web filtering service allows Managed Service Providers (MSPs) to better protect their clients from accidental malware downloads and phishing attacks while improving their bottom lines. Further, by preventing phishing attacks and malware infections, they can reduce the amount of time they spend fighting fires. For busy MSPs, the latter will be especially beneficial.

Why is Web Filtering Important?

There are several reasons why MSP clients will benefit from a web filtering service. First and foremost, a web filter will help to prevent their customers’ employees from visiting phishing websites and malicious URLs. Most phishing attacks start with a phishing email, so a powerful spam filtering solution is essential. While commercial spam filters such as SpamTitan will block more than 99% of spam and phishing emails, additional protections are required to protect against the 1% that bypass spam defenses.

Naturally end user security awareness training will help in this regard, but as the 2018 Verizon Data Breach Investigations Report shows, 30% of delivered phishing messages are opened by end users and 12% of those users also click on malicious links in the messages.

A web filter is an additional layer of anti-phishing and anti-malware defenses that kicks in when malicious links are clicked and when end users attempt to visit other malicious sites while browsing the Internet. With a web filter in place, when an employee attempts to access a malicious web page, that attempt will be blocked before any content is downloaded. Instead of displaying the web page, a block page will be displayed.

Web filters also allow companies to carefully control the types of content their employees can access. This allows them to enforce acceptable internet usage policies with ease. Employers can prevent their employees from accessing NSFW content such as pornography, illegal content and, if tighter controls are required to improve productivity, other categories of web content such as dating sites, social media networks, gambling sites, and gaming sites.

With a web filter in place, security and productivity can both be quickly improved and the gains in both of those areas is likely to more than pay for the cost of the web filtering package provided by their MSP.

Cloud Based Web Filtering Solutions for MSPs

Convincing customers to implement a web filtering solution should be straightforward given the number of phishing attacks that are now being conducted and the cost of mitigating phishing attacks and malware infections. The cost of web filtering is tiny by comparison.

For MSPs, cloud-based filtering solutions are the natural choice. They can be implemented in minutes once a customer request has been received, no hardware is required, there is no software to install, and patching is handled by the service provider. All that is required from the MSP is a brief set up and configuration for each customer and ongoing management and reporting.

Web Filtering for MSPs

However, not all cloud-based web filtering solutions make set up, management and reporting simple. WebTitan Cloud differs in this respect. Not only does the solution offer excellent protection, the solution has been developed specifically with MSPs in mind. The ease of integration into MSP’s back-end systems and management has made WebTitan Cloud the go-to web filtering solution for MSPs.

In our next post we will explain how WebTitan Cloud differs from other web filtering solutions, why it is the easiest solution for MSPs to integrate into their existing cloud offerings, and how TitanHQ makes getting started, provisioning new customers, and managing customer accounts a quick and easy process requiring the minimal management overhead.

Click here for Web Filtering for MSPs (Part 2)
 

Fake Game of Thrones Video Files Embedded with Malware

For many people, Game of Thrones Season 8 is the TV highlight of the past 12 months, but not all fans of the series are keen to pay for the channel to watch the latest installments of this hugely popular series.

Some fans are turning to P2P file sharing sites to download the latest episodes, but hackers are ready and waiting. Many illegal video files of Game of Thrones episodes have been embedded with malware, most commonly adware and Trojans.

Research from Kaspersky Lab revealed Trojans to be the most common form of malware to be embedded in rogue video files. A third of all fake TV show downloads that have been impregnated with malware include a Trojan.

When one of these infected files is opened after it has been downloaded, the Trojan is launched and silently runs in the background on the infected device.

Many of the Trojans embedded into video files are brand new. These zero-day malware variants are not detected by traditional AV solutions as their signatures are not present in malware definition lists. That means malware infections are likely to go undetected. When signatures are updated, the malware may continue to run until a full system scan is completed. Either way, during the time that the malware is active it could be collecting a range of sensitive data including usernames and passwords.

Malware can also be installed that gives the attacker access to an infected device and the ability to run commands, change programs, download further malware variants, and add the infected device to a botnet.

File sharing websites offer an easy way of distributing malware. Users of the platforms voluntarily download the files onto their computers. However, only a small percentage of internet users visit P2P file sharing sites. Hackers therefore have turned to other methods to get users to execute their infected video files.

Prior to the release date of Game of Thrones Season 8, offers of free access to the TV show were being distributed via email. Campaigns were also detected offering episodes in advance of the release date to tempt GOT fans into installing malicious software or visiting malicious websites.

It is no surprise that fake Game of Thrones video files have been embedded with malware, given the huge popularity of the show. However, Game of Thrones fans are not the only people targeted using this tactic of malware distribution. In the past few months, malware has been detected in fake videos files claiming to be the latest episodes of the Walking Dead, Suits, and the Vikings to name but a few.

Some people feel the risk of a malware infection from downloading pirated video files to be low, or they do not even consider the risks. That is bad news for businesses. When employees ignore the risks and download illegal files at work, they risk infecting their network with malware.

The easiest solution to prevent illegal downloads at work and the visiting of other malicious websites is to use a web filtering solution. A web filter – WebTitan for instance – can be configured to prevent users from accessing file sharing and torrents websites. WebTitan uses a continuous stream of ActiveWeb URLs from over 550 million end users, which provides important threat intelligence to TitanHQ’s machine learning technology. This allows new, malicious URLs to be identified, and users are then prevented from visiting those malicious URLs.

Blocking email attacks is simple with SpamTitan. SpamTitan blocks 99.97% of spam emails to prevent malicious messages from reaching end users, including messages offering free access to Game of Thrones and other TV shows. In addition to dual AV engines to protect against known malware, SpamTitan also now has a sandboxing feature. Suspicious attachments can be safely executed and analyzed in the sandbox to identify potentially malicious actions. The sandboxing feature provides superior protection against zero-day malware which AV software does not block.

With both of these solutions in place, businesses will be well protected against malware, ransomware, botnets, viruses, and phishing attacks.

Each solution is available with a range of different deployment options to suit the needs of all businesses. For a product demonstration and further information, contact the TitanHQ team today.

G2 Crowd Report Names SpamTitan Leading Secure Email Gateway Solution

G2 Crowd, a peer-to-peer review platform trusted by millions of businesses, has named SpamTitan the leading email security gateway solution in its Spring G2 Crowd Grid Report for Email Security Gateways.

TitanHQ’s SpamTitan email security gateway solution was named the leader in the category of secure email gateway performance

SpamTitan was assessed along with other popular email security solutions from big name companies such as Cisco, Barracuda, Proofpoint, Mimecast, and SolarWinds, but took top spot thanks to consistently high ratings for all key metrics assessed for the report.

The G2 Crowd platform allows businesses to find out important information about software solutions that is not often included in the product spiel offered by software providers: What the solutions are actually like to use and whether they match up to expectations. The platform is trusted by businesses thanks to its honest reviews from genuine customers. The company was formed in 2012 and now attracts more than 1.5 million visitors a month to its website.

For the report, each product was assessed based on market presence and four areas of customer satisfaction:  Quality of support, ease of use, meets requirements, and ease of administration. SpamTitan scored highly in all four categories, outperforming all other solutions for customer satisfaction and market presence.

SpamTitan ranked highest for meeting requirements and quality of support, achieving a score of 94% in both categories. The average for all 10 email security gateways was 88% and 84% respectively.  SpamTitan achieved a score of 92% for ease of use and 90% for ease of administration. The average for all products in these areas was 82% and 83% respectively.

It was clear from the report that TitanHQ customers were extremely happy with the products and service provided by TitanHQ. The user reviews praised SpamTitan for many aspects of the product, two examples of which have been listed below.

“SpamTitan has some of the best filtering we’ve seen compared to other products, it does an excellent job when configured right of capturing a high volume of spam. It’s relatively simple to get around and set it up, and runs in a very lightweight VMware appliance.”

“The degree of customization and logging is amazing. You can account for everything going in or out of your organization and set filtering rules to match any scenario. Performance of the web UI and functions like searching and reporting are lightning quick.

G2 Crowd also released a Spring G2 Crowd Grid Report for Secure Web Gateways and TitanHQ’s WebTitan solution was rated a high performer, achieving a customer satisfaction score of 94% against an average of 87% across all 10 solutions under assessment.

If you are unhappy with your current email or web security gateway product or you have yet to implement one of these important cybersecurity solutions, contact TitanHQ today to arrange a product demonstration. The full versions of both solutions are available on a free trial to allow you to see for yourself how effective they are and how easy they are to use.

If you have any questions about either product, contact the TitanHQ today to have your questions answered.

MSPs Targeted as Hackers Realize Potential for Profit in Supply Chain Attacks

Supply chain attacks allow cybercriminals to attack businesses through weak links in the supply network. Smaller companies are attacked, which gives hackers access to larger and better secured businesses: Businesses that would be harder to attack directly.

This attack method was used to spread NotPetya malware in Ukraine. A software supply company was breached which allowed the malware to be spread to the software supplier’s clients. The massive data breach at Target in 2014 was made possible by first attacking an HVAC system provider. The attack allowed hackers to install malware on the Target’s POS system and obtain the credit card numbers of millions of its customers. According to Symantec, supply chain attacks doubled in 2018.

There are many different types of supply chain attacks, but all serve a similar purpose. By attacking one company it is then possible to attack a bigger fish, or in the case of attacks on cloud service providers and managed service providers, a single attack will give a hacker access to the networks of all MSP clients.

Large businesses often have the budgets to hire their own IT and security staff and can implement robust defenses to prevent attacks. Smaller businesses often struggle to recruit security professionals as they are in high demand. With the shortage of skilled cybersecurity staff and an inability to pay the large salaries that skilled cybersecurity professionals demand, SMBs often turn to MSPs to provide those services.

In order to be able to provide those services, managed service providers are given remote access to their client’s networks. Many of the tasks that need to be performed by MSPs require administrative privileges. Managed service providers also hold login credentials to their clients’ routers and cloud accounts. All of those credentials are extremely valuable to hackers.

Given the typical number of clients each MSP has, a successful attack on an MSP could prove very profitable for a hacker. It is therefore no surprise that there has been an increase in cyberattacks on MSPs and CSPs.

While MSPs are usually good at securing their clients’ networks and ensuring they are well protected, they also need to ensure their own house is in order. Patches must be applied promptly, vulnerabilities must be addressed, and security solutions must be put in place to protect MSPs systems.

MSP staff should be security aware, but when they are busy resolving their clients’ problems, mistakes can easily be made such as responding to a well-crafted spear phishing email. All it takes is for one MSP employee to respond to such an email for a hacker to gain a foothold in the network.

Naturally, security awareness training should be provided to all MSP employees and security solutions need to be deployed to protect against email and web-based attacks.

This is an area where TitanHQ can help. TitanHQ’s anti-spam solution, SpamTitan, offers advanced protection against phishing and spear phishing attacks. A recent update has also seen DMARC email authentication and sandboxing features added to better protect users from phishing and malware attacks.

TitanHQ’s DNS-based content filtering solution further enhances protection against phishing attacks and prevents MSP employees from visiting malicious websites. Being DNS-based, malicious websites are blocked before any content can be downloaded.

In addition to helping MSPs protect their own networks, both solutions are ideal for MSPs to offer to their SMB clients and have been developed to perfectly meet the requirements of MSPs.

If you are an MSP and you have yet to implement a web filter or you are looking for an advanced spam filtering solution for you or your clients, give the MSP team at TitanHQ a call today to find out more about both solutions and how they can protect your business and better protect your clients.
 

Webinar: New SpamTitan DMARC and Sandboxing Features Explained

Traditional email security solutions are effective at keeping inboxes free from spam email, but many fall short when it comes to blocking phishing and spear phishing attacks. Cybercriminals are conducting ever more sophisticated campaigns that manage to bypass traditional email security defenses by impersonating legitimate companies and spoofing their domains.

In addition to phishing attacks that attempt to obtain sensitive information, email is often used to spread malware, ransomware and botnets. Traditional anti-virus solutions are effective at blocking known malware threats, but signature-based AV solutions are not effective at blocking never-before-seen malware variants.

Today, new malware variants are being released at record pace. To block these zero-day malware attacks, an advanced email security solution is required which does not rely on signatures to identify malicious file attachments.

SpamTitan was already a powerful email security solution for SMBs and MSPs serving the SMB market and was capable of blocking sophisticated phishing emails and new malware threats. However, new features have now been added that improve detection rates further still and provide superior protection against zero-day malware and phishing attacks that spoof legitimate domains.

TitanHQ has updated SpamTitan to include a DMARC email authentication feature which is capable of detecting and blocking spoofed emails to better protect users from sophisticated phishing attacks.

To better protect against malware, ransomware, botnets, and zero-day attacks, TitanHQ has incorporated a new Bitdefender-powered sandboxing feature into SpamTitan. Email attachments that pass standard checks are safely detonated in the sandbox and are analyzed for malicious activity. The sandboxing feature provides an additional layer of security and greatly enhances protection against malicious attachments. This feature also helps to ensure that more legitimate emails and attachments are delivered to end users.

To explain how these new features work and the benefits to users, TitanHQ is running a webinar. In the webinar, TitanHQ will cover the new features in detail and will explain how SpamTitan can protect against the full range of email-based threats.

Webinar Information:

 Date:     Thursday, April 4, 2019

Time:    12pm, EST

The webinar will last 30 minutes and advance registration is necessary.

You register for the webinar here

Cybersecurity Protections for SMBs Found to Be Lacking

A new report has confirmed the need for robust, multi-layered cybersecurity protections for SMBs to prevent successful cyberattacks. SMBs are increasingly being targeted by cybercriminals as security is often weak and attacks are easy to pull off.

While large corporations are an attractive target for cybercriminals, large corporations tend to have mature cybersecurity programs and they are usually very well protected. A successful attack could prove extremely profitable but breaking through the cybersecurity defenses of large corporations is difficult and attacks can be extremely time consuming and labor intensive.

Cybercriminals often choose the path of least resistance, even though the potential for profit may not be so high. Cyberattacks on SMBs are much easier and hackers are concentrating their efforts on SMB targets. This was clearly demonstrated in the latest cybersecurity report from Beazley Breach Response (BBR) Services.

BBR Services analyzed all of the data breaches that it investigated in 2018. 9% of the successful attacks involved ransomware and 71% of those ransomware attacks were on SMBs. The healthcare industry suffered the highest number of ransomware attacks, and accounted for one third of successful attacks. Companies in the professional and financial services sectors accounted for 12% of ransomware attacks each, followed by the retail industry with 8% of attacks.

The costs of those ransomware attacks can be considerable. If companies are unable to recover data from backups, a sizable ransom must be paid to recover encrypted data. In 2018, the average ransom demand was $116,400 and the median ransom demand was $10,310. One client was issued a ransom demand of $8.5 million. The highest ransom demand paid was $935,000.

Massive demands for payment for the keys to unlock encrypted files may not be the norm, but even at the lower end of the spectrum SMBs may struggle to find the money to pay. The ransom demand is also likely to be considerably higher than the cost of cybersecurity protections for SMBs to prevent ransomware attacks.

One of the main ways that hackers gain access to the networks of SMBs is by exploiting flaws in Remote Desktop Protocol. SMBs that leave RDP ports open are at a much higher risk of being attacked. RDP is required by many SMBs because they outsource IT to managed service providers, which need to use RDP to access their systems. In such cases it is essential for default RDP ports to be changed and for very strong passwords to be implemented to reduce the risk of brute force attacks succeeding.

There was also an increase in sextortion scams in 2018. These scams attempt to extort money by threatening to expose victims’ use of adult websites. While these scams usually contain empty threats, they are often successful. In addition to attempting to extort money, the scams are used to install malware or ransomware.  Email attachments are sent which claim to contain videos of the victim accessing adult websites, which the scammers claim to have been recorded using the computer’s webcam. When the files are opened to be checked, malware or ransomware is installed.

2018 also saw a 133% increase in Business Email Compromise attacks. These attacks spoof the email address of a senior executive to make the emails and requests seem more plausible. These scams are usually conducted to obtain sensitive information or to get employees to make fraudulent wire transfers. BEC attacks accounted for 24% of all breaches investigated by BBR Services in 2018.

One of the most important cybersecurity protections for SMBs to implement to prevent these attacks is an advanced email filtering solution – One that is capable of detecting spoofed emails. SpamTitan, TitanHQ’s cloud-based spam filtering solution, has recently been updated to include DMARC authentication to detect email impersonation attacks such as BEC scams. The solution also now includes a new sandboxing feature that allows potentially malicious attachments to be analyzed in detail in the sandbox where no harm can be caused. This helps to identify more malicious attachments and better protect SMBs from zero-day malware and other malicious files.

TitanHQ’s powerful cybersecurity protections for SMBs can greatly improve email security and block a wide range of web-based attacks. For further information on effective cybersecurity protections for SMBs to deploy to improve security posture and block costly attacks, contact TitanHQ today.

SpamTitan Email Security Now Includes Sandboxing and DMARC Authentication

TitanHQ has announced its award-winning anti-spam solution, SpamTitan, has been updated and now has two powerful new features to better protect users from phishing, spear phishing, malware, ransomware, botnets, and APT threats.

SpamTitan has long been the go-to solution for SMBs to improve email security and the solution is popular with managed service providers serving the SMB market. SpamTitan is quick and easy to install, simple to use, and provides excellent protection against a wide range of email threats.

As email threats have become more sophisticated and zero-day attacks and new malware variants have skyrocketed, new features are needed to keep end users protected.

To maintain pace and better protect SpamTitan users, two important new features have now been rolled out with the latest release of SpamTitan: Sandboxing and DMARC authentication.

Sandboxing Feature Added to SpamTitan Product Suite

Blocking known threats is one thing, but detecting and blocking brand new threats that evade AV solutions is another matter, yet businesses need protection from these zero-day threats as well. SpamTitan already incorporates a range of mechanisms to detect these new threats but the latest feature takes protection to the next level.

SpamTitan now incorporates a new next-gen sandboxing feature. The Bitfedender-powered sandbox is a virtual environment that is totally separate from other systems. When an email is sent to a SpamTitan user, the message will be subjected to a range of checks to determine whether it is genuine, benign, and should be delivered or if it is malicious and needs to be rejected. If the message contains a suspicious attachment that is not picked up as a threat from those checks, it is sent to the sandbox.

The SpamTitan sandbox service has been designed to appear as a normal endpoint. Malicious files are opened or executed in the sandbox and any malicious code is run as it would on a standard machine. Its actions are logged and subjected to an in-depth analysis, including its self-protection mechanisms and attempts to evade detection. All actions are then assessed by advanced machine learning algorithms and the results of the analysis are then checked against a wide range of online repositories.

Opening potentially malicious files on an endpoint is dangerous, but in the isolated sandbox all risks are eliminated. Once the analysis is complete, which takes just a few minutes, if the file is determined to be benign it will be released and can be delivered to the end user. If it is malicious, the sandbox solution will automatically report the file to Bitdefender’s cloud threat intelligence service. That threat will then be blocked for all SpamTitan users, so the file will not need to be analyzed again.

This new feature greatly increases detection of elusive threats, provides end users with even greater protection, and it also helps to ensure that more genuine messages are delivered.

Businesses that want sandboxing technology usually need to purchase a separate solution. With SpamTitan, advanced emulation-based malware analysis is provided free of charge.

DMARC Email Authentication Now Included in SpamTitan

Email impersonation attacks are a major threat. They abuse trust in a known contact, company, or government organization to fool end users into taking a specific action – disclosing sensitive information, installing malware, or visiting a phishing webpage, for instance.

While SpamTitan already incorporates several mechanisms to identify email impersonation attacks, DMARC authentication has now been added to block even more threats. DMARC is a powerful tool for identifying the true sender of an email to determine if that individual is authorized to use a particular domain.

Detailed checks of the email header are performed and the sender is checked against DMARC records. If the checks are passed, the message can be delivered. If DMARC authentication fails, the message is rejected.

The new anti-spoofing feature protects SMBs and MSPs against data loss, date breaches, zero-day threats, and highly sophisticated email threats, while the sandboxing feature protects against malware, advanced persistent threats (APTs), malicious URLs, and offers insight into new threats to help mitigate risks.

Both of these features have been made available to current and new TitanHQ customers at no extra charge.

Easy Ways to Improve Cybersecurity in K-12 Schools

The poor state of cybersecurity in K-12 schools is making it too easy for criminals to conduct cyberattacks. As 2018 figures show, attacks are coming thick and fast. Action is needed to shore up security and keep cybercriminals at bay.

2018 Cyberattacks on K-12 Schools

Education has long been one of industries most commonly targeted by cybercriminals and 2018 was no exception. Last year there were several major cyberattacks on K12 schools that resulted in data theft and huge financial losses.

The 2018 State of K-12 Cybersecurity report from the K12 Cybersecurity Resource Center revealed 122 cyberattacks on K-12 schools were reported in 2018. 119 public K-12 education agencies in 38 states reported attacks. 60% of those cyberattacks resulted in the personal data of students being compromised.

North Dakota schools were hit particularly hard. In February 2018, one third of schools in the state experienced malware attacks. In many cases, the malware infections were the result of staff and students clicking on links in emails, visiting malicious websites, or opening malware-laced email attachments.

The 2019 State of Malware report from Malwarebytes reveals that in 2018, education was the number one industry targeted with Trojans and was second for ransomware attacks. Business email compromise scams are also common and many K12 school districts suffered W-2 phishing attacks and were fooled into sending scammers copies of employees’ tax information.

There have also been several successful email scams that have resulted in staff being fooled into making fraudulent transfers of school funds to criminals’ accounts. A school district in Texas was scammed out of $2 million in construction funds as a result of a phishing attack that fooled a staff member into making payments to fraudulent accounts. The high number of these types of scams prompted the FBI to issue a warning to schools in September 2018 about phishing scams that attempt to steal employees’ credentials.

K-12 schools are an attractive target for cybercriminals because attacks are relatively easy and the potential rewards are high. Student information sells for big bucks on the black market. Personal information along with Social Security numbers can be used for identity theft. It typically takes longer for identity theft to be detected with minors. If student data are stolen, thieves can rack up huge debts in students’ names over the course of several years before fraud is detected.

The State of Cybersecurity in K-12 Schools

Even though the risk of cyberattacks is high, many school leaders fail to appreciate the seriousness of the problem and how even simple changes to improve cybersecurity in K-12 schools can prevent most cyberattacks.

A Consortium for School Networking/Education Week Research Center survey in late 2017 showed that only 48% of school leaders considered the threat from phishing to be significant or very significant, with the numbers falling to under 30% for malware and ransomware attacks. Only 15% of K-12 schools have implemented a cybersecurity plan, just 29% have purchased cybersecurity products and services, and 31% had not provided end-user training.

The high value of student data, the opportunity to conduct multiple types of fraud, and poor cybersecurity defenses is a winning combination for cybercriminals. Unfortunately, there is no single solution that can be implemented to improve cybersecurity and prevent costly cyberattacks and data breaches. What is needed is an effective cybersecurity plan, policies and procedures, training, and technology.

How to Improve Cybersecurity in K-12 Schools

School budgets are usually stretched so it can be difficult to find the funds to improve cybersecurity in K-12 schools. It is therefore important to choose cybersecurity solutions wisely and select products that provide protection against the most common methods used by cybercriminals to attack schools.

Many of the attacks start with a single phishing email. It is therefore critical for K12 schools to improve email security, and for that, an advanced spam filtering solution is essential. SpamTitan blocks more than 99.9% of spam and phishing emails and is an ideal, low-cost, easy-to-implement spam filtering solution for K12 schools.

A web filtering solution is also an important cybersecurity measure. In addition to blocking students’ access to obscene content, as required for CIPA compliance, web filters can prevent users from visiting phishing websites and will block ransomware and malware downloads. The cost of a web filter can be partially offset by discounts obtained through the E-rate program.

End user training is also important. K12 schools need to include cybersecurity awareness training as part of their staff development program. Rather than providing a one-off or annual training session, training needs to be conducted regularly to keep staff up to speed on the latest threats.

Doing nothing to improve cybersecurity in K-12 schools is now simply not an option. If costly cyberattacks are to be avoided, is not improved, cybersecurity in K-12 schools must be improved.

If you want to find out more about email and web security and just how affordable these solutions can be for schools, contact the TitanHQ team today.
 

Innovative Phishing Campaign Uses Google Translate to Serve Phishing Web Pages

A phishing campaign has been detected that uses Google Translate to make phishing web pages appear legitimate when visited through mobile browsers. The novel tactic makes it harder for end users to see that the website they have been directed to is not an official website.

The phishing attack starts with an email that indicates the user’s password has been used to access their Google account from an unfamiliar device. Many users will be familiar with these messages. They are generated when a user logs into their own account using a different device or from an unfamiliar location. The messages are also triggered when a user attempts to login to their account using a VPN that has previously not been used to access the account.

In this campaign, the standard Google Security Alert has been copied exactly and includes the Google logo, standard formatting, and text that users will be familiar with. The message tells the user to click on a link – A button below the warning message – to visit their account to review the activity and take action to secure their account.

If the user is on a desktop or laptop, they will be directed to a standard phishing page which has a copy of the Google login window. It should be apparent that the user is not on the legitimate Google site as the URL clearly nothing to do with Google although end users do not always check the URLs carefully, especially when there is an urgent reason for visiting a website such as a security alert.

If the user has opened the email on a mobile device and clicks the hyperlink button, the URL displayed in the browser will be different and they are much ore likely to be fooled. The phishing webpage uses Google Translate to display a URL containing a random string of characters, but crucially, the visible part of the URL displayed in the browser starts with translate.googleusercontent.com/translate_

The URL does contain the web page which the user is on, which is a page on mediacity.co.in that clearly has nothing to do with Google, but it is detailed much later in the URL so will not be displayed to the user unless they click the address bar to check the web page. Many users will not do that since the visible part of the URL appears to be a genuine Google page.

The Google login portal that is served is an old version, but it is likely to fool many users. If Google credentials are entered in the login box, JavaScript on the web page generates an email containing the user’s login credentials and sends them to the scammer.  The user is then redirected to a further phishing web page where their Facebook login credentials are requested. This login box is a clone of the login box used by Facebook on the mobile login portal and is similarly an old version. If login credentials are entered, they are sent to the scammer via email as well. The user is then directed to a Facebook page set up by the attacker.

While the phishing campaign is unlikely to work on desktops or laptops, many mobile users will likely be fooled by the scam and will provide their Google credentials. They may not fall for the Facebook login request, as being redirected to Facebook from Google is odd, but by that time the attacker will have full access to the user’s Google account. Google accounts can contain a wealth of sensitive data and can be used for further phishing attacks on the user’s contacts.

Security awareness training will help to prevent employees from falling for phishing scams such as this. By conditioning employees to always check the sender of a message before taking any action, and to always take the time to carefully check the full URL of a website before disclosing any sensitive information, scams like this can be easily identified. Even with security awareness training, employees make mistakes. To improve protection against phishing attacks, businesses should deploy an advanced spam filter to prevent malicious messages from being delivered to corporate inboxes. A web filter is also strongly recommended. A cloud-based web filter can prevent users from accessing phishing web pages, even when they are not onsite and are using mobile devices remotely.

For further information on spam filtering and web filtering for businesses, contact the TitanHQ team today and ask about SpamTitan and WebTitan: TitanHQ’s leading spam filtering and web filtering solutions for businesses.

Malvertising Campaign Delivers New Vidar Information Stealer and GandCrab Ransomware

A malvertising campaign has been detected that delivers two forms of malware: The new, previously unknown Vidar information stealer and subsequently, the latest version of GandCrab ransomware.

The packaging of multiple malware variants is nothing new of course, but it has become increasingly common for ransomware to be paired with information stealers. RAA ransomware has been paired with the Pony stealer, njRAT and Lime ransomware were used together, and Reveton ransomware is used in conjunction with password stealers.

These double-whammy attacks help threat actors increase profits. Not everyone pays a ransom, so infecting them with an information stealer can make all infections profitable. In many cases, information can be obtained and sold on or misused and a ransom payment can also be obtained.

The latest campaign uses the Vidar information stealer to steal sensitive information from a victim’s device. The Vidar information stealer is used to obtain system information, documents, browser histories, cookies, and coins from cryptocurrency wallets. Vidar can also obtain data from 2FA software, intercept text messages, take screenshots, and steal passwords and credit/debit card information stored in browsers. The information is then packaged into a zip file and sent back to the attackers’ C2 server.

The Vidar information stealer is customizable and allows threat actors to specify the types of data they are interested in. It can be purchased on darknet sites for around $700 and is supplied with an easy to use interface that allows the attacker to keep track of victims, identify those of most interest, find out the types of data extracted, and send further commands.

Vidar also acts as a malware dropper and has been used to deliver GandCrab ransomware v5.04 – The latest version of the ransomware for which no free decryptor exists.

While many ransomware variants are delivered via spam email or are installed after access to systems is gained using brute force tactics on RDP, this campaign delivers the malicious payload through malvertising that directs traffic to a websites hosting the Fallout or GrandSoft exploit kits. Those EKs exploits unpatched vulnerabilities in Internet Explorer and Flash Player. The campaign targets users of P2P file sharing sites and streaming sites that attract large amounts of traffic.

Infection with the Vidar information stealer may go undetected. New malware variants such as this may be installed before AV software malware signatures are updated, by which time highly sensitive information may have been stolen, sold on, and misused. If GandCrab ransomware executes, files will be permanently encrypted unless a ransom is paid or files can be recovered from backups.

Businesses can protect against attacks such as these by ensuring that all operating systems and software are promptly patched. Drive-by downloads will not occur if the exploits for vulnerabilities used by the exploit kit are not present.

An additional, important protection is a web filter. Web filters prevent users from visiting websites known to host exploit kits and also sites that commonly host malicious adverts – torrents sites for instance. By carefully controlling the sites that employees can access, businesses can add an extra layer of protection while avoiding legal liability from illegal file downloads and improving productivity by blocking access to non-work-related websites.

For further information on web filters for businesses and MSPs, contact the TitanHQ team today.
 

2018 Has Seen a 4,000% Increase in Cryptocurrency Mining Malware

New figures released by anti-virus firms McAfee and Symantec have shown the extent to which hackers are using cryptocurrency mining malware in attacks on consumers and businesses.

Cryptocurrency mining malware hijacks system resources and uses the processing power of infected computers to mine cryptocurrencies – Validating transactions so they can be added to the blockchain public ledger. This is achieved by solving difficult computational problems. The first person to solve the problem is rewarded with a small payment.

For cryptocurrency mining to be profitable, a lot of processing power is required. Using one computer for mining cryptocurrency will generate a few cents to a few dollars a day; however, hackers who infect thousands of computers and use them for cryptocurrency mining can generate significant profits for little work.

The use of cryptocurrency mining malware has increased considerably since Q4, 2017 when the value of Bitcoin and other cryptocurrencies started to soar. The popularity of cryptocurrency mining malware has continued to grow steadily in 2018. Figures from McAfee suggest cryptocurrency mining malware has grown by 4,000% in 2018.

McAfee identified 500,000 new coin mining malware in the final quarter of 2017. In the final quarter of 2018, the figure had increased to 4 million. Figures from Symantec similarly show the scale of the problem. In July 2018, Symantec blocked 5 million cryptojacking events. In December, the firm blocked 8 million.

There are many different ways of infecting end users. Hackers are exploiting unpatched vulnerabilities to silently download the malware. They package coin mining malware with legitimate software, such as the open-source media player Kodi, and upload the software to unofficial repositories.

One of the easiest and most common ways of installing the malware is through email. Spam emails are sent containing a hyperlink which directs users to a website where the malware is silently downloaded. Links are similarly distributed through messaging platforms such as Slack, Discord, and Telegram. One campaign using these messaging platforms included links to a site that offered software that claimed to fix coin mining malware infections. Running the fake software installer executed code on the computer which silently downloaded the malware payload.

Unlike ransomware, which causes immediate disruption, the presence of cryptocurrency mining malware may not be noticed for some time. Computers infected with coin mining malware will slow down considerably. There will be increased energy usage, batteries on portable devices will be quickly drained, and some devices may overheat. Permanent damage to computers is a possibility.

The slowdown of computers can have a major impact for businesses and can result in a significant drop in productivity if large numbers of devices are infected. Businesses that have transitioned to cloud computing that are charged for CPU usage can see their cloud bills soar.

Anti-virus software can detect known coin mining malware, but new malware variants will be unlikely to be detected. With so many new malware variants now being released, AV software alone will not be effective. It is therefore important to block the malware at source. Spam filters, such as SpamTitan, will help to prevent malicious emails from reaching end users’ inboxes. Web filters, such as WebTitan, prevent users from accessing infected websites, unofficial software repositories, and websites with coin-mining code installed that uses CPU power through browser sessions.

 

Business Email Account Compromises Soaring

Business email compromise (BEC) attacks cost businesses billions of dollars each year, and business email account compromises are soaring.

What is a Business Email Compromise Attack?

As the name suggests, these attacks involve the hijacking of business email accounts. The primary aim is to compromise the account of the CEO or CFO, which is usually achieved through a spear phishing attack. Once the email account has been compromised, it is used to send phishing emails to other employees in the company, most commonly, employees in the accounts, finance, and payroll departments.

The emails commonly request wire transfers be made to accounts under the control of the attackers. Requests are also made for sensitive information such as the W-2 Forms of employees.

Since the emails are sent from the CEO or CFO’s own account, there is a much higher chance of an employee responding to the request than to a standard phishing attempt from an external email address. Since the emails come from within an organization, they are also much harder to detect as malicious – a fact not lost on the scammers.

With access to the email account, it is much easier to craft convincing messages. The signature of the CEO can be copied along with their style of writing from sent messages. Email conversations can be started with employees and messages can be exchanged without the knowledge of the account holder.

Fraudulent transfers of tens or hundreds of thousands of dollars may be made and the W-2 Forms of the entire workforce can be obtained. The latter can be used to submit fake tax returns in victims’ names to obtain tax refunds. The profits for the attackers can be considerable, and with the potential for a massive payout, it is no surprise that these attacks are on the rise.

Business Email Account Compromises Have Increased by 284% in a Year

FBI figures in December 2016 suggest $5.3 billion had been lost to BEC scams since October 2013. That figure had now increased to $12.5 billion. More than 30,000 complaints of losses due to BEC attacks were reported to the FBI’s Internet Crime Complaints Center (IC3) between June 2016 and May 2018.

The specialist insurance service provider Beazley has been tracking business email account compromises. The firm’s figures show business email account compromises have increased each quarter since Q1, 2017. In the first quarter of 2017, 45 business email account compromises were detected. In Q2, 2018, 184 business email account compromises were detected. Between 2017 to 2018, there was a 284% increase in compromised business email accounts.

While the CEO’s email credentials are often sought, the credentials of lowlier employees are also valuable. Any email account credentials that can be obtained can be used for malicious purposes. Email accounts can be used to send phishing messages to other individuals in an organization, and to business contacts, vendors, and customers.

Beazley notes that once one account has been compromised, others will soon follow. When investigating business email account compromises, businesses often discover that multiple accounts have been compromised. Typically, a company is only aware of half the number of its compromised accounts.

The High Cost of Resolving Business Email Account Compromises

Business email account compromises can be extremely costly to resolve. Forensic investigators often need to be brought in to determine the full extent of the breach. Each breached email account must then be checked to determine what information has been compromised. While automated searches can be performed, manual checks are inevitable. For one client, the automated search revealed 350,000 document attachments had potentially been accessed, and each of those documents had to be checked manually to determine the information IT contained. The manual search alone cost the company $800,000.

How to Protect Your Organization from Business Email Compromise Attacks

A range of measures are required to protect against business email compromise attacks. An advanced spam and anti-phishing solution is required to prevent phishing and spear phishing emails from being delivered to inboxes.

SpamTitan is an easy-to-implement spam filtering solution that blocks advanced phishing and spear phishing attacks at source. In contrast to basic email filters, such as those incorporated into Office 365, SpamTitan uses heuristics, Bayesian analysis, and machine learning to identify highly sophisticated phishing attacks and new phishing tactics. These advanced techniques ensure more than 99.9% of spam and malicious messages are blocked.

The importance of security awareness training should not be underestimated. End users should be trained how to recognize phishing attempts. Training should be ongoing to ensure employees are made aware of current campaigns and new phishing tactics. Phishing simulation exercises should also be conducted to reinforce training and identify weak links.

Multi-factor authentication is important to prevent third parties from using stolen credentials to access accounts. If a login attempt is made from an unfamiliar location or unknown device, an additional form of identification is required to access the account.

Password policies should be enforced to ensure that employees set strong passwords or passphrases. This will reduce the potential for brute force and dictionary attacks. If Office 365 is used, connection to third party applications should be limited to make it harder for PowerShell to be used to access email accounts. A web filtering solution should also be implemented to block access to phishing accounts where email credentials are typically obtained.

Defense in depth is the key to protecting against BEC attacks. For more information about email and web security controls to block BEC attacks, give the TitanHQ team a call. Our experienced advisers will recommend the best spam and web filtering options to meet the needs of your business and can book a product demonstration and set you up for a free trial.

New Phishing Campaign Bypasses Office 365 Anti-Phishing Defenses

A new phishing campaign is bypassing Office 365 anti-phishing defenses and arriving in employees’ inboxes; one of several recent campaigns to slip through the net and test end users’ security awareness knowledge.

The aim of this campaign is not to obtain login credentials or install malware. It is a sextortion scam that aims to get email recipients to make a payment to the scammers.

Sophisticated Sextortion Scam Bypasses Office 365 Anti-Phishing Controls

The scam itself is straightforward. The sender of the email claims to be a hacker who has gained access to the victim’s computer and has installed malware. That malware allowed full access to the user’s device, including control of the webcam. The email claims that the webcam was used to record the victim while he/she was accessing adult web content. The attacker claims to have spliced the webcam recording with the images/videos that were being viewed at the time. The attacker claims the video will be sent to the user’s contacts on social media and via email.

Several similar sextortion scams have been conducted in the past few months, but what makes this campaign different is the extent of the deception. In this campaign, the attacker includes the user’s password in the email body.

“Hello!
I’m a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from [user’s email] on moment of hack: [user’s password]

The password may not be the one currently used, but it is likely to be recognized as it has been taken from a previous data breach. However, its inclusion will be especially worrying for any user who does not regularly change their password and for users that share passwords across multiple sites or reuse old passwords. Changing the password will not block access, according to the email

“Of course, you can and will change it, or already have changed it.
But it doesn’t matter, my malware updated it every time.”

For anyone who has viewed adult content on a laptop or other device with a webcam, this message will no doubt be extremely concerning. Especially, as the email contains ‘evidence’ of email compromise. The From field of the email displays the user’s own email address, indicating that the attacker has sent it from the user’s email account.

The attacker notes in the email, “Do not try to contact me or find me, it is impossible, since I sent you an email from your account.”

While scary, the attacker does not have access to the user’s email account. The From field has been spoofed. This is actually straightforward with a Unix computer set up with mail services. Mass emails can be sent out using the same email address in the From field as the Address field, giving the impression that the messages have been sent from the users’ accounts.

The hacker notes that this is not his/her usual modus operandi. “You are not my only victim, I usually lock computers and ask for a ransom. But I was struck by the sites of intimate content that you often visit.” That will be a particular worry for some users.

To prevent distribution of the video, the user must pay $892 in Bitcoin to the specified address and many email recipients have chosen to pay to avoid exposure. The Bitcoin wallet used for the scam has received 450 payments totaling 6.31131431 BTC – around $27,980. Multiple Bitcoin wallets are often used by scammers, so the actual total is likely to be far higher.

Bypassing of Office 365 Anti-Phishing Defenses a Cause for Concern

This scam may not have any direct impact on a business, as no credentials are compromised, and malware is not installed; however, what is of concern is how the messages have bypassed Office 365 phishing defenses and are arriving in inboxes. The scam was first identified in late September and the messages continued to be delivered to Office 365 inboxes, even those with Advanced Threat Protection that companies pay extra for to provide greater protection against spam and phishing emails.

This is of course just one scam. Others have similarly breached Office 365 anti-phishing defenses, many of which are much more malicious in nature and pose a very real and direct threat to businesses. Office 365 anti-phishing protections do block a lot of threats, and protection is improved with Advanced Threat Protection, but the controls are not particularly effective at blocking sophisticated phishing attempts and zero-day attacks.

The volume of phishing attacks on businesses that are now being conducted, the sophisticated nature of those attacks, and the high cost of mitigating a phishing attack and data breach mean businesses need to improve Office 365 anti-phishing defenses further. That requires a third-party spam solution.

For more than 20 years, TitanHQ has been developing security solutions to protect inboxes and block web-based attacks. During that time, our spam filtering solution, SpamTitan, has been gathering threat intelligence, analyzing spamming and phishing tactics, and protecting end users. Over the years, SpamTitan has receive many updates to improve protection against new threats and phishing tactics. Independent tests have shown SpamTitan now has a catch rate in excess of 99.9%.

The incorporation of a range of predictive techniques ensure SpamTitan is not reliant on signatures and can detect never-before seen phishing attempts and zero-day attacks, and provide superior protection against spam, phishing, malware, viruses, ransomware, and botnets for Office 365 users.

To better protect your email channel and keep your Office 365 inboxes threat free, contact TitanHQ today to schedule a full personalized demo of SpamTitan and to find out just how cost effective the solution is for SMBs and enterprises.

New HookAds Malvertising Campaign Redirects to Sites that Deliver Banking Trojans, Info Stealers and Ransomware

One of the ways that threat actors install malware is through malvertising – The placing of malicious adverts on legitimate websites that direct visitors to websites where malware is downloaded. The HookAds malvertising campaign is one such example and the threat actors behind the campaign have been particularly active of late.

The HookAds malvertising campaign has one purpose. To direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor lands on a web page. The visitor’s computer is probed to determine whether there are any vulnerabilities – unpatched software – that can be exploited to silently install files.

In the case of the Fallout exploit kit, users’ devices are checked for several known Windows vulnerabilities. If one is identified, it is exploited and a malicious payload is downloaded. Several malware variants are currently being delivered via Fallout, including information stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two separate HookAds malvertising campaigns have been detected: One is being used to deliver the DanaBot banking Trojan and the other is delivering two malware payloads – The Nocturnal information stealer and GlobeImposter ransomware via the Fallout exploit kit.

Exploit kits can only be used to deliver malware to unpatched devices, so businesses will only be at risk of this web-based attack vector if they are not 100% up to date with their patching. Unfortunately, many businesses are slow to apply patches and exploits for new vulnerabilities are frequently uploaded to EKs such as Fallout. Consequently, a security solution is needed to block this attack vector.

HookAds Malvertising Campaign Highlights Importance of a Web Filter

The threat actors behind the HookAds malvertising campaign are taking advantage of the low prices offered for advertising blocks on websites by low quality ad networks – Those often used by owners of online gaming websites, adult sites, and other types of websites that should not be accessed by employees. While the site owners themselves are not actively engaging with the threat actors behind the campaign, the malicious adverts are still served on their websites along with legitimate ads. Fortunately, there is an easy solution that blocks EK activity: A web filter.

TitanHQ has developed WebTitan to allow businesses to carefully control employee Internet access. Once WebTitan has been installed – a quick and easy process that takes just a few minutes – the solution can be configured to quickly enforce acceptable Internet usage policies. Content can be blocked by category with a click of the mouse.

Access to websites containing adult and other NSFW content can be quickly and easily blocked. If an employee attempts to visit a category of website that is blocked by the filter, they will be redirected to a customizable block screen and will be informed why access has been prohibited.

WebTitan ensures that employees cannot access ‘risky’ websites where malware can be downloaded and blocks access to productivity draining websites, illegal web content, and other sites that have no work purpose.

Key Benefits of WebTitan

Listed below are some of the key benefits of WebTitan

  • No hardware purchases required to run the web filter
  • No software downloads are necessary
  • Internet filtering settings can be configured in minutes
  • Category-based filters allow acceptable Internet usage policies to be quickly applied
  • An intuitive, easy-to-use web-based interface requires no technical skill to use
  • No patching required
  • WebTitan Cloud can be applied with impact on Internet speed
  • No restriction on devices or bandwidth
  • WebTitan is highly scalable
  • WebTitan protects office staff and remote workers
  • WebTitan Cloud includes a full suite of pre-configured and customizable reports
  • Reports can be scheduled and instant email alerts generated
  • Suitable for use with static and dynamic IP addresses
  • White label versions can be supplied for use by MSPs
  • Multiple hosting options are available
  • WebTitan Cloud can be used to protect wired and wireless networks

For further information on WebTitan, for details of pricing, to book a product demonstration, or register for a free trial, contact the TitanHQ team today.

Further information on WebTitan is provided in the video below:

https://www.youtube.com/watch?v=s_c4nB0Rl_g

Stealthy sLoad Downloader Performs Extensive Reconnaissance Before Delivering Payload

The past few months have seen an increase in new, versatile malware downloaders that gather a significant amount of data about users’ systems before deploying a malicious payload. That payload is determined on the users’ system.

Marap malware and Xbash are two notable recent examples. Marap malware fingerprints a system and is capable of downloading additional modules based on the findings of the initial reconnaissance. XBash also assesses the system, and determines whether it is best suited for cryptocurrency mining or a ransomware attack and deploys its payload accordingly.

Stealthy sLoad Downloader Used in Highly Targeted Attacks

A further versatile and stealthy malware variant, known as the sLoad downloader, can now be added to that list. SLoad first appeared in May 2018, so it predates both of the above malware variants, although its use has been growing.

The primary purpose of sLoad appears to be reconnaissance. Once downloaded onto a system, it will determine the location of the device based on the IP address and performs several checks to ascertain the type of system and the software that is running and will determine whether it is on a real device or in a sandbox environment. It checks the processes running on the system, compares against a hardcoded list, and will exit if certain security software is installed to avoid detection.

Provided the system is suitable, a full scan of all running processes will be performed. The sLoad downloader will search for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of taking screenshots and searches the browser history looking for specific banking domains. All of this information is then fed back to the attackers’ C2 server.

Once the system has been fingerprinted, further malware variants are downloaded, primarily banking Trojans. Geofencing is used extensively by the threat actors using sLoad which helps to ensure that banking Trojans are only downloaded onto systems where they are likely to be effective – If the victim uses one of the banks that the Trojan is targeting.

In most of the campaigns intercepted to date, the banking Trojan of choice has been Ramnit. The attacks have also been highly focused on specific countries including Canada, and latterly, Italy and the United Kingdom – Locations which are currently being targeted by Ramnit. Other malware variants associated with the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.

The sLoad downloader is almost exclusively delivered via spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been several email subjects used, most commonly the emails relate to purchase orders, shipping notifications, and missed packages.

The emails contain Word documents with malicious macros in ZIP files, or alternatively embedded hyperlinks which will download the ZIP file if clicked.

The sLoad downloader may be stealthy and versatile, but blocking the threat is possible with an advanced spam filter. End user training to condition employees never to click on hyperlinks from unknown senders nor open attachments or enable macros will also help to prevent infection.  Web filtering solutions provide an additional layer of protection to block attempts to download malicious files from the Internet.

Massive Midterm Elections SEO Poisoning Campaign Identified

The U.S. midterm elections have been attracting considerable attention, so it is no surprise that cybercriminals are taking advantage and are running a midterm elections SEO poisoning campaign. It was a similar story in the run up to the 2016 presidential elections and the World Cup. Whenever there is a major newsworthy event, there are always scammers poised to take advantage.

Thousands of midterm elections themed webpages have sprung up and have been indexed by the search engines, some of which are placing very highly in the organic results for high-traffic midterm election keyword phrases.

The aim of the campaign is not to influence the results of the midterm elections, but to take advantage of public interest and the huge number of searches related to the elections and to divert traffic to malicious websites.

What is SEO Poisoning?

The creation of malicious webpages and getting them ranked in the organic search engine results is referred to as search engine poisoning. Search engine optimization (SEO) techniques are used to promote webpages and convince search engine algorithms that the pages are newsworthy and relevant to specific search terms. Suspect SEO practices such as cloaking, keyword stuffing, and backlinking are used to fool search engine spiders into rating the webpages favorably.

The content on the pages appears extremely relevant to the search term to search engine bots that crawl the internet and index the pages; however, these pages do not always display the same content. Search engine spiders and bots see one type of content, human visitors will be displayed something entirely different. The scammers are able to differentiate human and bot visitors through different HTTP headers in the web requests. Real visitors are then either displayed different content or are redirected to malicious websites.

Midterm Elections SEO Poisoning Campaign Targeting 15,000+ Keywords

The midterm elections SEO poisoning campaign is being tracked by Zscaler, which notes that the scammers have managed to get multiple malicious pages ranking in the first page results for high traffic phrases such as “midterm elections.”

However, that is just the tip of the iceberg. The scammers are actually targeting more than 15,000 different midterm election keywords and are using more than 10,000 compromised websites in the campaign. More sites are being compromised and used in the campaign each day.

When a visitor arrives at one of these webpages from a search engine, they are redirected to one of many different webpages. Multiple redirects are often used before the visitor finally arrives at a particular landing page. Those landing pages include phishing forms to obtain sensitive information, host exploit kits that silently download malware, or are used for tech support scams and include various ruses to fool visitors into installing adware, spyware, cryptocurrency miners, ransomware or malicious browser extensions. In addition to scam sites, the campaign is also being used to generate traffic to political, religious and adult websites.

This midterms elections SEO poisoning campaign poses a significant threat to all Internet users, but especially businesses that do not control the content that can be accessed by their employees. In such cases, campaigns such as this can easily result in the theft of credentials or malware/ransomware infections, all of which can prove incredibly costly to resolve.

One easy-to-implement solution is a web filter such as WebTitan. WebTitan can be deployed in minutes and can be used to carefully control the content that can be accessed by employees. Blacklisted websites will be automatically blocked, malware downloads prevented, and malicious redirects to phishing websites and exploit kits stopped before any harm is caused.

For further information on the benefits of web filtering and details of WebTitan, contact the TitanHQ team today.

New Version of Azorult Malware Being Distributed via RIG Exploit Kit

A new and improved version of Azorult malware has been identified. The latest version of the information stealer and malware downloader has already been used in attacks and is being distributed via the RIG exploit kit.

Azorult malware is primarily an information stealer which is used to obtain usernames and passwords, credit card numbers, and other information such as browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities added.

Azorult malware was first identified in 2016 by researchers at Proofpoint and has since been used in a large number of attacks via exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more commonly, malicious Word files containing malware downloaders.

Back in 2016, the malware variant was initially installed alongside the Chthonic banking Trojan, although subsequent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen multiple threat actors pair the information stealer with a secondary ransomware payload.

Campaigns have been detected using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the initial aim is to steal login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been obtained, the ransomware is activated, and a ransom payment is demanded to decrypted files.

A new version of the Azorult was released in July 2018 – version 3.2 – which contained significant improvements to both its stealer and downloader functions.  Now Proofpoint researchers have identified a new variant – version 3.3 – which has already been added to RIG. The new variant was released shortly after the source code for the previous version was leaked online.

The new variant uses a different method of encryption, has improved cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and an updated admin panel. The latest version has a lower detection rate by AV software ensuring more installations.

The RIG exploit kit uses exploits for known vulnerabilities in Internet Explorer and Flash Player, which use JavaScript and VBScripts to download Azorult.

If your operating systems and software are kept fully patched and up to date you will be protected against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many companies are slow to apply patches, which need to be extensively tested. It is therefore strongly advisable to also deploy a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan prevents end users from visiting malicious websites such as those hosting exploit kits.

The latest version of Azorult malware was first listed for sale on October 4. It is highly probable that other threat actors will purchase the malware and distribute it via phishing emails, as was the case with previous versions. It is therefore strongly advisable to also implement an advanced spam filter and ensure that end users are trained how to recognize potentially malicious emails.

DanaBot Trojan Now Targeting Customers of U.S. Banks

In May, security researchers at Proofpoint discovered a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was thought that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking credentials.

That campaign has continued, but in addition, campaigns have been identified in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was conducted targeting U.S. banks.

The DanaBot Trojan is a modular malware written in Delphi that is capable of downloading additional components to add various different functions.

The malware is capable of taking screenshots, stealing form data, and logging keystrokes in order to obtain banking credentials. That information is sent back to the attackers’ C2 server and is subsequently used to steal money from corporate bank accounts.

An analysis of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly suggests that the campaigns in each region are being conducted by different individuals and that the DanaBot Trojan is being offered as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates running campaigns. In total, there appears to currently be 9 individuals running distribution campaigns.

The country-specific campaigns are using different methods to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.

The U.S. campaign uses a fax notice lure with the emails appearing to come from the eFax service. The messages look professional and are complete with appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message.

Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.

Proofpoint’s analysis of the malware revealed similarities with the ransomware families Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is targeting customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase.  It is likely that the campaigns will spread to other countries as more threat actors are signed up to use the malware.

Preventing attacks requires defense in depth against each of the attack vectors. An advanced spam filter is required to block malspam. Users of Office 365 should increase protection with a third-party spam filter such as SpamTitan to provide better protection against this threat. To prevent web-based attacks, a web filtering solution should be used. WebTitan can block attempts by end users to visit websites known to contain exploit kits and IPs that have previously been used for malicious purposes.

End users should also trained never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are genuine. Businesses in the United States should also consider warning their employees about fake eFax emails to raise awareness of the threat.

Fallout Exploit Kit Used to Deliver New GandCrab v5 Ransomware Variant

A new version of GandCrab ransomware (GandCrab v5) has been released. GandCrab is a popular ransomware threat that is offered to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms payed by individuals they manage to infect.

GandCrab was first released in January 2018 and fast grew into one of the most widely used ransomware variants. In July it was named the top ransomware threat and is regularly updated by the authors.

There have been several changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also uses an HTML ransom note rather than dropping a txt file to the desktop.

Bitdefender released free decryptors for early versions of the ransomware, although steps were taken by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been developed.

Recovery from a GandCrab v5 infection will only be possible by paying the ransom – approximately $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a limited time for paying the ransom before the price to decrypt doubles. It is therefore essential that backups are created of all data and for those backup files to be checked to make sure files can be recovered in the event of disaster.

Since this ransomware variant is offered under the ransomware-as-a-service model, different vectors are used to distribute the ransomware by different threat actors. Previous versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.

Traffic is directed to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to provide an extra income stream.

Any user that clicks one of the malicious links in the adverts is redirected to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old vulnerabilities and some relatively recent flaws. Any user that has a vulnerable system will have GandCrab ransomware silently downloaded onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.

Whenever a new zero-day vulnerability is discovered it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no exception. Within a couple of days, the exploit had already been adopted by cybercriminals and incorporated into malware.

The exploit for the Task Scheduler ALPC vulnerability allows executable files to be run on a vulnerable system with System privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to perform system-level tasks such as deleting Windows Shadow Volume copies to make it harder for victims to recover encrypted files without paying the ransom. Microsoft has now issued a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many companies have yet to apply the patch.

The most important step to take to ensure that recovery from a ransomware attack is possible is to ensure backups are created. Without a viable backup the only way of recovering files is by paying the ransom. In this case, victims can decrypt one file for free to confirm that viable decryption keys exist. However, not all ransomware variants allow file recovery.

Preventing ransomware infections requires software solutions that block the main attack vectors. Spam filtering solutions such as SpamTitan prevent malicious messages from being delivered to inboxes. Web filters such as WebTitan prevent end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to gain system access, so it is important that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.

Patches should be applied promptly to prevent vulnerabilities from being exploited and advanced antimalware solutions should be deployed to detect and quarantine ransomware before files are encrypted.

Lire cet article en français.

Viro Botnet Malware Encrypts Files, Logs Keystrokes and Hijacks Email Accounts

A new malware threat – named Viro botnet malware – has been detected that combines the file-encrypting capabilities of ransomware, with a keylogger to obtain passwords and a botnet capable of sending spam emails from infected devices.

Viro botnet malware is one of a new breed of malware variants that are highly flexible and have a wide range of capabilities to maximize profit from a successful infection. There have been several recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.

The latest threat was identified by security researchers at Trend Micro who note that this new threat is still in development and appears to have been created from scratch. The code is dissimilar to other known ransomware variants and ransomware families.

Some ransomware variants are capable of self-propagation and can spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to all individuals in the infected user’s contact list.

Viro botnet malware has been used in targeted attacks in the United States via spam email campaigns, although bizarrely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently detected new ransomware threat that masquerades as Locky ransomware, also had a French ransom note. This appears to be a coincidence as there are no indications that the two ransomware threats are related or are being distributed by the same threat group.

With Viro botnet, Infection starts with a spam email containing a malicious attachment. If the attachment is opened and the content is allowed to run, the malicious payload will be downloaded. Viro botnet malware will first check registry keys and product keys to determine whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair will be generated via a cryptographic Random Number Generator, which are then sent back to the attacker’s C2 server. Files are then encrypted via RSA and a ransom note is dropped on the desktop.

Viro botnet malware also contains a basic keylogger which will log all keystrokes on an infected machine and send the data back to the attacker’s C2 server. The malware is also capable of downloading further malicious files from the attacker’s C2.

While the attacker’s C2 server was initially active, it has currently been taken down so any further devices that are infected will not have data encrypted. Connection to the C2 server is necessary for the encryption routine to start. Even though the threat has been neutralized this is expected to only be a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns can have been predicted.

Protecting against email-based threats such as Viro botnet malware requires an advanced spam filtering solution such as SpamTitan to prevent malicious messages from being delivered to end users.  Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them identify security threats and respond appropriately.

Multiple backups should also be created – with one copy stored securely offsite – to ensure files can be recovered in the event of file encryption.

MagnetoCore Malware Campaign Sees 7,339 Magneto Stores Infected with Payment Card Skimmer

A massive MagnetoCore malware campaign has been uncovered that has seen thousands of Magneto stores compromised and loaded with a payment card scraper. As visitors pay for their purchases on the checkout pages of compromised websites, their payment card information is sent to the attacker’s in real time.

Once access is gained to a website, the source code is modified to include the MagnetoCore malware, which is hidden among legitimate files in the Magnetocore.net domain.

The hacking campaign was detected by Dutch security researcher Willem de Groot. Over the past six months, the hacker behind the campaign has loaded MagnetoCore malware on at least 7,339 Magneto stores. The number of compromised websites is believed to be increasing at a rate of around 50 or 60 new stores per day.

Site owners have been informed of the MagentoCore malware infections, although currently more than 5,170 Magneto stores still have the script on the site.

The campaign was discovered when de Groot started scanning Magneto stores looking for malware infections and malicious scripts. He claims that around 4.2% of Magneto stores have been compromised and contain malware or a malicious script.

While a high number of small websites have been infected, according to de Groot, the script has also been loaded onto the websites of multi-million-dollar publicly traded companies, suggesting the hacker behind the attack has been able to steal tens, or most likely, hundreds of thousands of payment cards.

With a full set of payment card data selling for between $5 and $30 per card on darknet marketplaces, the individual(s) or hacking group behind the campaign has likely made a substantial profit.

Further information on the threat actor(s) responsible for the attacks has come from RiskIQ, which reports that the MagnetoCore malware campaign is part of much larger payment card scraping campaign known as MageCart. RiskIQ reports that MageCart has been in operation since at least 2015 and says the campaign being run by three groups. One of the groups was responsible for the TicketMaster breach reported in June that affected 5% of its customers.

All three groups are using the same tactics as part of a single campaign. It is likely the MagnetoCore malware campaign is being run by the same individuals responsible for MageCart.

Access to the sites is gained through a simple but time-consuming process – Conducting a brute force attack to guess the password for the administrator account on the website. According to de Groot, it can take months before the password is guessed. Other tactics known to be used are the use of malware such as keyloggers to obtain the login credentials and the exploitation of vulnerabilities in unpatched content management systems.

Preventing website compromises requires the use of very strong passwords and prompt patching to ensure all vulnerabilities are addressed. CMS systems should also be updated as soon as a new version is released.

It is also important for site owners to conduct regular scans of website CMSs to search for malicious scripts or code alterations, and to use a security solution that alerts the webmaster when a code change is detected on a website.

Unfortunately, finding out that a site has been compromised and removing the malicious code will not be sufficient. A painstaking check of the codebase is required as multiple backdoors are often added to compromised websites to ensure access can still be gained should the malicious code be discovered and removed.