Website Filtering
Our website filtering category includes the latest news and advice on content filtering: Restricting access to inappropriate online content such as pornography, blocking illegal activities such as copyright-infringing file downloads and blocking other potentially harmful or productivity-draining web content.
This news section also includes updates on web-based threats including ransomware, malware and phishing websites. While spam email is the current number one attack vector and the most common medium used for phishing, organizations should not neglect Internet threats such as exploit kits and malvertising. Articles on the latest threats and possible mitigations are also included in this category.
You will also find useful tips and advice on Internet content filtering and how best to protect your organizations using a web filtering solution. Many of the news items in this section are particularly relevant to Managed Service Providers (MSPs) looking to increase revenue and provide a more comprehensive range of security solutions to their clients.
by G Hunt |
April 18, 2025 |
Network Security, Website Filtering
A Gootloader malware campaign has been identified that uses Google Ads for initial contact with businesses, luring them in with realistic ads on a legitimate and trusted platform and tricking them into installing malware. Gootloader is a type of malware used to gain initial access to devices. First identified in 2020, the malware is used to attack Windows-based systems and deliver additional malware payloads. For example, the malware has been used to deliver Gootkit, a banking Trojan with information-stealing capabilities, and Gootloader is part of an “initial access as a service” platform, providing cybercriminal groups with the access they need to achieve their aims. For instance, access can be sold to ransomware groups.
Historically, Gootloader malware has been distributed via search engine (SEO) poisoning, which abuses Google and other search engines. This technique involves manipulating search engines to get malicious sites to appear high up in the search engine listings for key terms. By using SEO techniques, malicious sites appear high in the listings, giving Internet users the impression that the website is legitimate while also ensuring that enough people see the listing and click.
The latest campaign uses Google Ads to achieve the same purpose – getting a malicious site in front of users and giving them a reason to download a file. In this campaign, small businesses and other potentially high-value targets can be infected, which will be of interest to ransomware groups. Google performs checks of advertisers, and the company is usually able to prevent malicious adverts from appearing on the network; however, from time to time, those checks fail.
In this case, the campaign is attributed to a legitimate-sounding advertiser called Med Media Group Limited, which uses legal document templates such as contracts and non-disclosure agreements to attract small businesses. Fake websites are used in the campaign that appear legitimate, such as lawliner[.com]. The campaign has been configured to display ads for searches for legal documents, with the adverts claiming they provide a free template for the document with no sign-up required and no registration needed.
If the ad is clicked, the user is directed to a legitimate-looking and professional webpage. They are asked to enter their email address, and a link is sent via email for them to download the required document. The link directs the user to a different website, which triggers the download of a zip file containing a file that appears to be the document they require. For instance, the ad offering a non-disclosure agreement contains a file called non_disclosure_agreement_nda.js. The email directs the user to a site called skhm[.]org. The footer of the email claims the service is SKHM (Store, Keep, Host & Mail), and a mailing address is included along with a contact mobile phone number for a UK company called ENDOLE LTD.
The provision of a company name and contact information adds legitimacy, and if the provided number is called, they will be told that the company and the file are legitimate; however, that is certainly not the case. The downloaded file is JavaScript, and if it is executed, it will deliver Gootloader malware, which will establish persistence and reach out to its command-and-control server. After conducting reconnaissance to discover the local and networked environment, it will deliver secondary malware payloads.
The key to avoiding Gootloader infections is security awareness. There are several red flags with this campaign, although they can easily be missed. Registration on a site is usually required in order to get something for free. The site where the download occurs is different from the site used for the ad campaign, and the file is delivered in a zip file rather than a standard Word document or PDF. Further, a close look at the file will reveal it is an executable .js file, and a warning will be generated if an attempt is made to open the file, requiring confirmation before the file is executed.
Businesses should ensure that security awareness training is provided to employees to explain all of these red flags and other ways that cybercriminals use to distribute malware and phish for sensitive data. The SafeTitan security awareness training and phishing simulation platform makes it easy to create and automate training courses and phishing simulations. Businesses should also consider using a DNS filter to restrict access to malicious websites and block malware downloads from the Internet. The WebTitan DNS filter allows category-based filtering, preventing users from visiting certain risky categories of websites and websites serving no work purpose. WebTitan is constantly fed threat intelligence from a vast network of end users and will block access to malicious websites within a few minutes of a website or webpage being determined to be malicious, including redirects to malicious sites from compromised, legitimate websites. The solution can also be configured to prevent file downloads from the internet by file type, thus helping to prevent malware downloads. TitanHQ also offers a full suite of cybersecurity solutions, including anti-spam software with email sandboxing, anti-phishing protection, and email encryption and email archiving solutions.
by G Hunt |
March 4, 2025 |
Phishing & Email Spam, Spam Software, Website Filtering
There has been a surge in infostealer malware infections, with detections up almost 60% from the previous year. Infostealers gather system information, stored files, and sensitive data and exfiltrate the information to their command and control server. Once installed, they can remain undetected for long periods of time, exfiltrating sensitive data such as usernames and passwords by logging keystrokes, with some variants capable of taking screenshots and capturing audio and video by taking control of the microphone and webcam.
The majority of infostealers are used to attack Windows systems; however, a new infostealer called FrigidStealer has been identified that is being used to target Mac users. FrigidStealer is capable of stealing saved cookies, password-related files in the Safari and Chrome browsers, and login credentials, along with cryptocurrency wallet credentials, Apple Notes containing passwords, documents, spreadsheets, text files, and other sensitive data from the user’s home directory. The gathered data is added to a compressed file in a hidden folder in the user’s home directory and is exfiltrated to its command and control server.
The threat actor behind the campaign distributes FrigidStealer under the guise of important web browser updates on compromised websites. The threat actor injects malicious JavaScript into the HTML of the webpage which generates a fake browser update notification to website visitors. The notifications warn the user that they must update their browser to continue to view the page, with the displayed notification tailored to the browser in use.
The notifications look professional, include the appropriate logos for either Google Chrome or Safari, and contain an update button that the user must click to proceed. Clicking the button will trigger the download of an installer (DMG file), which must be manually launched. The user is required to enter their password to get around macOS Gatekeeper protections. If the password is entered, the file is executed and FrigidStealer is delivered.
A similar campaign is being conducted targeting Windows users. The Windows campaign uses similar techniques, although it tricks the user into downloading and executing an MSI installer, which delivers one of two different info stealers, Lumma Stealer or DeerStealer. The threat actor is also targeting Android devices in a similar way, delivering an APK file that contains the Marcher banking Trojan.
With infostealer infections soaring, businesses need to make sure they have the right security solutions in place and should be providing regular security awareness training to the workforce. Employees should be instructed to never download browser updates when prompted to do so on websites or run any suggested commands on their devices, as the updates and commands are likely to be malicious.
A web filter is strongly recommended for controlling access to the Internet and blocking visits to malicious websites. The WebTitan DNS filter can used to protect users on or off the network and is constantly updated with threat intelligence on new malicious websites. If an attempt is made to visit a known malicious website, that attempt will be blocked. The web filter can also be configured to block file downloads from the internet by file type, allowing IT teams to prevent employees from downloading executable files.
While this is a web-based campaign, information stealers are commonly distributed in phishing emails, either through malicious attachments or embedded hyperlinks. TitanHQ’s SpamTitan cloud-based anti-spam service is a powerful AI-driven email security solution with email sandboxing and advanced threat detection capabilities. SpamTitan outperformed all other tested solutions in recent tests by VirusBulletin, blocking 100% of phishing emails and 100% of malware.
by G Hunt |
February 28, 2025 |
Security Awareness, Website Filtering
A China-based ransomware group, Silver Fox, that has primarily targeted individuals in China, Taiwan, and Hong Kong, has been expanding its attacks outside of those regions and is now conducting attacks more broadly on multiple industry sectors. Silver Fox uses ransomware in its attacks and is focused on file encryption, demanding payment to obtain the keys to decrypt files. While the group does engage in double extortion tactics, stealing data and threatening to leak that data if the ransom is not paid, data theft is limited. Highly sensitive data is not generally stolen.
Many ransomware groups breach networks and spend time moving laterally to infect the maximum number of devices possible and also spend time locating sensitive data to exfiltrate. It is often the data theft and threat of publication that is the main driver behind ransom payments, so much so that some ransomware groups have abandoned the file encryption element of their attacks. In contrast, Silver Fox is focused on quick attacks, often breaching networks and encrypting files on the same day. The group even abandons attacks if lateral movement is not possible or if strengthened security is encountered.
Silver Fox primarily gains initial access to victims’ networks by deploying a remote access Trojan called ValleyRAT. ValleyRAT was first identified in 2023 and is believed to be a malware tool developed by Silver Fox, and its function is to give Silver Fox remote access to networks. The group has extensively targeted individuals in accounting, finance, and sales since those employees are likely to have access to sensitive data that can be quickly and easily stolen.
ValleyRAT is delivered by multiple means, indicating Silver Fox is trying to infect as many users as possible. One of the main methods used for distribution is fake installers for popular software. For instance, the group has been observed using fake installers for EmEditor (a Windows text editor), DICOM software (for viewing medical images), and system drivers and utilities. The group has also been observed using a spoofed website offering the Google Chrome browser, which prompts the user to download a ZIP file containing a Setup.exe file, which installs ValleyRAT.
The methods used to drive traffic to these fake downloads are unclear, although traffic to the fake Google Chrome download site is thought to be generated through malvertising and SEO poisoning, where malicious adverts are displayed for key search terms related to Chrome and web browsers that redirect users to the drive-by download site. SEO poisoning may be used, where black hat SEO techniques are used to get web pages to appear in the search engine listings for key search terms. If the user is tricked into executing the fake installer, they will be infected with ValleyRAT and a ransomware attack will rapidly follow.
Since the group is focused on rapid attacks involving minimal effort, the best defense is to strengthen baseline security and make lateral movement difficult through network segmentation. To prevent ValleyRAT downloads, web security needs to be improved to block attempts by users to visit the malicious websites. A web filter is an ideal tool for blocking access, including redirects through malvertising and SEO poisoning. A web filter such as WebTitan can also be configured to block downloads of certain files from the Internet and restrict access to websites by category – software download sites for example. Ongoing (and regular) security awareness training is also vital to teach employees about the risk of downloading software from the Internet, raise awareness of phishing, and teach security best practices, adding an important human layer to your security defenses.
TitanHQ’s web filter, WebTitan, is easy to implement and use, is automatically updated with the latest threat intelligence, and provides exceptional protection against web-based threats. When coupled with the SafeTitan security awareness training and phishing simulation platform, businesses will be well protected against ValleyRAT malware and other web-delivered malware payloads. Give the TitanHQ team a call to discuss these and other cybersecurity solutions to better protect you against the growing malware threat.
by G Hunt |
February 26, 2025 |
Phishing & Email Spam, Security Awareness, Website Filtering
A ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the networks of more than 600 organizations worldwide. EncryptHub has been active since June 2024 and gains initial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather than email.
The group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco AnyConnect as well as Microsoft 365, and drives traffic to its malicious domains by making contact via personalized SMS messages (smishing) or the phone (vishing).
If vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk and uses social engineering techniques to trick them into disclosing their VPN credentials. The phone number is spoofed to make it appear that the call is coming from inside the company or Microsoft Teams phone numbers are used. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam works, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that company. If the user enters their credentials, they are used in real-time to log in, and if there are any multifactor authentication prompts, the threat actor is able to obtain them on the call. After successfully gaining access, the user is redirected to the genuine login page for their VPN, and the call is terminated.
Another tactic used by the group involves SMS messages with a fake Microsoft Teams link with the goal of capturing their Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page and the threat actor exploits Open URL parameters on microsoftonline.com to harvest email addresses and passwords, while the user believes they are interacting with the legitimate Microsoft service. Once access is gained, the group uses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware payload, and issues a ransom demand.
The group’s tactics are highly effective, as in contrast to spear phishing via email, it is difficult to block the initial contact via SMS or over the phone. The key to preventing these attacks is improving the security awareness of the workforce and using a web filter to prevent the phishing domains from being accessed by employees. TitanHQ’s web filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat intelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any attempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a locally hosted block page.
Regular security awareness training for the workforce is vital to teach security best practices and raise awareness of the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training platform, businesses can easily create training programs tailored for individuals, roles, and departments, and automate those campaigns so they run continuously throughout the year, delivering training in small chunks on a weekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to increase awareness of specific threats. The platform also includes a phishing simulator for running phishing simulations on the workforce to reinforce training and identify knowledge gaps. If a phishing simulation is failed, training is automatically delivered to the user in real time, relevant to the threat they failed to identify. This ensures training is delivered at the point when it is likely to be most effective.
For more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security awareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to allow you to assess them fully before making a purchase decision.
by G Hunt |
June 26, 2024 |
Website Filtering
A malvertising campaign has been identified that targets users looking to download popular software such as Google Chrome and Microsoft Teams and delivers a backdoor malware called Oyster. The threat actor has registered lookalike domains that offer the software to download; however, the installer delivers the backdoor, with PowerShell used for persistence. After the malware is executed, the legitimate software is installed. Since the user gets the software they are expecting, they are unlikely to realize that their device has been infected.
The Oyster backdoor has been linked to the Russian threat group behind the infamous TrickBot Trojan. Once installed, the malware connects with its command-and-control server, gathers information about the host, and allows the threat actors to remotely execute code on the infected device. According to researchers at Rapid7 who identified the campaign, the threat actor has been observed delivering additional malware payloads on infected devices.
Malvertising is a common method of malware delivery that takes advantage of a lack of security awareness and attentiveness. Threat actors create adverts on legitimate ad networks for popular software solutions and pay to have their ads appear when users search for the software solutions they are impersonating. Just because an advert appears at the top of the search engine listings on Google or Bing it does not mean that the advert is legitimate. Clicking the link will direct the user to a site that is a carbon copy of the legitimate website that it spoofs, where they can download the software installer. These campaigns can be identified by the domain, which should be carefully checked to make sure it is the website of the official software provider.
Typosquatting is also commonly used, where threat actors register almost identical domains to the company they are impersonating. The domains usually have a transposed or missing letter. If the domain is not carefully checked, the user is unlikely to realize they are not on the official website. Threat actors use black hat search engine optimization techniques to get the websites to appear high up in the search engine listings.
By targeting software downloads, where the user is expecting to download an installer, the threat actor does not need to convince the user to execute the malicious file. If they fail to identify the scam before downloading the installer, their device is highly likely to be infected. Security awareness training should cover the methods used by threat actors to distribute malware over the Internet and should condition employees to always carefully check the domain to make sure it is the legitimate vendor’s website. Rather than develop a security awareness training program from scratch, businesses should consider using a vendor that can provide a comprehensive training platform that is constantly updated with new training content covering new attack methods and scams. A security awareness training program should run continuously, to build awareness, teach security best practices, and ensure that employees are constantly reminded of the importance of security.
In addition to training, technical measures should be implemented. A web filter should be used to prevent access to known malicious web pages and block downloads of executable files from the Internet, with policies implemented that require any software to be provided through or by the IT team. TitanHQ can help to improve your defenses against malware with a suite of cybersecurity solutions, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan web filter to prevent access to malicious websites, SpamTitan email security with sandboxing to block malicious emails, and PhishTitan to improve phishing detection and mediation for businesses that use Microsoft 365.
For more information about these and other cybersecurity solutions from TitanHQ, give the sales team a call. All TitanHQ SaaS solutions are available on a free trial to allow you to test them in your own environment before making a purchase decision, with customer support provided throughout the trial.
by G Hunt |
September 7, 2022 |
Industry News, Website Filtering
WebTitan Cloud is an award-winning DNS filter that prevents access to malicious websites and allows businesses to control the web content users can access with precision. This week, TitanHQ has announced the release of a new version of WebTitan Cloud, that includes new features to improve usability, security, protection for remote workers, and provides greater insights into DNS requests. These new features now form part of an industry-leading feature set that is in a cloud-delivered solution that is easy to set up, use, and maintain.
New UI with Advanced Reporting Features
If you are a current WebTitan Cloud user, the first change you will notice is the new user interface which provides easy access to all WebTitan Cloud features. The enhancements provide intuitive, advanced, relevant, and easy-to-digest data, through new interactive reports and data visualization tools, which are embedded into the UI to improve the user experience.
The advanced security reports show malware-infected clients, malware-infected domains, malware-infected users, blocked phishing sites, blocked phishing domains, and blocked phishing sites by user, and the view can be customized by date and client IP. New reports show behavior, blocked sites, and trends to provide insights into network use and threats. These reports have been added based on the feedback received by WebTitan Cloud users.
Interactive Threat Intelligence with DNS Data Offload
The latest version of WebTitan Cloud provides users with easier access to valuable threat intelligence to aid IT decision-making, network troubleshooting, and security planning. Users can now list DNS request history on screen, download DNS request logs, view all DNS data to gain valuable insights into activity, and easily extract DNS query data for sophisticated integrations and advanced data analysis.
DNSSEC Security Enhancements
WebTitan Cloud now benefits from security enhancements to protect against DNS attacks by strengthening authentication using Domain Name System Security Extensions (DNSSEC). DNSSEC uses digital cryptographic signatures to verify the origin and integrity of data during the DNS resolution process to protect against malicious DNS poisoning attacks. Users of WebTitan Cloud can implement DNSSEC through a simple and straightforward process to improve security.
WebTitan OTG Improvements for Protecting Off Network Users
The WebTitan On-the-Go (OTG) agent allows users to extend the protection of WebTitan Cloud to off-network users, no matter where they connect to the Internet. WebTitan OTG was introduced some time ago; however, the latest release includes several enhancements. The JSON Config filters have been replaced for OTG devices, and the agent used to protect, manage, and monitor off-network users has been significantly improved. It is also much easier to add and update exceptions to OTG devices through an easy-to-use interface.
“This WebTitan release is hitting so many key pillars of success for TitanHQ. The data offload feature has been requested by many customers and creates real differentiation for our solution in the market. This coupled with our new advanced reporting were major requests from our MSP customers,” said Ronan Kavanagh, CEO of TitanHQ. “Finally, security is at the heart of what we do and are, the addition of DNSSEC just continues to add to our credentials.”
by G Hunt |
January 17, 2022 |
Internet Security, Spam Software, Website Filtering
Managed Service Providers have a great opportunity on January 21, 2022, to discover some of the key products they can incorporate into their service stacks to help grow their business and provide even better value to their clients.
The Channel Pitch Livestream Event is totally free of charge for MSPs, MSSPs, ISPs, VARs, IT solution providers, and consultants and will introduce attendees to products from 7 innovative technology vendors that have been specifically curated for the Chanel Pitch event. The technology vendors have had their solutions adopted by some of the most successful MSPs and are being used to better protect their clients, improve efficiency, and significantly improve their bottom lines.
The event is being hosted by Serial Tech Entrepreneur Kevin Lancaster and Channel Evangelist Matt Solomon, both of whom are highly esteemed MSP industry professionals. They will be introducing 7 emerging technology vendors, each of which will give a 7-minute presentation on a key product for MSPs and other service providers.
TitanHQ is happy to announce that Conor Madden, Director of Sales, will be hosting one of the 7-minute presentations to introduce MSPs to TitanHQ’s award-winning cybersecurity solutions that have been proven to help MSPs significantly improve their profits while also ensuring downstream businesses are well protected from cyber threats.
The LiveStream Event will take place on January 21, 2022, at 4.00 p.m. GMT, 11 a.m. EST, 8 a.m. PST and attendees will be able to see presentations from the following vendors:
- TitanHQ – Email and Web Security
- Hook Security – Security Awareness Training
- Nerdio – Azure
- Nuvolex – XaaS Management
- Speartip – SOC
- Threatlocker – Application Whitelisting
- Zomentum – Sales Automation
Attendees will be able to engage directly with vendors or provide 100% anonymous feedback.
by G Hunt |
May 14, 2021 |
Industry News, Internet Security, Website Filtering
TitanHQ has announced the release of a new version of WebTitan Cloud that includes new security features, easier administration, and the introduction of WebTitan OTG (on-the-go) for Chromebooks for the education sector.
One of the main changes introduced with WebTitan Cloud version 4.16 is the addition of DNS Proxy 2.06, which supports filtering of users in Azure Active Directory. This is in addition to on-premise AD and directory integration for Active Directory. The support for Azure Active Directory will make it easier for customers to enjoy the benefits of WebTitan Cloud, while making management easier and less time-consuming. Support for further directory services will be added with future releases to meet the needs of customers.
Current WebTitan customers do not need to do anything to upgrade to the latest version of WebTitan, as updates to WebTitan Cloud are handled by TitanHQ and users will be upgraded to the latest version automatically to ensure they benefit from improved security, the latest fixes, and new functionality.
The latest WebTitan Cloud release has allowed TitanHQ to introduce a new solution specifically to meet the needs of clients in the education sector – WebTitan OTG (on-the-go) for Chromebooks.
The use of Chromebooks has grown significantly over the past year, which corresponds with an increase in student online activity. WebTitan OTG for Chromebooks allows IT professionals in the education sector to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and ensure students can use their Chromebooks safely and securely.
WebTitan OTG for Chromebooks is a DNS-based web filtering solution that requires no proxies, VPNs or any additional hardware and since the solution is DNS-based, there is no impact on Internet speed. Once implemented, filtering controls can be set for all Chromebook users, no matter where they connect to the Internet. The controls will be in place in the classroom and at home and all locations in between.
Administrators can easily apply filtering controls for all students, different groups of students, and staff members, including enforcing Safe Search. The solution will block access to age-inappropriate content, phishing web pages, malicious websites used for distributing malware, and any category of website administrators wish to block. Chromebooks can also easily be locked down to prevent anyone bypassing the filtering controls set by the administrator.
WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion. Reports can be generated on demand or scheduled which provide information on Chromebook user locations, the content that has been accessed, and any attempts to bypass filtering, with real-time views of Internet access also possible.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
