Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of type of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.
The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.
The massive increase employees working reportedly has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic.
Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations.
Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-19, often spoofing WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19.
There rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating the number of malicious adverts have doubled in March compared to standard levels of malicious advert activity prior to the pandemic.
A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any individual that landed on the website that was using the Internet Explorer browser was redirected to a webpage hosting the Fallout exploit kit that silently downloads the Raccoon information stealer.
There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an alert stating that around 2,000 COVID-19 domains are being set up each day and there has been a significant rise in phishing attacks directing users to newly registered domains. The TrickBot Trojan accounts for the majority of malware infections from these sites. Figures from Palo Alto Networks’ Unit 42 team show there was a 656% increase in the number of new COVID-19 related domains registered in March.
The increase in web-based attacks calls for improvements to cybersecurity defenses to protect remote employee’s devices from malware infections. A download of malware onto a user’s device could easily see the malware transferred to the network when the user connects.
One of the easiest and most effective ways of blocking these attacks is to implement a web filtering solution such as WebTitan Cloud. With WebTitan Cloud in place, when a user attempts to visit a malicious website, or when an attempt is made to redirect a user through malvertising, rather than arriving on the website the user will be directed to a local block page.
WebTitan Cloud also allows filtering controls to be applied to control the types of websites employees can visit on their corporate-owned devices. Controls can be applied to block access to risky websites such as torrents and peer-to-peer file sharing sites, which are also being used to distribute malware.
WebTitan Cloud is a DNS-based filter that conducts filtering at the DNS lookup stage of a web request. Applying filtering controls and restricting access to certain categories of website involves no latency, which is especially important during lockdown when employees typically have far less bandwidth available than at the office.
WebTitan Cloud does not require the installation of a clients and the solution can be set up and configured in minutes to protect all workers, no matter where they choose to access the internet.
If you are interested in improving internet security and want to find out more about WebTitan Cloud and DNS filtering, call TitanHQ today to book a product demonstration, register for a free trial, and start protecting your employees from online threats.
New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level.
Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer.
In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.
Technical Controls Will Not Block 100% of Cybersecurity Threats
Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs).
When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided. Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.
Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a Mistake
One study recently conducted on IT workers by Apricorn revealed 57% of IT decision makers in the United Kingdom believe remote workers are a security risk and will expose organizations to data breaches and that there is apathy among IT leaders about training the workforce as employees are not concerned about security. 34% of IT leaders said their remote workers do not care about security, but that is not a reason not to provide training. It is a reason to reinforce training and get employees to buy into the company’s security strategy.
Another survey, conducted by Promon on 2,000 remote workers in the United Kingdom, confirmed those findings. The study revealed 66% of employees have not been provided cybersecurity training in the last 12 months, even though cybercriminals are actively targeting remote workers. It is also concerning that 77% of respondents were not worried about the security threat from working from home. The survey also revealed that 61% of employees are using personal devices to work from home instead of corporate-issued devices, which typically have far fewer protections in place to block threats.
Given the numbers of employees working from home due to COVID-19 and the increase in threats targeting those workers, now is the time to be stepping up training and to make sure employees are working in a secure environment. TitanHQ can help you better protect employees and the devices they use to work from home, but you should also ensure that cybersecurity training is reinforced.
Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics many not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.
People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help avoid them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.
Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.
Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.
Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.
Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on Johns Hopkins University website. One campaign has been detected that uses a carbon copy map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.
With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.
It is also important to implement additional control measure to block attacks at source. There are two main attack vectors being used to target remote workers: Email and the web. Due to the high risk of mistakes by employees it is essential for businesses to have an effective email security solution in place.
The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.
The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the of number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file times such as software installers and executable files.
A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.
TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that compliments Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement that allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.
Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.
During this unprecedented time of uncertainty, the health and safety of our employees, customers, partners and their families is one of our main focuses and concerns. Team TitanHQ are fully committed to supporting our partners and customers. The benefits from our email and web security products are even more relevant and important now.
Our fantastic team has jumped at the challenge with vigor and we have mobilized our workforce so that it’s business as usual over this unusual phase. We are taking advice from the government on best practice and have a task force in place to manage our progress.
Customers and partners can rest assured that support teams will continue to be available and product teams are working as normal. If you have any questions or concerns about products, or technical support, please contact us in the usual way. The support team has been trained to be aware of special customer concerns during this period and will escalate any question to the appropriate responsible person or department.
We are aware that this is a sensitive time and we will make sure to go the extra mile to make it easier for our customers. All of us at TitanHQ wish you good health and thank you for your continued support.
A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December.
The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor.
A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to make changes to payroll or requests are sent via email asking for sensitive information such as W-2 forms for use in tax fraud.
The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials.
Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to login to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack.
Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works.
Attackers often insert themselves into legitimate email conversations. Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and email exchanges can continue for several days or weeks. Since the scammer has full control of one of the email accounts, it is likely that the scam will not be detected until it is too late.
It is unclear whether a vendor’s email account was compromised in the Manor Independent School District phishing attack or if this was a standard BEC attack, with emails sent to the billings department requesting a bank account change. Details on the specifics of the phishing attack have not been released. What is known is that the bank account details of a vendor were changed, and the school district made three separate payments over the space of the following month before the scam was identified and the school district discovered it had been scammed out of $2.3 million.
A defense in depth strategy is required to prevent attacks such as this from succeeding. Technical defenses are essential. An advanced spam filter should be implemented that scans all incoming and outgoing messages, multi-factor authentication should be implemented to prevent stolen credentials from being used to remotely access accounts, and end user training is required to raise awareness of the threat. Policies and procedures should also be implemented that require all bank account changes to be verified, via telephone, before they are authorized.
Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable.
There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).
The reason why the number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors is because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid.
Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up.
Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – Not only because their children are not getting their education, but childcare then needs to be arranged.
The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks. Far greater than any ransom payment.
It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying the ransom the most logical solution from a financial perspective. However, paying the ransom sends a message to other cybercriminals that these attacks can be extremely profitable, and the attacks increase.
The huge cost of attacks has seen educational institutions take out insurance policies, which typically pay the ransom in the event of an attack. While this is preferable financially for the schools, it ensures that the attackers get their pay day. Some studies have suggested that attackers are choosing targets based on whether they hold insurance, although the jury is out on the extent to which that is the case.
In total, 49 school districts and around 500 K-12 schools have been affected by ransomware attacks this year. While the ransomware attacks on school districts have been spread across the United States, schools in Connecticut have been hit particularly hard. 7 districts have been attacked, in which there are 104 schools.
Prevention of these attacks is key but securing systems and ensuring all vulnerabilities are identified and corrected can be a challenge, especially with the limited budgets and resources of most schools. Cybersecurity solutions need to be chosen wisely to get the maximum protection for the least cost.
A good place to start is by addressing the most common attack vectors, which for ransomware is Remote Desktop Protocol and email-based attacks.
Remote Desktop Protocol should be disabled if it is not required. If that is not possible, connection should only be possible through a VPN. Rate limiting should also be set to block access after a number of failed login attempts to protect against brute force password-guessing attacks.
Email security also needs to be improved. Massive spam campaigns are being conducted to distribute the Emotet banking Trojan, which serves as a downloader for Ryuk ransomware and others. Embedded hyperlinks in emails direct end users to sites where they are encouraged to download files that harbor malware, or to exploit kits where ransomware is silently downloaded.
Advanced spam filters should be deployed that incorporate sandboxing. This allows potentially suspicious email attachments to be checked for malicious activity in a safe environment. DMARC email authentication is also important as it is one of the best defenses against email impersonation attacks. SpamTitan now incorporates both of these measures.
A DNS based content filtering solution is also beneficial as an additional protection against malware downloads and phishing attacks. Not only can the content filter be used to ensure compliance with CIPA, it will prevent end users from visiting malicious websites where ransomware is downloaded.
Email attacks usually require some user interaction, which provides another opportunity to block the attacks. By educating all staff and students on the risks, they can be prepared for when malicious emails arrive in their inboxes and will be conditioned how to respond.
It is often the case that breached entities only implement these measures after an attack has occurred to prevent any further attacks from succeeding. By taking a more proactive approach and implementing these additional security measures now, costly, disruptive attacks can be avoided.
For more information on ransomware defenses such as email and DNS filters for educational institutions, give the TitanHQ team a call today. You are likely to find out that these security measures are far cheaper than you think… and naturally a great deal less expensive than having to deal with an attack.
2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, now, that trend has been reversed.
2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.
Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.
Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.
Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.
Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shut down has not been accompanied with a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.
Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.
Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourage further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.
Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.
To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.
A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.
The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message is included, along with the time and date of the message. In order to access that message, the user is required to open a HTML file attached to the email.
Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training employees are told to look out for thee commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.
The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.
Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails, they are likely to receive they will be more likely to correctly identify an email as malicious if it arrives in their inbox.
Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees.
SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.
With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.
If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS.
The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users.
HTTPS or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third-party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit.
The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website.
If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.
Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign.
If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.
The IC3 alert was intended to raise awareness of the threat from HTTPS phishing and make the public aware of the true meaning of the green padlock and never to trust a website because it starts with HTTPS.
Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees.
A web filter can greatly reduce the risk of HTTPS phishing attacks, provided the web filter has the capability to decrypt, scan, and re-encrypt HTTPS traffic.
WebTitan provides real-time protection against web-based attacks and uses a constantly updated database of 3 million known malicious sites to block attempts to visit phishing websites. WebTitan is capable of SSL inspection and can inspect HTTPS traffic, block specific applications within a webpage, and display alerts or block sites with fake https certificates.
If you want to improve protection against web-based attacks, contact the TitanHQ team today for more information about WebTitan.
While it is good news the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware.
Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recover by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files.
Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec.
The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed.
An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia.
While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit.
Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers.
There is invariably a delay between a patch being issued and all devices being updated. To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block access to known malicious websites to prevent attacks on vulnerable computers.
TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world.
TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer.
Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients.
Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.
SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks.
WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies, .
ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives and stores more than 10 million emails each month.
With these solutions, French VARs can provide their clients with even greater value and ensure they are well protected against rapidly evolving cyberthreats.
“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to ours VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market”
“We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
Earlier this month, the FBI Internet Crime Complaint Center (IC3) released its annual Internet Crime Report, which highlights the most common attack trends and the extent of financial losses based on victims’ reports of internet crime. The report highlighted the seriousness of the threat of Business Email Compromise (BEC) attacks, which resulted in losses of more than $1.2 billion in 2018 – More than twice the losses to BEC attacks that were reported in 2017.
2019 is likely to see losses increase further still as the BEC attacks are continuing at pace. Last week, almost coinciding with the release of the report, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million.
The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer.
The FBI was contacted, and attempts are being made to recover the funds, although since the payment was made two weeks previously, it is unclear whether it will be possible to recover the money.
A few days later, news broke of another major BEC scam, this time on a church. St. Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund. The scam was a virtual carbon copy of the Scott County Schools BEC attack.
The church was contacted by its contractor after not having had invoices paid for two months. That was news to the church, which believed that payments had been made on time. The funds had left the church account but had been directed elsewhere. The investigation into the BEC attack revealed hackers had gained access to the church’s email system and altered the contractor’s bank and wire transfer instructions.
These are just two recent examples of major losses to BEC attacks. Many other million-dollar and multi-million-dollar losses have been reported over the past 12 months.
With potential profits in the upper hundreds of thousands or millions of dollars, it is no surprise that organized criminal gangs are turning to business email compromise scams. The scams are easier to pull off than many other crimes and the potential profits are considerably higher.
Business email compromise scams involve the impersonation of an individual or company. The scams are often conducted via email and usually include a request for a wire transfer. The scams require some research to identify a company to impersonate, but in many cases that is not particularly difficult. It would not be difficult, for example, to identify a contractor that is conducting a major renovation. The company’s banners are likely to be clearly visible around the building where the work is being completed.
Impersonating a company is far from challenging. It is child’s play to spoof an email and make it appear to have come from another domain. The scams are even more convincing if an email account is compromised. Then the email will come from a genuine account.
Gaining access to an email account requires a carefully crafted phishing email that directs the recipient to a phishing webpage that collects login credentials – such as Office 365 credentials. A single phishing email could start the scam in motion.
These BEC attacks show how critical it is for businesses to have an advanced anti-spam solution in place to prevent the initial phishing attack from succeeding and to implement multi-factor authentication for email accounts to make it harder for stolen credentials to be used to gain access to corporate email accounts.
TitanHQ has formed a strategic partnership with the GRIDHEART, which will see TitanHQ’s leading cloud-based email security, web security, and email archiving solutions made available to users of the Cloudmore Cloud Commerce platform.
GRIDHEART is a privately-owned Swedish company that delivers the world’s leading cloud-based solutions through its Cloud Commerce platform, Cloudmore.
For the past 10 years, GRIDHEART has been offering leading cloud solutions to its customers and resellers and now deals with more than 1,000 cloud partners. The Cloudmore platform makes selling cloud services easy and brings a wide range of cloud services together in a single unified platform.
The platform gives users complete centralized control over their cloud solutions and allows them to easily provision new customers, bill for services, automate processes, and obtain pre-and post-sales support. The platform provides a host of management tools to make control of SaaS and cloud computing simple.
The partnership with TitanHQ will see the Galway, Ireland-based cybersecurity firm add its leading cybersecurity solutions to the platform, through which users can manage the solutions for free.
GRIDHEART’s customers will be able to offer their clients the SpamTitan Cloud email security solution, the WebTitan web filtering solution, and the ArcTitan email security solution and provide multi-layered security to protect against email, web, and modern blended threats.
“By offering additional layers of cloud-based security through Cloudmore’ s unique Cloud Commerce platform, MSPs can procure and deploy IT services for their customers and quickly maximize their IT investment, enhance their security stack and lower operational costs for their customers,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ. “This agreement highlights the importance of delivering comprehensive security solutions to the MSP community through a single and powerful platform”
“TitanHQ fits the bill as a perfect partner with their razor focus on advanced threat protection via email and the web. We’ve very happy to have them on board,” said Stefan Jacobson, Sales Director of GRIDHEART.
Reputation loss after a cyberattack can have a major impact on businesses. While large companies may be able to absorb the loss of customers that results, for small to medium businesses, reputation damage and loss of customers can prove devastating.
Cybersecurity consultants and computer forensics firms can be hired to find out how an attack occurred, and new solutions can be implemented to plug the holes through which access to the network was gained. Regaining the trust of customers can be much harder to recover from. Once trust in a brand is lost, some customers will leave and never return.
When personal data has been exposed or stolen, customers feel betrayed. Company privacy policies may not be read, but customers believe that any company that collects their personal data has a responsibility to protect it. A data breach is seen as a breach of the company’s responsibility to keep personal data private and secure, and many customers will take their business elsewhere after such a privacy violation.
Reputation loss after a cyberattack can also make it hard to find new customers. Once information about a breach has been made public, it can be enough to see potential customers avoid a brand.
Extent of Reputation Loss After a Cyberattack
Radware recently conducted a survey to investigate the cost of cyberattacks on businesses. The study revealed 43% of companies that took part in the study said they had experienced negative customer experiences and reputation loss as a result of a successful cyberattack.
Previous studies suggest that as many as one third of customers will stop doing business with a company that has experienced a data breach. A study by Gemalto paints an even bleaker picture. In a global survey of 10,000 individuals, 70% claimed they would stop doing business with a company that had experienced a data breach.
The cyberattack on the telecoms company TalkTalk in 2015 – which cost the firm an estimated £77 million – caused uproar online. Customers turned to social media networks to express their rage about loss of service and the theft of their personal data. The company’s reputation took a massive hit as a result of the attack, not helped by interviews with the hackers who explained how easy it was. The firm claimed it lost around 101,000 customers as a result of the incident. Research from Kantar Worldpanel ComTech suggests 7% of its broadband customers – around 300,000 people – left the firm for another provider.
With such potential losses, it is no surprise that the Marsh and Microsoft Global Cyber Risk Perception Survey in 2018 found that reputation loss after a cyberattack was the biggest concern of companies. 59% of respondents rated it as a major concern.
Steps can naturally be taken to limit customer turnover, repair reputations, and win back customer trust, but repairing damage to a brand and winning back customers can be a long uphill struggle.
Given the high probability of a cyberattack and the potential repercussions, increased investment in cybersecurity defenses to prevent breaches should be given serious consideration.
It is not possible to prevent all cyberattacks, but it is possible to implement security solutions to protect against the most common attack vectors – email and malicious websites – and that is an area where TitanHQ can help.
The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878).
Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a zero-day use-after-free Adobe Flash player vulnerability (CVE-2018-15982) which was patched on December 5, 2018: A vulnerability also exploited by the Underminer exploit kit.
The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware.
The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened. If there is an unpatched vulnerability for which fallout has an exploit, the ransomware or malware payload will be silently downloaded.
Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but the latest updates show EKs are still a threat and that they are regularly being updated with the latest exploits.
Exploit kits can only deliver malware if unpatched vulnerabilities are present, so prompt patching is strongly recommended. Users also need to visit the sites hosting the exploit kit. Businesses can prevent users from visiting malicious websites using a web filter.
Web filters use blacklists of websites known to host exploit kits are capable of scanning websites for malicious content. They can also prevent third-party ads from being displayed, thus preventing redirects. Since certain categories of website are often used in malvertising campaigns, adult sites and torrents sites for instance, blocking access to those categories of content with a web filter is also recommended.
For further information on web filtering and how it can protect against web-based attacks, contact the TitanHQ team today.
A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network.
It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.
Businesses Pressured to Implement WiFi Filters to Block Porn
Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEO’s of Starbucks and McDonalds urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks.
After petitioning McDonald’s, the global restaurant chain took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.
The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through in its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.
Starbucks Porn Filter to Be Applied in All Locations in 2019
Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be rolled out across all its cafes in 2019.
All businesses that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and are kept ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flaunt policies on acceptable use. A technical solution is therefore required to enforce those policies.
While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be blocked.
WiFi filters can also help businesses conserve bandwidth to make sure that all customers can access the Internet and enjoy reasonable speeds.
WebTitan Cloud for WiFi – The Easy Way to Start Filtering Content on WiFi Networks
TitanHQ has long been an advocate of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily block access to unacceptable and illegal web content on WiFi networks.
WebTitan Cloud for WiFi allows businesses to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases are required and no software downloads are necessary.
The solution offers businesses advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are required to implement and run the solution. It can be set up and operated by individuals that have little to no technical knowhow.
The solution is highly scalable and can be used to protect thousands of users, at multiple locations around the globe, all controlled through a single user interface.
If you run a business that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.
Managed Service Providers (MSPs) that want to start offering WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been developed to meet the needs of MSPs and make it easy for them to add new security capabilities to their service stacks.
The biggest cyber threat to SMBs is ransomware, according to Dato’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study.
Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, are not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack.
However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount.
One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest heavily in cybersecurity solutions as larger businesses.
Anti-Virus Software is Not Effective at Preventing Ransomware Attacks
Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection.
Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware. More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day.
Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency mining. While that may be true for some cybercriminal gangs, the ease of conducting attacks using ransomware-as-a-service means many small players have started attacking SMBs. That is unlikely to change.
92% of surveyed MSPs said they thought ransomware attacks would continue at current levels or even increase throughout this year and next.
Ransomware attacks are even being conducted on Apple operating systems. In the past year, there has been a five-fold increase in the number of MSPs who have reported ransomware attacks on macOS and iOS operating systems.
“Not only have ransomware attacks increased in recent years, but the problem may even be bigger than we know, as many attacks go unreported,” explained Jeff Howard, Founder and Owner, of the Texas MSP Networking Results. Datto suggests that only one in four attacks are reported to law enforcement.
How to Protect Against SMB Ransomware Attacks
To protect against ransomware attacks, businesses need to implement a range of solutions to block the most common attack vectors. To block email-based attacks, advanced spam filtering technology is required, and end user security awareness training is essential. To block ransomware downloads from malicious websites, web filtering software should be implemented.
Business continuity and disaster recovery technology should be implemented to ensure that a quick recovery is possible in the event of an attack, and naturally intelligent backing up is required to ensure files can be recovered without paying a ransom.
MSPs need to explain the risks to SMBs, along with the solutions that need to be installed to prevent attacks and the likely cost of recovery. Many businesses are shocked to discover the true cost of a ransomware attack.
How TitanHQ Can Help Improve Defenses Against SMB Ransomware Attacks
TitanHQ has developed two innovative cybersecurity solutions that work in tandem to block the two most common attack vectors: Email and Internet attacks. SpamTitan is a powerful spam filtering solution that combines two AV engines with intelligent scanning of incoming mail using a variety of techniques to identify malicious messages and new ransomware variants and block them at source.
WebTitan is a powerful web filtering solution that can block malvertising attacks, drive-by ransomware downloads, and prevent employees from visiting malicious websites. Both solutions should be part of an SMBs arsenal to protect against ransomware and malware attacks and both solutions should be part of an MSPs security stack.
For further information on SpamTitan and WebTitan and details of TitanHQ’s MSP offerings, contact the TitanHQ today.
This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.
Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.
Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets. In the past few months. It is clear that the threat is not going away any time soon.
$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack
The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.
The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.
Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.
City of Muscatine Ransomware Attack
The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.
Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.
Ransomware Attack on City of Atlanta
In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.
Ransomware Attacks on Municipal Services Becoming More Common
Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.
Prevention and Incident Response
One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.
The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs.
Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network.
Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers.
During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ
The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content.Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.
The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS.
If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers.
When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid. The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate.
At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos.
If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be displayed a document about business models, strategy and innovation. This may also not raise a red flag.
The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also take advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.
It is becoming increasingly important for phishers to use HTTPS for hosting phishing content. As more businesses transition from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to make the change to HTTPS. Both CloudFlare IPFS Gateway and Azure Blog storage offer an easy way to do this.
In both cases, links to the malicious forms are distributed through spam email. One of the most common ways to do this is to include an email attachment that contains a button which must be clicked in order to download content. The user is advised that the content of the file is secured, and that professional email login credentials must be entered in order to view the content. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.
The increase in use of cloud platforms to host phishing content makes it more important than ever for organizations to implement advanced phishing defenses. A powerful spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to alert users that SSL certificates do not necessarily mean the content of a web page is legitimate. Web filtering solutions are also essential for blocking access to known malicious web pages, should a user visit a malicious link.