Internet Security News

Our Internet security news features the latest press releases from the world´s largest online security companies with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advanced warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.

Consequently it is recommended to be protected against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.

Watering Hole Attacks Deliver Keylogger and Malware Loader

A watering hole attack, as the name suggests, is a cyberattack involving a place that is frequently visited. A threat actor uses a website that is often visited by the targeted business or individual and malware is loaded to that site and will be inadvertently downloaded or executed when a user lands on the site. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials.

These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns and one such campaign has recently been detected that has been attributed to the Chinese APT group tracked as TA423 which delivers the JavaScript-based reconnaissance tool, ScanBox. The campaign targets offshore energy firms that operate in the South China Sea.

While watering hole attacks often see malware written to disk, this campaign is different as ScanBox is executed in the web browser and requires no malware to be downloaded. Once executed, ScanBox logs keystrokes and records all activity on the infected website, including any passwords that are entered. As is often the case with these watering hole attacks, the user is directed to the website via a phishing email. In this campaign targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization – the fictional Australian Morning News. The website to which the user is directed includes news content that has been scraped from legitimate news outlets and landing on the site will see the user served with the ScanBox framework, which is used for reconnaissance and browser fingerprinting.

In addition to collecting information about the browser, operating system, extensions, and plugins, that attack sets up interactive connectivity establishment (ICE) communications with STUN servers, allowing communication with victim devices without having to go through network address translator (NAT) gateways and firewalls.

Watering hole attacks have been conducted by a range of different APT groups and these attacks have been the initial access vector of choice for Iranian threat actors for several years. Earlier this year, a campaign was detected that targeted Israeli websites and attempted to collect data from logistics companies involved with shipping and healthcare, and attempted to deliver malware that provided persistent access to victim devices.

Watering hole attacks can also be conducted by cybercriminal groups for distributing malware and one such campaign was recently detected that targets law firms with the goal of delivering Gootloader malware, a first-stage malware loader that can be used for delivering a variety of malware payloads. Rather than using phishing emails to drive traffic to a malicious site, compromised WordPress websites were used. Once access to the websites was gained, the threat actors used search engine optimization (SEO) techniques targeting specific search terms that are likely to be used by law firms. The SEO techniques used ensured that the malicious websites appeared high in the search engine listings for searches for legal information online, especially legal contact templates.

Defending against watering hole attacks requires a defense in-depth strategy that includes end-user security awareness training, web filtering to block access to known malicious websites, endpoint detection software, and spam filters. TitanHQ can help by providing several of these layers, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan DNS-based web filter, and SpamTitan email security.

For more information, give the TitanHQ team a call. Product demonstrations can be arranged on request, and all TitanHQ cybersecurity solutions are available on a no-obligation, 100% free trial.

ChromeLoader Malware on the Rise: How to Prevent Infection

ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions and removing them can be problematic as users are denied access to the Google Chrome extension list to prevent the removal of the malicious extensions if they are discovered. These malicious extensions are used to deliver unwanted ads, and redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware can increase the attack surface of a system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo will perform unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying but can risk other malware infections. The malicious browser extension is also difficult to uninstall as the user will be prevented from accessing Chrome Extensions.  If the user does manage to uninstall the adware, it will simply be reloaded when the device is rebooted via a Windows scheduled task. According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered.

While ChromeLoader could be distributed in multiple ways, the primary method of delivery is via pirated software, so the easiest step to take to prevent infection is never to download pirated material and to only install software/operating systems from official sources. Businesses should implement controls to prevent illegal software downloads. These downloads carry a high risk of installing malware and pirated software is also a legal risk. Businesses should also implement controls to prevent the use of shadow IT – IT solutions that are installed without the knowledge of the IT department, as they can introduce vulnerabilities that can be exploited by malicious actors.

The IT department should have a list of all versions of software and operating systems used by the company. When patches or updates are released, the IT department will need to ensure that the company is running the latest versions. If the IT department is unaware that employees have downloaded programs, vulnerabilities could easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but it introduces considerable security and legal risks.

How to Prevent ChromeLoader Infections

One way that businesses can control shadow IT and prevent ChromeLoader infections is to implement controls to use a web filter such as WebTitan Cloud. WebTitan Cloud is used to control access to the Internet. Categories of websites can be blocked such as torrents/warez sites, along with other risky websites that serve no work purposes. URLs and domains that are known to be malicious are blocked automatically. WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file downloads from the Internet, such as executable files that are used to install software (.msi, .iso etc) to control shadow IT along with other executable files that are often used for malware installation (.js, .exe, etc).

WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.

Search Engine Poisoning for Malware Distribution

There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One of the ways search engine poisoning is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time an effort to get webpages appearing in the organic search results for key search terms, but since the queries typically targeted have little competition, it is quite easy to get pages appearing high up in the organic search engine listings. Attackers typically target low volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download the content, they can easily be tricked into downloading a malicious file. Oftentimes the user will get the file they are looking for but will silently install malware when the file is opened.

Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.

Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will be executed silently which will install malware.

The domain names used closely mirror those used by the legitimate brand, and typically include the brand name with additional characters or words to make it appear that the domain is official. The file downloads are usually signed with invalid certificates, and while invalid, have been issued to recognizable brands. If the warning signs are ignored and the installation file is executed, malware will be installed.

The key to defending against these attacks is to prevent these malicious files from being downloaded, and ideally, prevent users from visiting the malicious websites. The early stages of the attack can be blocked with an ad blocker or web filter. A web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker will only block the adverts and will not block search engine poisoning in the organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files will help IT teams to control shadow IT – unauthorized software installations.

These methods of malware distribution should also be covered in security awareness training. Businesses should teach their employees security best practices and make them aware of risks such as phishing and email-based attacks, and search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to improve human defenses, which is vital as the majority of cyberattacks are the result of human error.

TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.

AI Chatbots are Being Used to Create Perfect Phishing Emails

Identifying phishing attempts used to be fairly straightforward for end users. The messages often contain grammatical errors and spelling mistakes that had been inadvertently included in the messages.  Phishing campaigns are often conducted by individuals who do not speak English as a first language, so errors will inevitably be made and it is those errors that make it fairly easy for people to spot a phishing attempt.

Those errors may soon become a thing of the past thanks to artificial intelligence tools such as ChatGPT. ChatGPT and other large language model AI tools can be used to create perfect English (or other languages) and therefore convincing text for use in phishing and social engineering attacks. Evidence is growing that these tools are being adopted by malicious actors to create phishing content that is indistinguishable from the content that a human could create, and in many cases, it is even better.

Europol has recently issued an alert about the malicious use of these AI tools for phishing and warned that the problem is likely to get worse. It is not just a case of being able to draft a grammatically correct email devoid of spelling mistakes, but that these AI chatbots can write emails in whatever style the threat actor wants, including in an authoritative tone as one would expect from an official government communication.

The biggest threat is likely to be highly targeted emails – spear phishing. Spear phishing has a far higher success rate than standard phishing attempts, as emails are carefully crafted to attack a very small number of individuals. That requires considerable research to ensure that the scam is convincing and the email will likely be opened and the request followed. The ability of AI tools to create spear phishing emails should not be underestimated. The messages these tools can generate can be exactly what a threat actor needs and the process can be largely automated, which means a higher success rate and more attacks.

These tools are significantly lowering the barrier of entry for conducting phishing attacks, and while there are restrictions in place to prevent the malicious use of these AI tools, they are being bypassed. You can ask ChatGPT to write a phishing email but it won’t, but you can create the phishing content if you are not so direct. The cybersecurity firm Darktrace says it has found evidence of phishing emails increasingly being written by chatbots, and not only does that make it easier for cybercriminals to create convincing messages, they also allow much longer messages to be created than was previously possible. The company reports that phishing email volume is down, which it suggests could be due to threat actors being able to write better, more linguistically complex emails and opt for quality over quantity. Chatbots have also been used to write malicious scripts that could be used as ransomware or for information-stealing malware. Researchers have created examples of both using the engine that powers ChatGPT.  Europol paints “a grim outlook” as phishing emails will become a lot harder for people to identify. Tools have been developed that are capable of detecting AI-written content but they are not reliable and as AI chatbots become more advanced, these tools will likely become even more unreliable.

So while the outlook may not be too good, the advances in AI technology mean businesses will need to up their game and that means ensuring that they provide security awareness training to the workforce and keep them abreast of the changing tactics used by threat actors. Training should also emphasize that employees should not implicitly trust any communication and should assume that it might be a scam. Training should cover security best practices and businesses will need to improve their technical defenses and implement further solutions to identify and block the various stages of a phishing attempt, such as advanced spam filtering (SpamTitan includes an AI-based component for detecting phishing attempts), a web filter, multi-factor authentication and to ensure that patches are applied promptly and all software is kept up to date.

Rig Exploit Kit Delivering Malware with Highest-Ever Success Rate

Exploit kits are no longer as popular as they once were, but they are still being used as a vehicle for distributing malware. An exploit kit is a program loaded on an attacker-controlled website that is able to scan for vulnerabilities when visitors land on the site and exploit those vulnerabilities to silently deliver malicious payloads. Exploit kits were first detected in 2006 and were once one of the most common ways that malware was distributed, typically exploiting vulnerabilities in browsers and browser applications such as Adobe Flash, Microsoft Silverlight, Java, and Active X to deliver information stealers, remote access Trojan’s and ransomware.

Since 2017, exploit kits have been in decline, in a large part due to Adobe Flash reaching end-of-life. Adobe Flash vulnerabilities were among the most exploited vulnerabilities. Today, exploit kits are still used for distributing malware, most commonly crypto-mining malware, although under the exploit-kit-as-a-service model, they are used to deliver a variety of payloads.

Today, some of the most successful exploit kits are now fileless. They write no files to the disk, instead they load malicious code into the memory. Traffic to these exploit kits is most commonly generated through malvertising – malicious adverts displayed on legitimate websites, either through the third-party ad blocks that website owners use to increase revenue or through compromised websites.

In recent years, the RIG exploit kit has been one of the most successful. The RIG exploit kit first appeared in 2014 and was active until 2017, when a coordinated operation led by RSA Research successfully shut down and removed its infrastructure. According to the researchers who were part of that takedown, the operators of RIG had successfully hacked hundreds of hosting accounts – mostly on GoDaddy – and hid their malicious code inside hidden subdomains – shadow domains –to avoid detection. The RIG exploit kit was loaded onto tens of thousands of active shadow domains. The operators are thought to have gained access to those hosting accounts by conducting phishing attacks to steal credentials and through brute force attacks on hosting accounts with weak passwords.

A compromised site has malicious code injected that loads JavaScript from a malicious domain. When a visitor lands on the site, a check is performed to see if the user should be targeted – such as being in the right geographical region – then the exploit will be loaded. If successful, malicious code will be written to the user’s disk and executed, and the code will deliver the required payload. Exploit kits are offered to cybercriminal groups under the exploit-as-a-service model, where they either rent access or pay to have their payloads delivered. Attacks are automated and aside from a user visiting a malicious website hosting the exploit kit, no user interaction is required to deliver malware.

The RIG exploit kit was rebuilt after the takedown and was resurrected in 2021, then temporarily shut down, before returning in 2022 with a new exploit arsenal. According to researchers at the cybersecurity firm PRODAFT, the RIG exploit kit has never been more successful, achieving a successful exploitation rate of 30% in 2022. The exploit kit is being updated weekly or monthly with new exploits and has been used to deliver a range of payloads including banking Trojans such as Dridex and IdecID, information stealers such as Racoon stealer and AzoRult, malware downloaders such as WastedLoader, and ransomware such as Royal. The most successful recent exploit was for the Internet Explorer vulnerability – CVE-2021-26411. RIG remains highly active, with the researchers reporting a 22% successful exploitation rate in the past two months.

Exploit kits exploit vulnerabilities in browsers and browser applications, so the best defense is to ensure browsers are kept up to date; however, employees often install browsers and plug-ins without the knowledge of the IT department, and these may never be updated. As an additional protection, businesses should consider a web filter, which can block the adverts that drive traffic to malicious websites, block access to those sites through filtering controls, and also block malware downloads.

Businesses That Do Not Provide Cybersecurity Awareness Training are Taking a Huge Risk

Most people are aware of the importance of cybersecurity and the need to take care when opening emails, browsing the internet or downloading apps on their mobile phones. If you ask anyone whether they are knowledgeable about cybersecurity and if they can recognize a malicious website or email, there’s a high chance that they will say yes.

A recent survey conducted by AT&T on 2,000 U.S. adults confirms that. 70% of the respondents to the survey said they were knowledgeable about cybersecurity, two-thirds of people said they know how hackers gain access to sensitive information on devices, and 69% of people said they were able to recognize suspicious websites at a glance.

However, despite being aware of the importance of cybersecurity, cybersecurity best practices are not always followed. People take considerable risks with email and the Internet, and the survey suggests that the confidence in the ability to recognize scams, malicious websites, and suspicious emails is misplaced.

While most people claim to be able to recognize a suspicious website, only 45% of respondents said they knew those sites carried a risk of identity theft. 46% of respondents were unaware of the difference between active and passive cybersecurity threats. Passive cybersecurity threats are those where a threat actor simply monitors communications and gathers sensitive information, whereas an active attack involves some action or modification of communications. An example of a passive attack is a malicious actor eavesdropping on a connection to a website via an evil twin Wi-Fi access point. An example of an active attack would be a malware attack.

The average person lands on 6.5 malicious websites or suspicious social media accounts every day and in many cases, those sites are accessed deliberately. Suspicious websites include those that start with HTTP rather than HTTPS, which means the connection between the web browser and the website is not encrypted. Suspicious sites include those with lots of pop-ups, or unverified sites and social media accounts.

39% of respondents said they accessed suspicious streaming websites to view major sporting events, 37% would download files from suspicious websites if they wanted to find a song or video game that they couldn’t find elsewhere, and these sites would be used to make purchases if they were offering a big discount. Considering that 70% of people said they were knowledgeable about cybersecurity, it is alarming that less than 40% of people consider common security risks when accessing the Internet. Only 32% of people considered the possibility of a network intrusion and just 31% of people considered whether an app or software could be malicious. The survey also revealed people take big security risks with passwords. 42% of people reuse passwords on multiple websites and alarmingly, 31% of people use a birthday as a password.

Businesses should take note of this survey. The survey was conducted on a sufficiently large number of people that it should be considered representative of the population as a whole and makes it clear that there is a need for cybersecurity awareness training to be provided by employers to bring the level of knowledge about cybersecurity up to scratch and be taught the importance of following cybersecurity best practices. Even people who are aware of the risks will take shortcuts for convenience, so businesses should also consider restricting access to certain websites.

If you want to improve cybersecurity, you should start with the human element and try to eradicate risky behaviors. TitanHQ offers businesses a comprehensive cybersecurity awareness training platform – SafeTitan – that covers all aspects of security and cybersecurity in the workplace. The platform can be used to improve understanding of risks and teach the best practices that should be followed at all times. The training content is gamified, interactive, and fun, and has been shown to be highly effective at eradicating risky behaviors. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to risky behaviors by employees. When a risky action is taken, the platform automates the intervention and delivers the relevant snippet of the company policy and training content specific to that risk or threat.

Businesses can also take advantage of WebTitan Cloud – a DNS-based web filtering solution that prevents employees from accessing known malicious websites. When an attempt to visit a malicious website is made, the connection to the site will not be made and the user will be informed that the site has been blocked. Businesses can also use the category-based filters in WebTitan Cloud to prevent employees from accessing certain types of websites, such as those that carry a risk of malware infections. Peer-to-peer file sharing networks for example.

By educating the workforce on cybersecurity and implementing controls to restrict access to risky websites, businesses will be able to prevent more costly cyberattacks and data breaches. For more information on cybersecurity awareness training and web filtering, give the TitanHQ team a call.

Bumblebee Loader Fast Becoming the Delivery Vehicle of Choice for Ransomware Gangs

Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing one of the most common methods of gaining initial access to business networks. Phishing is used to obtain credentials, especially for cloud-based services and applications. Phishing emails are often used to deliver malware loaders. Once installed, the malware loader drops malicious payloads which ultimately results in a network-wide ransomware attack.

A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest profile ransomware operations. According to Symantec, Bumblebee Loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice.

The BumbleBee loader is primarily delivered via phishing emails and is used to create a backdoor in victims’ networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently high number of devices and systems have been compromised, the BumbleBee loader drops the ransomware payload. After sensitive data has been exfiltrated from the victim’s systems, the file encryption process is initiated.

According to Symantec, the Bumblebee loader has replaced several other malware variants that have proven popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader. The replacement of those malware variants with Bumblebee the loader appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken as it is likely that the malware could lead to a ransomware attack.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021. The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021 Ransomware Study by IDC found that 37% of global organizations had suffered at least one ransomware attack in 2021. Verizon reported in its 2021 Data Breach Investigations Report that the number of ransomware attacks doubled in 2021, and ransomware is now involved in 10% of all data breaches.

Ransomware attacks are being conducted on businesses in all industry sectors, with education, retail, professional and legal services, government, IT, manufacturing, energy, healthcare, and the financial services the hardest hit. Attacks can be extremely damaging to businesses and can cost millions of dollars to mitigate. Many businesses have been forced to close as a result of an attack.

How to Protect Against Ransomware Attacks

Many ransomware gangs operate under the ransomware-as-a-service model, where affiliates are recruited to conduct attacks in exchange for a cut of any ransom payments they generate. Having many affiliates conducting attacks means more attacks can be conducted than if ransomware gangs operated alone. Affiliates have specialist skills and excel at certain types of attacks. That means defending against attacks means blocking multiple attack vectors, which means multiple security solutions need to be deployed.

Defending against ransomware attacks requires a defense in-depth approach involving multiple layers of protection. An email security solution – such as SpamTitan – should be used for blocking attacks via email, such as emails distributing the Bumblebee loader. A DNS filter such as WebTitan should be deployed to block attacks over the Internet and prevent employees from visiting malicious and risky websites.

It is important to educate the workforce about the threat of phishing, malware, and ransomware, and train the workforce on how to recognize and avoid threats such as phishing and social engineering. TitanHQ offers the SafeTitan security awareness training and phishing simulation platform for creating a security-aware workforce.

Vulnerabilities are often exploited, so it is important to ensure that patches and software updates are applied promptly. In the event of an attack succeeding, businesses need to be able to recover quickly. One of the biggest causes of losses in ransomware attacks is lost business due to the disruption caused by an attack, not the cost of the ransom payment. To minimize damage and ensure the fastest possible recovery, an incident response plan should be developed that specifically covers ransomware attacks and that plan should be regularly tested in tabletop exercises.

It is naturally also vital for backups to be created of all data to ensure data can be recovered in the event of an attack. Multiple copies of data should be made, the backups need to be tested to ensure file recovery is possible, and the backups should be stored on a non-networked device, with one copy stored securely offsite.

Malicious QR Codes are Being Used for Phishing and Malware Distribution

Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested or to sites hosting malware.

A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes have been widely adopted during the COVID-19 pandemic for carrying out contactless operations, such as registering attendance at a venue and for viewing menus in restaurants to help prevent the spread of COVID-19.

Many smartphones have in-built QR code readers and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user will be directed to whatever web resource has been programmed into the code. While QR codes have many important uses, QR codes can be easily tampered with to direct individuals to malicious websites.

Phishing emails often contain links to malicious websites that have been masked by changing the text in the hyperlink. Hovering a mouse arrow over the hyperlink on a computer will display the URL to which the user will be directed; however, with a QR code the user may be instantly directed to the website and could be prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information.

Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim’s mobile device, allowing them to steal sensitive information such as passwords or bank account information.

Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct customers to malicious websites that mimic those used by the business in order to steal payment card information.

The Federal Bureau of Investigation (FBI) has recently issued a warning about the increase in the use of QR codes for conducting malicious activities. The FBI emphasized that QR codes are not malicious in nature but can be abused, so precautions should be taken when using QR codes and not to assume that QR codes are secure.

A study conducted by Ivanti in 2021 revealed 87% of people felt secure conducting financial transactions using QR codes. Given the rise in abuse of QR codes, that confidence is worrying. As with embedded hyperlinks in emails, it is important to exercise caution and to check the URL of the resource that the user is directed to before taking any actions. The domain should be checked to ensure it is correct, and care should be taken to look for any typos or misplaced or substituted letters.

The FBI recommends checking a QR code before scanning to make sure it has not been doctored with, such as by overlaying a sticker on the original QR code. If prompted to download a file after using a QR code, be aware that the file may be malicious. If prompted to download an app, it is more secure to visit an official app store. It is also not necessary to download a QR scanner on most mobile phones, as this increases risk. The apps may be malicious, and many automatically direct users to a resource without requiring confirmation or providing information about the URL that the user will be directed to.

Businesses can protect their corporate-owned devices against QR code scams by installing a web filter. A web filter such as WebTitan can be used to prevent mobile devices from being used to visit malicious websites or web pages that violate acceptable internet usage policies. WebTitan will protect against any redirect to a malicious website, whether via a link in a phishing email or QR code and will also block malware downloads and potentially malicious files.

Phishing Campaign Uses Spoofed Government Unemployment Websites for Fraud and Malware Distribution

A phishing campaign has been identified that uses spoofed unemployment benefits websites to trick people into disclosing sensitive personal and financial information. These websites have been designed to closely resemble official U.S. government websites that are used to apply for unemployment benefits.

Individuals arriving on the websites are prompted to enter personal and financial information as part of the claims process. The information provided can be used by the scammers to file fraudulent unemployment benefits claims and have payments directed to their accounts. The credentials and information harvested through the sites can also be used or sold to other cybercriminals to commit identity theft and fraud, with some of the sites used for installing malware onto victims’ devices, including ransomware.

The U.S. Federal Bureau of Investigation (FBI) has received an increased number of complaints about these scams through its Internet Crime Complaints Center in recent weeks, prompting the FBI to issue an alert about the scams. At the time of issuing the alert, the FBI had identified 385 domains hosted on the same IP address, 8 of which impersonated official government websites that host unemployment benefit platforms. Those sites have an .xyz top-level domain (TLD) rather than .gov, and mostly impersonate state-level websites.

The malicious websites include employ-nv[.]xyz, gov2go[.]xyz, illiform-gov[.]xyz, mary-landgov[.]xyz, and newstate-nm[.]xyz, which were all still active at the time of the alert, along with employ-wiscon[.]xyz, marylandgov[.]xyz, and newstatenm[.]xyz which are no longer active.

Campaigns such as this are nothing new, but the number of complaints received about the scams is increasing, as are the number of reported cases of identity theft. Figures from the U.S. Federal Trade Commission show identity theft reports doubled between 2019 and 2020, with more than 1.4 million reports received last year.

Several steps can be taken to avoid becoming a victim of these scams. It is important to exercise caution when visiting any website and ensure that the spelling of the web address is correct, and the website has a .gov TLD. The U.S. government does not use .xyx TLDs on its websites.

While the padlock icon next to a URL is a sign that the site has an SSL certificate and the connection between the website and the browser is secure, it does not indicate the website is genuine. Cybercriminals often obtain SSL certificates for their websites to make them appear to be legitimate. The padlock should be present before any sensitive data is disclosed to avoid interception of that information, but other checks should be performed to make sure the site is genuine.

Malware downloads can be blocked by using antivirus software, which should be set to update automatically. Any security updates should be applied promptly, and browsers and plugins regularly updated to the latest version. To prevent stolen credentials from being used to access accounts, multi-factor authentication should be implemented and strong passwords should be set on accounts.

It is important to stop and think before taking any action suggested on a website or in an email. In the case of the latter, never open attachments in emails or click links to websites in messages from unknown individuals. Even if an email appears to have been sent by a trusted individual, checks should be performed on the email header information, especially in unsolicited messages.

Many of these campaigns target individuals, but employees are often targeted in phishing attacks that seek email credentials and other sensitive business information. In addition to providing security awareness training to the workforce and implementing an advanced email security solution such as SpamTitan, businesses should consider implementing a web filter.

WebTitan is a powerful DNS-based web filtering solution that is used by many businesses and Managed Service Providers to improve Internet security. Web filters are used to control the content that users can access over wired and wireless networks. They block attempts to visit known malicious websites, can be configured to block access to risky categories of websites, and also block malware downloads. They serve as an important extra layer of security to block phishing attacks and provide greater protection than email security solutions alone.

If you want to improve protection against phishing and web-based attacks, give the TitanHQ team a call today to find out more about SpamTitan Email Security and WebTitan Web Filtering.

If you already have email and web security solutions in place, you might be surprised to find out that you can get the same or better protection and a much-reduced price with TitanHQ solutions.

Benefits of DNS Filtering with Web Filtering Myths Busted

To those unfamiliar with DNS filtering, it is a form of web filtering that is used to filter out unwanted and undesirable web content, whether that is webpages containing objectionable material such as pornographic images or cyber threats such as websites used for phishing or malware distribution.

The Domain Name System (DNS) is what makes it possible for websites to have easy-to-remember domain names. A domain name, such as google.com, is easy for people to remember, but no use to a computer, which requires an IP address to find that resource on a remote server. The DNS is used to convert a domain name into its corresponding IP address, and DNS filtering is web filtering that takes place at the DNS lookup stage of a web request before a connection is made to the server hosting the web content.

DNS Filtering Myths

DNS filtering has several advantages over standard web filtering. Filtering occurs before any content is downloaded, which is better for speed and security. With DNS filtering, there is next to no latency – page load speeds are unaffected.

Many businesses fail to appreciate the importance of DNS filtering, after all, what is the point of blocking malware and ransomware threats on the Internet when antivirus software is installed on all end points? While AV software is effective at blocking known malware threats, it will not block new threats that have not been seen before, as the signatures of those malware variants are not in the virus definition lists of AV software. New variants of old malware versions are constantly being released to bypass signature-based AV defenses, so additional protection is needed. DNS filters can block these threats based on the reputation of IP addresses and will block downloads of file types associated with malware.

DNS filtering also improves defenses against phishing attacks, which all too commonly result in costly data breaches. Phishers are constantly devising new methods to get their emails into inboxes and trick end users into clicking on links and disclosing their credentials. Spam filters will block most of these messages but not all, and security awareness training only goes so far. A web filter will block access to phishing content and can significantly improve an organizations’ phishing defenses. When links to phishing websites are clicked the request is blocked and DNS filter logs will show which links were clicked. That can help to improve the effectiveness of spam filters and security awareness training programs.

DNS filters are also used for content control. Most businesses will have acceptable Internet usage policies in place, and employees will be aware of the risks of accessing prohibited web content, but DNS filters are ideal for enforcing those policies. Thew can prevent lawsuits from downloads of copyright infringing cracked software and other pirated content onto business network or users’ devices.

There is a common misconception that DNS filtering is complicated and time consuming when that is not the case. A DNS filtering solution is actually very quick and easy to configure. Simply point the DNS to the service provider, and you can set your filtering controls quickly and easily through the user interface. WebTitan for instance can be up and running in around 30 minutes and after the initial set up and little ongoing maintenance is required.

Another common misconception is that DNS filters are easy to bypass. While no web filtering solution is impossible to bypass, it is fairly easy to ensure that most users will not be able to bypass the filtering controls. You just need to configure the solution to block proxies and anonymizers and lock down the DNS settings. It is also recommended to block DNS requests to anything other than your approved DNS service at the firewall for good measure.

If you have your own, locally hosted, internal DNS server, you should allow only port 53/UDP outbound requests from your internal DNS server’s internal IP address to the external IP addresses of the primary and secondary DNS servers that your internal DNS server is configured to use. That means local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet.

Key Benefits of DNS Filtering

  • Block access to malicious and risky websites with no latency
  • Enforce acceptable Internet usage policies
  • Block malware downloads and file downloads associated with malware
  • Prevent users from visiting phishing websites
  • Block copyright infringing file downloads
  • Protect against zero-day malware threats
  • Have highly granular control over the content that network users can access
  • Protect employees and devices when they are working off-site
  • Stop employees from accessing productivity-draining websites

DNS Filtering with WebTitan

WebTitan Cloud offers a quick, easy, and painless way for businesses to filter the Internet and block malicious and undesirable web content. WebTitan can be used to apply filtering controls to users of wired and wireless networks, with controls effective no matter where employees use their devices to access the Internet – in the office, while travelling, or working remotely.

WebTitan Cloud uses three mechanisms for filtering the Internet – First there are SURBL & URIBL filters to block access to known malicious web content, then there are category filters – 53 pre-set categories plus customizable categories – that are used to block content such as pornography, gambling, gaming, and dating sites, and the third tier involves keyword filters that fine tune category controls and block sites based on the presence of keywords and web pages that exceed certain keyword scores.

WebTitan Cloud can be configured to block certain files from being downloaded, acceptable Internet usage policies can easily be applied, and sites can be easily blacklisted using third-party blacklists, or whitelisted to ensure they can always be accessed.

When an attempt is made to visit a prohibited website, the request will be denied, and the user will be directed to a customizable local block page. All web activity is logged, and it is easy to see what requests have been made, the access attempts that have been allowed or blocked, and what content has been viewed, with extensive reporting and real time views of Internet activity.

The result is total control over what users can access and full visibility into Internet activity, while greatly improving cybersecurity by blocking web-based threats.

With WebTitan you get:

  • Best-in-class malicious URL detection
  • Malware, phishing, and ransomware protection
  • Real-time filtering
  • Instant categorization of web content
  • Infinitely scalable DNS filtering
  • Flexible policies
  • An extensive web filtering API allowing incorporating into existing monitoring systems
  • Immediate live updates
  • Zero-day updates to protect your customers as threats arise.
  • No bandwidth limits
  • No latency issues
  • Remote management and monitoring
  • SSL is supported
  • Multiple hosting options
  • Flexible pricing policies
  • Low-cost web filtering

For more information about DNS filtering in general, the WebTitan suite of DNS filtering solutions, or to book a product demonstration or to register for a free trial, give the TitanHQ team a call.

DoppelPaymer RaaS Rebrands as Grief Ransomware

Ransomware gangs have been feeling the heat following the DarkSide ransomware attack on Colonial Pipeline in May that forced the company to shut down its fuel pipeline serving the U.S. East Coast for a week. Any attack on critical infrastructure is likely to draw a response from the U.S. government, so it is no surprise that ransomware gangs faced a great deal of scrutiny after the attack. The DarkSide group shut down following the attack, and several other ransomware gangs went quiet.

DoppelPaymer was one of the gangs that appeared to be laying low. Around a week after the Colonial Pipeline attack the group went quiet and no further updates were posted on the group’s data leak site after May 6, 2021.

It is not uncommon for ransomware operations to go quiet for a few weeks, but they usually return. In many cases, the threat group reappears with a tweaked ransomware variant that is used under a new name, as has happened with DoppelPaymer.

DoppelPaymer attacks often start with a phishing email with links or attachments that install other malware variants, which in turn deliver the ransomware payload. Prior to the Emotet botnet being shut down, that banking Trojan was used to deliver DoppelPaymer, as well as Dridex.

Security researchers investigating a new ransomware-as-a-service operation called Grief (PayorGrief) that appeared in June identified striking similarities between Grief and DoppelPaymer, leading them to the conclusion that they are one and the same.  A sample of the malware was found that dates back to May 17, indicating the group had only stopped attacks for a very short period of time.

Grief and DoppelPaymer both have the same encrypted file format and are both distributed in phishing emails via the Dridex botnet, with one of the analyzed Grief samples also found to link to the old DoppelPaymer portal, although the samples identified since point to a separate Grief RaaS portal. Analyses of the code and the leak site also revealed further similarities such as the use of identical encryption algorithms and matching General Data Protection Regulation (GDPR) warnings for non-paying victims about GDPR penalties. The group appears to have been quite active in the short time since the new RaaS was launched, with 12 victims already listed on the group’s data leak site.

The best way to protect against DoppelPaymer ransomware attacks is to concentrate on blocking the initial attack vector – the phishing emails that deliver Dridex, which in turn delivers the ransomware. That requires an advanced anti-spam solution with machine learning capabilities and sandboxing. SpamTitan has these capabilities and many more detection mechanisms that ensure 100% of known malware threats are identified and blocked and new malware threats are identified even before their signatures are known.

For further information on improving your defenses against ransomware, malware, botnets, phishing, and other email- and web-based threats, give the TitanHQ team a call.

Crackonosh Malware Turns Devices into Cryptocurrency Mining Rigs

A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs.

Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.

Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites.

The games are legitimate, although they have been cracked to allow them to be installed without having to purchase the game key. The correct game will be installed but bundled into the installer are several other files that will execute in the background and install Crackonosh malware, which is capable of disabling certain antivirus programs to ensure it is not detected, including Windows Defender. It also disables Windows Update to ensure that Windows Defender is not reactivated. Since the malware creates and stores an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled.

One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable.

The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest numbers of infected computers in the Philippines, Brazil, India, Poland, United States, and the United Kingdom. As of December 2020, there were more than 220,000 devices infected with Crackonosh malware and those devices had been used to generate at least $2 million in Monero coins at today’s prices.

This malware campaign targets gamers as their computers are well suited to mining cryptocurrency. Once infected, users are likely to experience a serious reduction in performance and much higher electricity bills, but cryptocurrency mining can also cause computers to overheat, components can wear out from overuse, and devices will ultimately fail.

It is not only cryptocurrency mining malware than can be installed along with cracked software. Any number of other malware variants could be delivered. Another recently identified campaign also uses cracked software as the cover but delivers a malware loader dubbed MosaicLoader. MosaicLoader is used to deliver cryptocurrency miners as well as Remote Access Trojans, cookie stealers, backdoors, and any other malware than the MosaicLoader operator sees fit to deliver.

Installing cracked software and games carries a risk of malware infections, and that is particularly bad news for businesses, especially those that have a BYOD policy or allow their employees to work remotely on corporate-issued devices.

Preventing malware infections such as Crackonosh or MosaicLoader should start with education. Employees should be told about the risks of installing cracked software or other unauthorized software on devices. Technical measures are also required. To block downloads from the Internet, it is worthwhile installing a DNS filter. DNS filters can be used to block content at the DNS lookup stage of a web request, before any content is downloaded.

They can block access to certain categories of websites – gaming sites and forums for examples – or specific files from being downloaded, such as game and software installers. DNS filters also use a variety of methods to assess whether sites are malicious and will block access to URLs and IP addresses known to be used for illegal and malicious purposes.

If you want to improve your defenses against malware, contact TitanHQ today. TitanHQ’s advanced spam filtering solution – SpamTitan – and DNS filter – WebTitan – block malware at source and keep you protected from phishing, ransomware, and other email and web based threats.

Cost of a Ransomware Attack? $600 Million for Ireland’s Health Service Executive

Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but they will need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.

Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and the health system choose not to pay the ransom. Add up the recovery costs which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during the remediation process, and the cost of the attack rose to $67 million.

While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland’s Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results.

A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief executive Paul Reid said it is likely to take months before all systems are brought back online.

Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operation center needs to be set up to monitor the network to prevent any further attacks. The initial costs incurred as a result of the attack were reported to be well over €100 million, but the overall cost of the attack is expected to rise to around half a billion Euros – Around $600 million.

An attack on such a major healthcare provider is naturally going to be incredibly costly, but ransomware attacks on small businesses can be catastrophic. Following a ransomware attack, an estimated 60% of small businesses fail within 6 months. One study showed the cost of remediating a ransomware attack doubled between 2020 and 2021, with the average cost now around $1.85 million. Attacks are also increasing. An analysis of the data leak sites used by ransomware gangs by cybersecurity firm Mandiant showed there has been a 422% increase in ransomware-related data leaks between Q1, 2020 and Q1, 2021.

How to Improve Your Defenses Against Ransomware

The most prolific ransomware gangs operate under the ransomware-as-a-service model. The creators of the ransomware do not conduct attacks, instead they employ affiliates to do they attacks for them. That means more attacks can be conducted. The creators run the operation and take a cut of any ransom payments generated, with the affiliates retaining the bulk of the ransom payments from their attacks.

Affiliates conduct attacks using a variety of methods and no two attacks will be exactly the same. Preventing ransomware attacks therefore requires a range of different measures to block all of the attack vectors, but the best place to start is by improving phishing defenses. Phishing emails are increasingly used as the initial entry point into business networks, so if these malicious emails can be blocked at the email gateway, they will not be delivered to inboxes where they can be opened by employees.

That is an area where TitanHQ can help. TitanHQ has developed two advanced solutions that are effective at preventing ransomware attacks. SpamTitan is a powerful email security solution that filters out malicious messages to stop them from causing harm. Rather than be delivered, emails with malicious links and attachments are quarantined.

WebTitan is a DNS-based web filtering solution that complements SpamTitan to provide even greater protection against ransomware and malware attacks. WebTitan prevents employees from visiting the malicious websites where malware and ransomware are downloaded.

Both solutions are consistently given top marks on software review sites such as G2 Crowd, with the solutions given a maximum of 5 stars by users of Spiceworks and Capterra. SpamTitan has also received over 37 consecutive Virus Bulletin Spam awards.

If you want to improve your defenses against phishing, ransomware, and web-based attacks, give the TitanHQ team a call. If you would like more information about protecting against attacks, also be sure to attend the upcoming TitanHQ/Osterman Research webinar on June 30, 2021:

How to Reduce the Risk of Phishing and Ransomware. REGISTER YOUR PLACE HERE.

WebTitan OTG (on-the-go) for Chromebooks Now Available with WebTitan Cloud Update

TitanHQ has announced a new version of WebTitan Cloud has been released that brings new features and improved security.

The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks.

The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked.

WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA) and protect their students and their devices from threats.

WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs.

Set up is easy and user and device level web filtering for Chromebooks can be set up in just a few minutes. The solution provides protection for students regardless of where the Internet is accessed – students will have access to a clean, safe, filtered Internet in the classroom and at home, and it is also easy to lockdown Chromebooks to prevent any bypassing of filtering controls. Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.

Support Added for in Azure Active Directory

WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory, as well as on-premise AD and directory integration for Active Directory, with further directory services due to be added to meet customers’ need.

Current WebTitan customers will be automatically updated to the latest version of WebTitan Cloud and will have instant access to the new features and the latest fixes will be applied automatically.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Worrying Number of Employees Using Work Devices for Non-Work Purposes

The pandemic forced many businesses to accelerate their digital transformation strategies to support an at home workforce and survive the pandemic; however, this new approach to working was not without risk.

Cybercriminals took advantage of companies that failed to address vulnerabilities, with some of the most widely exploited vulnerabilities in 2020 in remote access solutions such as the Pulse Secure VPN. Brute force attacks against Remote Desktop Protocol skyrocketed as more businesses switched to remote working, and while many businesses have opened their offices once again, the brute force attacks are still occurring at levels far above those before the pandemic.

Threat actors also stepped up their attacks on remote workers early on in the pandemic and attacks are continuing as lockdowns persist and employees continue to work from home. Many businesses address these risks through security awareness training and teach employees cybersecurity best practices and how to identify threats such as phishing. A little security awareness can go a long way and can be the difference between a threat being recognized and avoided or a link in a phishing email being clicked without thinking by an employee.

There are many threats that businesses may not be aware of, one of which was highlighted by a recent YouGov survey. Throughout a large part of the pandemic, schools have been closed and children have been home schooled. The survey revealed a quarter of UK workers have allowed their children to use their corporate device as part of home schooling and for other purposes such as socializing and gaming.

An employee may be aware not to engage in risky online activities, but children using work devices for Internet access leaves businesses vulnerable to cyberattacks. The survey, conducted on 2,000 UK employees, also revealed 70% of employees could access social media websites on their corporate devices and despite being one of the most fundamental aspects of security, 74% of employees said they did not use a unique password for all accounts.

During the pandemic when employees are isolated and may ben struggling with home schooling as well as working, it is understandable for employers to take a more relaxed view on the use of work computers for non-work purposes, but risks do need to be managed. Having no visibility into Internet access and failing to implement any controls over the content that can be accessed by remote workers and other household members on work laptops is a serious risk, and one that could easily lead to a malware or ransomware attack.

One of the ways that security can be improved for remote workers is to place certain restrictions on uses of corporate laptops with a web filter. A web filter such as WebTitan gives IT teams visibility into the sites that their employees are accessing, which allows them to identify potential risks and apply controls to reduce those risks to an acceptable level.

WebTitan can be used to prevent downloads of certain file types to reduce the risk of a malware infection and to block access to high-risk websites, such non-sanctioned file sharing services. Categories of website can be blocked at the click of a mouse, such as social media websites, and it is straightforward to block messenger services.

WebTitan is a powerful, yet easy to use security solution that is easy to apply to protect devices issued to employees no matter where they work and can greatly improve security with a remote workforce as well as when employees return to the office.

For further information on improving security for remote workers, including web filtering and email security, give the TitanHQ team a call. You can also sign up for a free trial of WebTitan here and immediately reduce risk.

TitanHQ Wins 3 Expert Insights’ 2021 Best-Of Awards for SpamTitan, WebTitan, and ArcTitan

TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ Best-Of” Awards, beating some of the best-known email security, web security, and email archiving products on the market.

For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats.

Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services.

Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ Best-Of” Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ Best-Of” Award.

This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder Craig MacAlpine. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

WebTitan, TitanHQ’s powerful DNS-filtering solution was named a winner in the Web Security category, the SpamTitan anti-phishing and anti-spam solution was named a winner in the Email Security Gateway category, and ArcTitan was named a winner in the Email Archiving category.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.” 

 

How Does DNS Filtering Work?

DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 198.35.26.96. The DNS maps IP addresses to domain names to allow computers to find web resources.

How DNS Filtering WorksWhen a domain is purchased from a domain register and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.

So how does DNS Web Filtering Work?

With DNS filtering in place, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites, previous crawls of new websites and web pages, or web content will be assessed in real time if the web page or website has not previously been crawled and categorized. If the website trying to be accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.

This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.

Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.

Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today.
Book Free Demo

Will a DNS Filter Block All Malicious Websites?

Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.

The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.

Can a DNS Filtering Service be Bypassed?

The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter. Your DNS filtering service should allow you to easily block access to anonymizer websites and prevent the use of proxy servers and virtual private networks (VPNs). Configuring the DNS filtering service to block access to these services will prevent all but the most determined employees from bypassing the DNS filtering service.

The other key way of bypassing a DNS filtering service is to manually change the DNS settings locally, so it is important for these settings to be locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.

There may be a legitimate need to bypass a DNS filtering service. Some DNS content filtering solutions have a feature that allows administrators to temporarily remove content filtering controls. WebTitan Cloud uses cloud keys for this. The cloud key can be issued to a user to bypass content filtering settings for a set time period, such as if research needs to be conducted.

Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today.
Book Free Demo

DNS Content Filtering for CIPA Compliance

Schools and libraries in the United States are required to comply with the Children’s Internet Protection Act (CIPA) in order to receive E-rate discounts and qualify for federal grants.  There are several requirements of CIPA, one of the most important being to block or filter Internet access to prevent access to images that are obscene, involve child pornography or child abuse, or could otherwise be harmful to minors.

DNS content filtering is the easiest and most cost-effective way of complying with this requirement of CIPA and applying content filtering controls for both wired and Wi-Fi networks. DNS content filtering solutions require no hardware purchases, no software needs to be installed, and they are easy to implement and maintain. DNS content filtering solutions have highly granular filtering controls and allow precision control over content, without overblocking.

DNS Web Filtering Software from TitanHQ

Now you have a better idea about how DNS filtering works, we will introduce you to WebTitan Cloud. WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the internet and block access to malicious content and enforce your acceptable internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the internet in minutes.

WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff. The WebTitan  DNS web filtering solution – WebTitan Cloud – is a feature-rich, cloud-based solution with a low maintenance overhead and a three-tiered filtering mechanism for maximum granularity. Universally compatible and infinitely scalable, WebTitan Cloud has SSL inspection to provide the highest level of defense against online threats.

WebTitan Cloud can be integrated with multiple management applications (Active Directory, LDAP, etc.) for easier administration. WebTitan can also be  remotely configured and adjusted from any Internet-enabled device. An unlimited number of users can be filtering at any time.

Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today.
Book Free Demo

Try DNS Filtering Software with SSL Inspection for Free

If you would like to evaluate the benefits of the WebTitan DNS filtering solution in your own environment, please get in touch. Our team of experienced security professionals will answer any questions you have about DNS Internet filtering  and guide you step by step through the process of registering for your free trial.

Once you are registered, we will walk you through the process of redirecting your DNS to receive our service. There are no credit cards required, no contracts to sign and no commitment from you to continue with our DNS filtering software once the trial period is over. Simply call us today, and you could be adding an extra level of security to your organization´s web browsing activity within minutes.

WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites, and 6 billion web pages in 200 languages, including coverage of Alexa 1 million most visited websites. Industry leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.

These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.

Why WebTitan is a Vital DNS Web Security Layer for Your Business

  • DNS Security Layer – Filter URLs, detect malicious threats, create flexible policies, and more with an API driven DNS security filter
  • Full Path Detection – Provide analytical credibility to any activity marked as malicious with page and path-level reporting.
  • User Identification – Assign custom policies to a user or group of users with uniquely identifiable user names.
  • Scaleable Support – Handle any volume of usage with no latency and receive support from our top-class team.
  • Reporting – full suite of reports including behavior, trend and security reports.
  • API Driven – robust API set that allows our MSP customers to easily incorporate WebTitan DNS filtering directly into their existing cloud offering.
  • URL Filtering – block access to websites known to contain malware.
  • Remote & Roaming Users – allows off-network roaming by users while continuing to apply their policy.
  • Content Filtering – highly granular content controls with multiple integration options and comprehensive malware protection.
  • AI Threat Intelligence – real time AI driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.

What WebTitan Customers Have to Say

“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager

“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. [It] has provided us with a stable web filtering platform that has worked well for us for many years. “Derek A. Network Manager

If you have yet to implement a web filtering solution, are unhappy with your current DNS filtering service, or you have questions about DNS content filtering, contact the TitanHQ team today and ask about WebTitan Cloud.

Why not try our web filtering solution for free?

 

How Does DNS Filtering Work FAQ

What 3 things are most important about employee internet access?

Employees need internet access to complete their work duties, but it is essential to develop an acceptable Internet usage policy and get employees to sign it, that policy should be enforced using a web filtering solution, and you should have a sanctions policy for when employees violate the rules.

What is best, a web filtering appliance of cloud-based web filter?

Both options will provide clean, safe Internet access, but cloud-based web filtering does not require the purchase of a costly appliance, it is more flexible and scalable, and there is no patching burden. For SMBs and MSPs, cloud-based web filtering is the easiest and most cost-effective Internet filtering solution.

Does web filtering slow Internet speed?

Some web filtering solutions involve a degree of latency, but a DNS filtering solution will not slow internet speed as all filtering takes place at the DNS lookup stage of a web request before any content is downloaded. Filtering occurs in the same time as it takes to perform a standard DNS lookup so there is no latency.

How can I provide DNS filtering as a managed service as an MSP?

Adding the WebTitan DNS filtering service to your service stack couldn’t be easier. WebTitan is can be set up in minutes, APIs allow easy integration into your existing back office systems, you will be provided with a white label version ready to take your branding, and you can even host the solution in your own environment.

How much does DNS content filtering cost?

There is considerable variation in price between different web filtering solutions. The most expensive solution will not necessarily be the best option for your business. Price depends on contract term, the number of users, and add-ons. TitanHQ’s DNS content filtering solution, WebTitan, typically costs around $1 per user, per month.

DanaBot Trojan Phishing Campaign Resumes with Phishing and Internet Distribution

A phishing campaign is underway which is distributing a new variant of the DanaBot Trojan. The DanaBot Trojan was first identified in May 2018 and has been actively distributed via phishing emails for more than two years. In the summer of 2020, activity slowed but the campaigns resumed in October.

DanaBot is a modular banking Trojan used in targeted geographical attacks on businesses. The first variant that emerged in 2018 was used in targeted attacks in Australia, while the second variant was primarily used in attacks on U.S. companies. Attacks have also been conducted in Europe, primarily in Ukraine, Austria, Poland, Italy, and Germany.

The latest variant is the fourth to be identified and has been released around a year after the third variant was identified in February 2019. The latest variant has had several technical anti-analysis changes made to the main component of the malware and its method of maintaining persistence has changed. The latest variant now achieves persistence through a LNK file loaded into the user’s startup folder, which launches the malware when the device is booted.

Affiliates are used to conduct campaigns distributing the DanaBot Trojan under the malware-as-a-service model. Several new affiliate IDs have been added which suggests the malware-as-a-service operation is growing. It is therefore probable that DanaBot will grow into a much bigger threat in 2021.

Previously, DanaBot has been primarily distributed via spam emails that deliver a malware dropper, which downloads the banking Trojan via a multi-stage process. It now appears that the malware is being distributed via websites that offer cracks and software keys for pirated software such as graphics software, VPNs, antivirus software, and games.

Protecting Against Banking Trojans by Blocking Malware Delivery

Protecting against DanaBot and other Trojans requires a range of security measures. Two of the most important are an advanced spam filter and a web filtering solution. The spam filter will detect malicious emails that attempt to deliver the malware dropper, while the web filter will block access to the websites that are used to download the malware.

TitanHQ has developed a spam filtering solution – SpamTitan – that provides protection against known and unknown malware variants and a web filter – WebTitan – that prevents users from accessing malicious websites and categories of website commonly used to distribute malware.

With both of these cost-effective cloud-based cybersecurity solutions implemented, businesses can block the two most common vectors used to distribute malware and keep their networks and devices well protected.

For further information on both solutions, details of pricing, and to register for a free trial of the full solutions, give the TitanHQ team a call.

How is the Cyber Threat Landscape Likely to Change in 2021?

COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures.

Phishing campaigns were conducting offering advice about the virus, potential cures, and advice as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates.

The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs and throughout 2020, ransomware gangs have been extremely active, especially in Q3 and Q4, 2020 when attacks soared.

As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.

The Cyber Threat Landscape in 2021

The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely.

Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity. The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread malware and ransomware.

These COVID-19 vaccine scams have impersonated the World Health Organization, Centers for Disease Control and Prevention, and vaccine manufacturers, and are likely to increase over the coming weeks and months. Campaigns have been identified in 2021 that impersonate public health authorities and trick users into clicking links and download files that install Trojans when opened.

We are also likely to see the scams offering financial support, virus information, and infection alerts continue, and offers of fake vaccine can be expected over the coming weeks and months.

One vaccine-related scam to be recently identified involved messages sent to businesses asking recipients to click a link to confirm their email in order to receive the vaccine. Clicking the link directed them to a phishing website where Microsoft 365 credentials were harvested.

Since many employees will continue to work from home in 2021 until the risk of infection is reduced, attacks on remote working infrastructure are also likely to continue.

There is good reason to be hopeful in 2021 now that the vaccines are starting to be rolled out, but it is important for businesses not to let their guard down and to ensure that they have adequate protections in place to identify and block current and new threats.

Many scams are conducted via email, as it is the easiest way for cybercriminals to obtain the credentials they need to gain a foothold in business networks. It is therefore important to ensure that email security is up to scratch and an advanced spam filtering solution is in place that can block phishing and malware threats. If it is possible to implement multi-factor authentication, this should be widely used, especially on email accounts and remote access solutions.

Web filtering solutions are an important cybersecurity measure to deploy to block the web-based component of phishing attacks and to prevent malware and ransomware downloads over the internet. Web filters can be used to block access to known malicious websites and restrict access to risky websites, and cloud-based solutions are easy to deploy to protect both office-based and remote workers.

With many employees still working remotely, it is important to provide regular updates on threats and security awareness training on the threats they are likely to face. Patches and software updates should be applied promptly to prevent cybercriminals exploiting vulnerabilities, especially in remote access solutions such as VPNs which are being actively targeted.

Since ransomware attacks are an ever-present risk, ensure your critical data is regularly backed up and test your backups to make sure data recovery is possible in the event of disaster. A good strategy to adopt is the 3-2-1 approach. Make three backups, store on 2 separate media, and make sure one copy is stored on a non-networked device.

The 2021 threat outlook may be bleak, but with preparation and the above solutions in place, it is possible to prevent most attacks, detect attacks in progress, and recover quickly should an attack succeed.

WastedLocker Ransomware Delivered Using Fake Software Updates

The notorious cybercriminal organization Evil Corp, which was responsible for the Dridex and Zeus banking Trojans and BitPaymer ransomware, have started using a brand new ransomware called Wastedlocker, so named due to the .wasted extension which is used on encrypted files.

Evil Corp has been relatively quiet in recent months following the indictment of two high-profile members of the group by the U.S. Department of Justice in December 2019 for their role in the creation and distribution of Dridex and Zeus. The group bounced back with relatively low-level campaigns in January, but there has been little activity since. It appears that the time has been spent developing WastedLocker ransomware, which appears to have been mostly written from scratch.

WastedLocker ransomware was first used in May 2020 and is believed to be a replacement for BitPaymer ransomware. In the short space of time that the new ransomware has been in use, attacks have been conducted on at least 31 organizations, according to data from Symantec. Most of the victims are located in the United States, eight of which are Fortune 500 companies and 11 are publicly listed. Attacks have been conducted on companies operating in a wide range of industry sectors, with the manufacturing, information technology, and media and telecommunications sectors experiencing the highest number of attacks.

Evil Corp appears to be targeting large organizations with deep enough pockets to pay the sizeable ransom demand, which has ranged from $500,000 to $10 million in some cases. In contrast to many other ransomware operators, Evil Corp does not steal data prior to file encryption, although that could well change in the future. The group certainly has the technical skill to adopt that tactic, but it appears that they have refrained from doing so to stay under the radar.

WastedLocker ransomware is downloaded using the JavaScript framework SocGholish under the guise of a browser update. Symantec has identified more than 150 websites that have been compromised that are being used as part of the campaign to deliver the ransomware payload. Once a network has been compromised, the attackers use living-off-the-land tactics to move laterally and gain access to as many endpoints as possible, including tools such as PsExec and PowerShell. The gang has been observed using the penetration testing tool Cobalt Strike to log keystrokes and obtain credentials and escalate privileges, before the WastedLocker ransomware is executed and files across the network are encrypted.

In addition to encrypting endpoints, the group is targeting database services, file servers, virtual machines and cloud environments to cause maximum disruption to maximize the probability of the ransom being paid. The group is careful and patient, often waiting several months before their ransomware encryption routine is triggered.

Evil Corp is one of many threat actors to have adopted ransomware, with attacks on businesses having increased over the past few months. Around 15 groups are now conducting manual ransomware attacks in which data is stolen prior to file encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. This tactic has been effective, with around half of businesses paying the ransom.

The University of California San Francisco is one of the latest victims that has been forced to pay the ransom to recover data encrypted in the attack. That ransomware attack involved NetWalker ransomware, and data was stolen in that attack prior to encryption. Without access to essential research data, the university had little option other than paying the $1.14 million ransom.

Organizations are attacked in a variety of ways, often using brute force tactics on RDP or exploiting vulnerabilities in VPNs, but there has also been an increase in email-delivered ransomware and drive-by malware downloads, highlighting the need for advanced email and web security solutions, which is an area where TitanHQ can help.