Web Filtering

Web filtering is an ideal solution to prevent Internet users from visiting unsafe website that potentially harbor viruses and malware. A web filter works by comparing a request to visit a website against a list of predetermined parameters. If the request fails to pass the criteria defined by the parameters, the request is denied.

This process prevents Internet users from accessing websites they have been invited to visit in a phishing email or when clicking on an advertising link. Web filtering can also be configured to prevent cyberslacking, to block certain types of files from being downloaded or bandwidth-hogging web applications from being used.

To find out more about how your organization can strengthen its online defenses, enhance productivity and limit bandwidth loss, speak with one of our team today about web filtering.

University Students Call for WiFi Filters to Block Pornography

The students of Notre Dame University in Indiana are calling for WiFi filters to block pornography on public WiFi hotspots at the university. The campaign has attracted more than 1,000 signatures and now Enough is Enough has added its backing to the campaign.

Pressure Mounting on WiFi Hotspot Providers to Implement Content Controls

There have been calls for coffee shops, restaurants, and other providers of WiFi filters to block pornography. One campaign targeting Starbucks has recently proven to be successful. A campaign led by the pressure group Enough is Enough helped to convince the global coffee shop chain to finally implement WiFi filters to block pornography, albeit more than two years after the initial promise was made. A similar campaign in 2016 resulted in WiFi filters being implemented in McDonalds restaurants.

This week, Enough is Enough has issued a fresh call for the use of WiFi filters to block pornography, this time at the University of Notre Dame in Indiana.

Support for University of Notre Dame Students Demanding WiFi Filters to Block Pornography

In October 2018, Jim Martinson, a student at the University of Notre Dame, launched a campaign calling for the University to implement a WiFi filter to block pornography on campus.  The university cannot stop students from using their own devices and data to view adult content, but Martinson believes the university should not be allowing students to freely use its WiFi networks to view pornographic material on campus.

Jim Martinson’s campaign has gathered considerable support. After writing a letter to the university from the men of Notre Dame, to which 80 fellow male students added their names, a similar letter was written by Ellie Gardey. Gardey’s letter was signed by 68 female students at the university.

In Jim Martinson’s letter to the university from the men of Notre Dame, he cites a previous university survey, conducted in 2013, which revealed 63% of male students had viewed pornography on the WiFi network of the university. That figure is in line with various national surveys that showed 64% of men and 18% of women at colleges spend at least some time each week viewing pornography. National research indicates that each month, 86% of men have at least some interactions with pornographic material. Martinson also points out that pornography has already been declared a public health crisis in five states due to the harm it causes and that the university needs to take action to protect students.

Since the letters were written, the campaign has gathered more than 1,000 signatures from staff and students. Yet even with widespread approval for university WiFi filtering, nothing has yet been done to accommodate the request.

Enough is Enough Launches its Own Campaign to Pressure the University to Take Action

Enough is Enough has now launched its own campaign to pressure the university into responding to the request and has given its backing to the Notre Dame porn free WiFi campaign.

“By implementing a filtered WiFi solution, the University of Notre Dame can stand as a leader among colleges and universities to ensure the safety of its students, faculty and others,” Explained EIE President and CEO, Donna Rice Hughes. “Having a policy prohibiting porn or sexually explicit material is not enough – taking concrete action to prevent its access is the only viable solution. Filtered WiFi will also prevent predators from accessing child pornography utilizing the University’s WiFi and flying under the radar of law enforcement.”

Blocking objectional and illegal web content is just one of the reasons why educational institutions may consider implementing a filtered WiFi solution. There are several other important reasons for exercising some control over what can happen on WiFi networks, the most important of which relates to cybersecurity. A WiFi filter not only allows certain categories of web content to be blocked, it will also prevent students from accessing phishing websites and sites known to harbor malware.

Universities and other educational institutions are being targeted by cybercriminals to gain access to sensitive data, access computers for cryptocurrency mining, and to install ransomware which encrypts entire networks and holds computer systems and data to ransom. In March 2021, the FBI issued a joint alert with DHS-CISA warning of a ransomware campaign specifically targeting the education sector using Pysa ransomware, although the Pysa gang is only one of the many threat groups targeting education.

Regardless of the categories of content that are blocked – pornography, gambling, hate speech etc. – a WiFi filter should be used to block these very real cyber threats. WiFi filters include blacklists of known malicious websites and will prevent access to malicious content to protect the WiFi network itself, and any individual who connects to it., and will create a safe and secure WiFi network for all staff and students to use.

WebTitan Cloud for WiFi – A Simple but Powerful WiFi Filtering Solution

TitanHQ has developed an easy-to-use WiFi filtering solution that is ideal for use in educational institutions. WebTitan Cloud for WiFi can be used to prevent WiFi users from accessing harmful, malicious web content that steals sensitive information or is used to distribute malicious software such as malware and ransomware. malicious content will be automatically blocked, and other blacklists will block access to illegal content such as child pornography and copyright-infringing downloads. The WiFi filter can also be used to block access to content by a specific URL or domain, category of website, keywords, or keyword density. It is also possible to block downloads of specific file types.

Highly granular controls prevent overblocking of web content and allow universities and other educational institutions to restrict access to certain types of web content with precision, such as blocking pornography without blocking educational content of a sexual nature.

WebTitan Cloud for WiFi is a cloud based solution that can be used to protect and restrict access to web content for multiple access points, even if those access point are distributed widely geographically. All of the access points can be controlled via a single, intuitive web-based user interface.

Being 100% cloud based, the solution requires no hardware or software, the cost per user is low, and the filtering controls are highly accurate. The solution provides coverage of Alexa’s top 1 million most visited websites, supports blacklists such as the child pornography/child abuse blacklist maintained by the Internet Watch Foundation, and allows 53 categories of website to be blocked with a click of a mouse.

Why WebTitan Cloud for WiFi is an Ideal WiFi Filter for Universities

  • Provides protection from phishing, malware, and ransomware attacks via the web
  • No software installations or hardware required.
  • Central control of multiple routers.
  • No restrictions on the number of users connected to the service.
  • Easy to use solution that requires no training
  • Scalable to hundreds of thousands of WiFi users
  • Customizable reports on network usage and traffic
  • No latency
  • No bandwidth restrictions.
  • Easy integration with other systems through APIs
  • Range of hosting options: WebTitan Cloud, Private cloud, or within your own data center
  • World-class customer support

For further information on WebTitan Cloud for WiFi, to book a product demonstration, or to sign up for a free trial to see the solution in action in your own environment, contact the TitanHQ team today.

WiFi Filtering and Protecting Your Brand

There are many reasons why businesses should implement a WiFi filtering solution, but one of the most important aspects of WiFi filtering is protecting your brand.

The Importance of Brand Protection

It takes a lot of hard work to create a strong brand that customers trust, but trust can easily be lost if a company’s reputation is damaged. If that happens, rebuilding the reputation of your company can be a major challenge.

Brand reputation can be damaged in many ways and it is even easier now thanks to the Internet and the popularity of social media sites. Bad feedback about a company can spread like wildfire and negative reviews are wont to go viral.

Smart business owners are proactive and take steps to protect their digital image. They are quick to detect and enforce online copyright infringements and other forms of brand abuse. They monitor social media websites and online forums to discover what people are saying about their company and how customers feel about their products and services. They also actively manage their online reputation and take steps to reinforce their brand image at every opportunity.

Cyberattacks Can Seriously Damage a Company’s Reputation

One aspect of brand protection that should not be underestimated is cybersecurity. There are few things that can have such a devastating impact on the reputation of a company as a cyberattack and data breach. A company that fails to secure its POS systems, websites, and network and experiences a breach that results in the theft of sensitive customer data can see their reputation seriously tarnished. When that happens, customers can be driven to competitors.

How likely are customers to abandon a previously trusted brand following a data breach? A lot more than you may think! In late 2017, the specialist insurance services provider Beazley conducted a survey to find out more about the impact of a data breach on customer behavior. The survey was conducted on 10,000 consumers and 70% said that if a company experienced a data breach that exposed their sensitive information they would no longer do business with the brand.

WiFi Filtering and Protecting Your Brand

The use of Wi-Fi filtering for protecting your brand may not be the first thing that comes to mind when you think about brand protection, but it should be part of your brand protection strategy if you offer WiFi access to your customers or provide your employees with wireless Internet access.

It is essential for businesses to take steps to ensure their customers are protected and are not exposed to malware or phishing websites. If a customer experiences a malware infection or phishing attack on your WiFi network the fallout could be considerable. If your employees download malware, they could give hackers access to your network, POS system, and sensitive customer data. If you offer free Wi-Fi to your customers, you need to make sure your Wi-Fi network is secured and that you protect your customers from malicious website content.

One of the most important aspects of WiFi filtering for protecting your brand is preventing your WiFi access points from being used for illegal activities. Internet Service Providers can shut down Internet access over illegal activities that take place over the Internet. That will not only mean loss of WiFi for customers but could see Internet access lost for the whole company. Your company could also face legal action and fines.

If WiFi users can access pornography and other unacceptable content, a brand can be seriously tarnished. Imagine a parent discovers their child has seen pornography via your WiFi network – The failure to prevent such actions could be extremely damaging. WiFi filters allow businesses to carefully control the content that can be accessed on their network and prevents customers from viewing harmful web content.

WebTitan Cloud for WiFi – The Easy Way to Secure Your WiFi Access Points

Implementing a WiFi filter to protect your brand and provide safe and secure Internet access for your employees and customers is a quick and easy process with WebTitan Cloud for WiFi.

WebTitan Cloud for WiFi is a powerful, yet easy to use web filtering solution for WiFi hotspots that requires no hardware purchases or software downloads. WebTitan Cloud for WiFi can be implemented and configured in just a few minutes. No technical skill required.

WebTitan Cloud for WiFi is highly scalable and can protect any number of access points, no matter where they are located. If you have business premises in multiple locations, or in different countries, WebTitan Cloud for WiFi will protect all of your access points via an intuitive web-based user interface.

WebTitan Cloud for WiFi protects against online threats, allows businesses to carefully control the types of content that WiFi users can access, allows businesses to control bandwidth use, and gives them full visibility into network usage.

If you have yet to implement a WiFi filter on your hotspots, give TitanHQ a call today for details of pricing, to book a product demonstration, and register for a free trial.

Starbucks Porn Filter to Finally be Implemented in 2019

A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network.

It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.

Businesses Pressured to Implement WiFi Filters to Block Porn

Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEO’s of Starbucks and McDonalds urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks.

After petitioning McDonald’s, the global restaurant chain took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.

The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through in its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.

Starbucks Porn Filter to Be Applied in All Locations in 2019

Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be rolled out across all its cafes in 2019.

All businesses that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and are kept ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flaunt policies on acceptable use. A technical solution is therefore required to enforce those policies.

While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be blocked.

WiFi filters can also help businesses conserve bandwidth to make sure that all customers can access the Internet and enjoy reasonable speeds.

WebTitan Cloud for WiFi – The Easy Way to Start Filtering Content on WiFi Networks

TitanHQ has long been an advocate of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily block access to unacceptable and illegal web content on WiFi networks.

WebTitan Cloud for WiFi allows businesses to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases are required and no software downloads are necessary.

The solution offers businesses advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are required to implement and run the solution. It can be set up and operated by individuals that have little to no technical knowhow.

The solution is highly scalable and can be used to protect thousands of users, at multiple locations around the globe, all controlled through a single user interface.

If you run a business that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.

Managed Service Providers (MSPs) that want to start offering WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been developed to meet the needs of MSPs and make it easy for them to add new security capabilities to their service stacks.

DNS Web Filtering for MSPs – Improve Security for Your Clients and Your Bottom Line

DNS web filtering for MSPs is an easy way to improve security for your clients, save them money, and boost your profits. This post explains the benefits of a DNS-level web filter for MSPs and their clients.

DNS web filtering is a great way for MSPs to boost profits, save clients money, and better protect them from cyber threats. Web filtering is an essential cybersecurity measure that businesses of all sizes should be using as part of their arsenal against malware, ransomware, botnets and phishing attacks. However, many MSPs fail to include web filtering in their security offerings and consequently miss out on an important income stream: One that requires little effort and generates regular monthly revenue.

What Are the Benefits of Web Filtering?

There are two main benefits of web filtering: Enforcing Internet usage policies and improving cybersecurity. Employees need to be able to access the Internet for work purposes, but many employees spend a considerable percentage of their working day accessing websites that have no work purpose. Cyberslacking costs businesses dearly. Businesses that do not filter the Internet will be paying their employees to check personal mail, view YouTube videos, visit dating websites, and more. A web filter will help to curb these non-productive activities and will also prevent employees from accessing inappropriate or illegal web content which can prevent legal and compliance issues.

A recent study by Spiceworks revealed the extent of the problem. 28% of employees at large companies (more than 1,000 employees) spend more than four hours a week on personal Internet use and the percentages increase to 45% for mid-sized businesses and 51% for small businesses. The difference in those figures reflects the fact that more large businesses have implemented web filters. 89% of large companies have implemented a web filter to curb or prevent personal Internet usage and, as a result, they benefit from an increase in productivity of the workforce.

Web filtering is essential in terms of cybersecurity. The Spiceworks study revealed 90% of large companies use a web filter to block malware and ransomware infections. A web filter prevents employees from accessing websites known to be used for phishing and those that host malware.

The Spiceworks study showed just how important a web filter is in this regard. 38% of companies had experienced at least one security incident in the past year as a result of employees visiting web pages for personal use, most commonly webmail services and social media channels.

Additional benefits of web filtering include improving network performance and ensuring sufficient bandwidth is available for all users – by blocking access to bandwidth-heavy online activities such as gaming and video streaming.

From the productivity gains alone, a web filter will pay for itself. Add in the costs that are saved by preventing malware and phishing attacks and use of a web filter really is a no brainer.

Why DNS Web Filtering for MSPs is the Way Forward

MSPs have three main web filtering options open to them. An appliance-based web filter, a virtual appliance or software solution, or a DNS filter. DNS web filtering for MSPs is usually the best choice.

DNS web filtering for MSPs avoids the need for hardware purchases so there is not an initial high cost for clients or for the MSP, since a powerful appliance does not need to be installed in an MSP’s own data center. DNS web filtering for MSPs means no site visits are necessary to install the solution as no hardware is required and no software downloads are necessary. DNS web filtering is not restricted by operating systems and is hardware independent, and since there are no clients to install, there will not be any installation issues. A DNS web filter also doesn’t have any impact on Internet speed.

A SaaS DNS web filtering solution, such as WebTitan Cloud, allows MSPs to deploy the web filter for their clients in a few minutes. All that is required is to direct clients’ DNS to the cloud-based filter.

DNS web filtering for MSPs is easy to implement, simple to use, requires little management, and with WebTitan Cloud, MSPs benefit from generous margins. Improving clients’ security posture and helping them make important productivity gains could not be easier.

Why WebTitan Cloud is the Best Choice for MSPs

WebTitan Cloud has been developed to meet the needs of the SMB marketplace but the solution was developed specifically to meet the needs of MSPs. WebTitan Cloud includes a full suite of pre-configured reports (with scope for customization) to allow MSPs to show their clients the sites that have been blocked and what employees have been up to online. The reports give MSP clients total visibility into their web traffic and highlight problem areas and trends affecting network performance. The reports can be automated and sent directly to clients with no MSP involvement.

WebTitan Cloud Features

  • DNS-based web filter with no latency
  • Real-time antivirus, malware, spyware, and adware protection
  • URL filtering using pre-defined categories
  • Content blocking with the option for time-based rules
  • Integration with LDAP and Active Directory
  • Incorporates web-based application filtering
  • Supports whitelists and blacklists
  • Contains a comprehensive reporting suite
  • Full set of APIs for easy back-end integration
  • Scalable with no limits on bandwidth, number of routers, or locations
  • Support clients with dynamic or static IPs

Some of the key benefits of TitanHQ’s DNS web filtering for MSPs are detailed below:

  • WebTitan Cloud can be hosted by TitanHQ, in a private cloud on AWs, or within an MSP’s own infrastructure
  • WebTitan Cloud includes APIs to integrate with auto-provisioning, billing, and monitoring systems
  • MSPs do not need to become an ISP to use the service
  • WebTitan Cloud is scalable to hundreds of thousands of users
  • WebTitan Cloud includes multiple management roles
  • New customers and WiFi hotspots can be added and configured in minutes
  • One control panel to manage all clients
  • Intuitive controls with low management overhead
  • Eliminates the need for site visits, with no local support required
  • WebTitan Cloud can be supplied in white-label form ready for an MSP’s logos and color schemes
  • MSPs benefit from industry-leading customer service
  • Highly competitive usage-based pricing with generous margins for MSPs and aligned monthly billing

If you have yet to start offering web filtering to your clients or if you are unhappy with the usability or cost of your current solution, contact TitanHQ’s Alliance team today for full product details, details of pricing, to book a product demonstration and register for a free 14-day no obligation trial.

MSP Testimonials

“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager

“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. It has provided us with a stable web filtering platform that has worked well for us for many years. ” Derek A. Network Manager

“WebTitan is outstanding software that helps me a lot in minimizing viruses. The thing I like most about WebTitan is that it is extremely easy to use and configure. I like its clear interface. It lets us block malicious content and spam easily. It is no doubt an amazing product helping us a lot in kicking out harmful bad stuff.” Randy Q. Software Engineer

Ransomware is the Biggest Cyber Threat to SMBs

The biggest cyber threat to SMBs is ransomware, according to Dato’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study.

Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, are not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack.

However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount.

One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest heavily in cybersecurity solutions as larger businesses.

Anti-Virus Software is Not Effective at Preventing Ransomware Attacks

Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection.

Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware. More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day.

Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency mining. While that may be true for some cybercriminal gangs, the ease of conducting attacks using ransomware-as-a-service means many small players have started attacking SMBs. That is unlikely to change.

92% of surveyed MSPs said they thought ransomware attacks would continue at current levels or even increase throughout this year and next.

Ransomware attacks are even being conducted on Apple operating systems. In the past year, there has been a five-fold increase in the number of MSPs who have reported ransomware attacks on macOS and iOS operating systems.

“Not only have ransomware attacks increased in recent years, but the problem may even be bigger than we know, as many attacks go unreported,” explained Jeff Howard, Founder and Owner, of the Texas MSP Networking Results. Datto suggests that only one in four attacks are reported to law enforcement.

How to Protect Against SMB Ransomware Attacks

To protect against ransomware attacks, businesses need to implement a range of solutions to block the most common attack vectors. To block email-based attacks, advanced spam filtering technology is required, and end user security awareness training is essential. To block ransomware downloads from malicious websites, web filtering software should be implemented.

Business continuity and disaster recovery technology should be implemented to ensure that a quick recovery is possible in the event of an attack, and naturally intelligent backing up is required to ensure files can be recovered without paying a ransom.

MSPs need to explain the risks to SMBs, along with the solutions that need to be installed to prevent attacks and the likely cost of recovery. Many businesses are shocked to discover the true cost of a ransomware attack.

How TitanHQ Can Help Improve Defenses Against SMB Ransomware Attacks

TitanHQ has developed two innovative cybersecurity solutions that work in tandem to block the two most common attack vectors: Email and Internet attacks. SpamTitan is a powerful spam filtering solution that combines two AV engines with intelligent scanning of incoming mail using a variety of techniques to identify malicious messages and new ransomware variants and block them at source.

WebTitan is a powerful web filtering solution that can block malvertising attacks, drive-by ransomware downloads, and prevent employees from visiting malicious websites.  Both solutions should be part of an SMBs arsenal to protect against ransomware and malware attacks and both solutions should be part of an MSPs security stack.

For further information on SpamTitan and WebTitan and details of TitanHQ’s MSP offerings, contact the TitanHQ today.

How to Improve Wi-Fi Security for Hotels and Prevent Data Breaches

Most businesses are aware of the importance of securing their Wi-Fi networks; however, in some industry sectors Wi-Fi security has not been given the importance it requires. Wi-Fi security for hotels, for instance, is often lacking, even though the hospitality sector is being actively being targeted by cybercriminals who see hotel Wi-Fi as a rich picking ground.

Hotel Chains are Under Attack

Hotels are an attractive target for cybercriminals. They satisfy the two most important criteria for cybercriminals when selecting targets. Valuable data that can be quickly turned into profit and relatively poor cybersecurity which makes conducting attacks more straightforward.

In 2018, there have been several major cyberattacks on hotel groups. In November 2018, Federal Group, which runs luxury hotels in Tasmania, experienced an email security incident that exposed the personal data of some of its members. A cyberattack on the Radisson Hotel Group was also reported. In that case it resulted in the exposure of the personal information of its loyalty program members.

In August one of China’s largest chains of hotels – Huazhu Hotels Group Ltd – which operates 13 hotel brands – suffered a cyberattack that affected an estimated 130 million people.  In June one of Japan’s largest hotel groups, Prince Hotels & Resorts, experienced a cyberattack that impacted almost 125,000 customers. In 2017 there were major data breaches at Hilton, Hyatt Hotels Corporation, Trump Hotels, Four Seasons Hotels, Loews Hotels, Sabre Hospitality Solutions, and InterContinental Hotels Group to name but a few.

The Cost of a Hotel Data Breach

When a data breach occurs the costs quickly mount. Access to data and networks must be blocked rapidly, the breach must be investigated, the cause must be found, and security must be improved to address the vulnerabilities that were exploited. That invariably requires consultants, forensic investigators and other third-party contractors. Affected individuals must be notified and credit monitoring and identity theft protection services may need to be offered.

The direct costs of a hotel data breach are considerable. The Ponemon Institute calculated the average cost of a data breach in 2018 had risen to $3.86 million. That was for a breach of up to 100,000 records. Larger breaches cost considerably more.

Then there is GDPR. Fines of up to €20 million or 4% of global annual turnover (whichever is higher) can be issued for GDPR compliance failures, which includes data breaches that resulted from poor security.

What is much harder to calculate is the cost of reputation damage and the customer churn rate after a breach. Damage to a hotel chain’s reputation can be long lasting and in the highly competitive hospitality industry, it could even be disastrous.

The security firm Ping Identity recently published the results from its 2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era. 3,000 people from the USA, UK, France, and Germany were surveyed for the study, which investigated the expectations of customers and the fallout from data breaches. 78% of respondents said they would stop engaging with a brand online after a breach and 36% would stop engaging with a brand altogether. Could your hotel group weather a 78% drop in online bookings or a loss of more than a third of your customer base?

Wi-Fi Security for Hotels

Cybersecurity solutions should be implemented to protect hotel networks from cyberattacks and prevent customer’s personal information from being accessed by cybercriminals. Perimeter cybersecurity solutions such as firewalls are essential, but Wi-Fi security for hotels should not be underestimated.

Guests use the Wi-Fi network to conduct business while at the hotel, for entertainment, and communication. Guests typically bring three devices that they connect to hotel Wi-Fi networks. A hotel with 100 guests potentially means 300 devices connecting to Wi-Fi. There is a high probability that at least some of those devices will be infected with malware, which could be transferred to other guests.

Hotel guests often access types of content that they do not access at home – sites that carry a higher risk of resulting in a malware download. Hackers often exploit poor hotel Wi-Fi security to attack guests. The DarkHotel threat group is a classic example. The group targets high profile hotel guests and has been doing so for more than a decade. If Wi-Fi security for hotels is substandard, successful attacks are inevitable.

Naturally guest and business Wi-Fi networks should be separated to ensure that one does not pose a threat to the other. A VLAN should be set up for the wired network, with a separate VLAN for internal wireless access points and those used by guests.

Wi-Fi security should include WPA2 encryption to prevent the interception of data and a web filtering solution should be implemented to protect guests from phishing websites and sites hosting malware. A web filter will also allow hotels to control the types of content that can be accessed by guests and restrictions can be put in place to create family-friendly Wi-Fi access and prevent guests from accessing illegal web content.

TitanHQ Email and Wi-Fi Security for Hotels

TitanHQ is a leading provider of advanced cybersecurity solutions for hotels to protect against email-based cyberattacks and improve Wi-Fi security for hotels.

WebTitan is a powerful web filtering solution for wired and wireless networks that blocks malware downloads and prevents employees and guest Wi-Fi users from accessing malicious websites. WebTitan also allows hotels to carefully control the content that can be accessed via their Wi-Fi networks, ensuring a business-friendly and family-friendly Internet service is provided.

Key Benefits of WebTitan

WebTitan Cloud and WebTitan Cloud for Wi-Fi are 100% cloud-based web filters for hotels that require no software downloads or hardware purchases. They can be implemented in minutes and are easy to configure and maintain. They are ideal for improving Wi-Fi security for hotels and securing wired hotel networks.

WebTitan web filters allow hotels to:

  • Control the content that can be accessed by guests without slowing Internet speeds
  • Block access to pornography to create family-friendly Wi-Fi zones in communal areas
  • Prevent guests from engaging in illegal online activities
  • Prevent guests from accessing phishing websites
  • Block the downloading of viruses, malware, and ransomware
  • Create custom policies for different user groups – management, employees, guests, or individuals
  • Create custom controls for different wireless access points
  • Restrict bandwidth-draining online activities to ensure good Internet speeds for all users
  • Manage web filtering controls for multiple locations from a single web-based control panel

WebTitan is ideal for use in the hospitality sector to protect internal networks from attack and to block web-based threats that could otherwise lead to a data breach.

To find out more about improving Wi-Fi security for hotels, contact TitanHQ today. The team will be happy to provide details of the products, advise you on the best deployment options, and schedule a product demonstration. You can also sign up for a free trial to evaluate the effectiveness of TitanHQ’s web filters for hotels in your own environment.

Ransomware Attacks on Cities and Municipal Services Highlight Cybersecurity Failings

This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.

Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.

Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets. In the past few months. It is clear that the threat is not going away any time soon.

$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack

The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.

The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.

Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.

City of Muscatine Ransomware Attack

The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.

Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.

Ransomware Attack on City of Atlanta

In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.

Ransomware Attacks on Municipal Services Becoming More Common

Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.

Prevention and Incident Response

One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.

The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.

The Easy Way to Block Websites at Work and Control Employee Internet Access

Many businesses want to block websites at work and exercise greater control over employee internet access. Acceptable internet usage policies can be developed and employees told what content they are allowed to access at work, but there are always some employees that will ignore the rules.

In some cases, policy violations may warrant instant dismissal or other disciplinary action, which takes HR staff away from other important duties. If staff are fired, replacements must be found, trained, and brought up to speed, and the productivity losses that result can be considerable.

The Dangers of Unfettered Internet Access

Before explaining how to block websites at work, it is worthwhile explaining the problems that can arise from the failure to exert control over the content that can be accessed through wired and wireless networks.

While extreme cases of internet abuse need to be tackled through HR, low level internet abuse can also be a problem. Any time an employee accesses a website for personal reasons, it is time that is not being spent on work duties. Checking emails or quickly visiting a social media website is unlikely to have a major impact on productivity, but when cyber-slacking increases its effect can certainly be felt. If all employees spent 30 minutes a day on personal internet use, the productivity losses would be be considerable – A business with 100 workers would lose 50 hours of working time a day, or 1,100 hours a month!

In addition to lost opportunities, internet use carries a risk. Casual surfing of the internet by employees increases the probability of users encountering malware. The accessing of personal webmail at work could easily result in a malware infection on a work device, as personal mail accounts are not protected by the filtering controls of an organization’s email security gateway. If illegal activities are taking place at work, the legal ramifications can be considerable. It will be the business that is liable in many cases, rather than the individual employee.

The easiest solution is for businesses to enforce their acceptable internet usage policies and simply block websites at work that are not required for normal working duties. Preventing end users from visiting certain categories of web content – social media websites, gaming and gambling websites, dating sites, adult content, and other NSFW web content – is the easiest solution.

Even legitimate use of the internet for work purposes carries risks. There has been a major increase in phishing attacks on businesses in recent years and mitigating attacks can prove incredibly costly. Technical solutions that are used to block websites at work to prevent cyber-slacking can also be configured to block access to phishing websites and prevent malware and ransomware downloads.

Selectively block websites at work and take control over the content that your employees can access. See how with a FREE WebTitan demo.
Book Free Demo

The Easy Way to Block Websites at Work

The easiest way to block websites in the workplace is to use a web filtering solution. This could be a physical appliance through which all internet traffic is routed, a virtual appliance installed on your existing hardware, or a cloud-based solution. The latter is a popular solution for SMBs as the cost of implementation is minimal and the web filter can be set up in a matter of minutes. All that is required is to make a simple change to point the DNS to the cloud web-filter and all traffic will be routed though the solution.

Not all businesses need to exercise the same controls over internet content, so granular controls are essential. With a cloud-based web filter such as WebTitan, it is easy to block websites at work. The administrator simply logs into the administration panel using a web browser and clicks on the checkboxes of content that they want the filter to block. Blocking adult entertainment, gambling, gaming, dating, and social media by category is common.

It is not practical to apply the same settings across the board for all employees. The marketing department, for instance, will need access to social media networks when other employees may not. With WebTitan, filtering controls can easily be set at the organization level, by user group, or for individuals.

With WebTitan Cloud you can control the internet and block threats no matter where your users access the internet. WebTitan Cloud works for users both on and off the network, so you can protect office workers and employees working remotely using the same solution.

Further Information on Blocking Websites in the Workplace

If you would like further information on how you can selectively block websites at work and take control over the content that your employees can access, speak to TitanHQ today.

Our friendly and knowledgeable sales team will be able to answer all your questions, explain in detail how WebTitan works, and suggest the best deployment option to suit your needs.

After learning about the best setup to suit your business, you can schedule a product demonstration and/or start a free trial to see WebTitan in action.

In 20 minutes your content control issues could be solved and you could be filtering the internet and blocking access to unsuitable, unsavory, and harmful web content.

 

 

The Easy Way to Block Websites at Work and Control Employee Internet Access FAQ

What is DNS Filtering?

DNS filtering is when content filtering takes place at the DNS lookup stage of a web request, when the URL is checked to find its corresponding IP address. The request is processed via the web filtering service provider and the IP address will only be returned if the web resource does not violate administrator-defined policies. Filtering takes place without any content being downloaded and there is no latency.

Can I block Facebook Messenger without blocking access to Facebook?

You can block Facebook Messenger without blocking access to Facebook with WebTitan. It is easy to prevent employees from using Facebook Messenger at work without blocking access to the entire Facebook website and the process takes just a few seconds. Just open the WebTitan Cloud administration panel, select Filtering URL keywords, and add in two blacklisted keywords.

Is it difficult to block websites in the workplace?

It is not difficult to block websites in the workplace due to category-based web filtering. Category-based web filtering makes content control simple. You simply access your cloud administration panel, navigate to category controls, and you can restrict access to 53 distinct categories of website using the checkbox options. Apply those changes and all websites in those categories will be blocked. You can also create your own custom categories.

Can web filters be bypassed by employees?

Web filters can be bypassed by employees unless controls are implemented to restrict access to proxies, VPNs, and other anonymization services. These controls will be sufficient to prevent users from bypassing filtering controls. However, you should also lock down your DNS settings to prevent users from manually changing the DNS settings to bypass the filtering controls.

Can I view user Internet activity in real time?

You can view user Internet activity in real time or retrospectively. With WebTitan you can do both with a few clicks of the mouse. All information is easily accessible via the administration portal and can either be viewed or exported with the click of a mouse.

What is the difference between web filtering and DNS filtering?

The difference between web filtering and DNS filtering is that web filtering is more granular. Web filtering allows organizations to filter the Internet by URL rather than by domain name or IP address. Therefore, if there is (for example) a news website employees need to access for their jobs, but the organization wants to block access to the sports and leisure pages of the website, the organization can blacklist just the pages it does not want employees to access. DNS filtering lacks the granularity to block selected pages of a website and can only block the whole website.

How does casual surfing increase the risk from malware?

Many websites are monetized by advertising, and it is not uncommon for cybercriminals to place ads on popular sites that are weaponized with malware, trojans, ransomware, or cryptomining scripts. Additionally, clicking on an ad can take a casual Internet surfer to a phishing site where they may be asked to create login credentials to progress to the area of interest. Many employees have poor password habits, and could use a username and password that matches a corporate account.

Which is the best type of web filtering solution for the workplace?

The best type of web filtering solution for the workplace is most often a cloud-based solution. This is because a cloud-based solution can control on-premises and remote Internet access. It is also important to be aware that the web filtering vendor most often manages cloud-based solutions. Therefore, all updates, patches, and technical issues are the responsibility of the vendor rather than the organization’s IT department – reducing the demand for internal IT support.

Selectively block websites at work and take control over the content that your employees can access. See how with a FREE WebTitan demo.
Book Free Demo

Webinar: Datto and TitanHQ Deliver Enhanced Web Content Filtering to MSPs

TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs.

Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network.

Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers.

During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.

Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ

Click here to sign up for the webinar

CloudFlare IPFS Gateway Phishing Forms Fool Users with Valid SSL Certificates

The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content.Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.

The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers.

When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid.  The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos.

If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be displayed a document about business models, strategy and innovation. This may also not raise a red flag.

The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also take advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.

It is becoming increasingly important for phishers to use HTTPS for hosting phishing content. As more businesses transition from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to make the change to HTTPS. Both CloudFlare IPFS Gateway and Azure Blog storage offer an easy way to do this.

In both cases, links to the malicious forms are distributed through spam email. One of the most common ways to do this is to include an email attachment that contains a button which must be clicked in order to download content. The user is advised that the content of the file is secured, and that professional email login credentials must be entered in order to view the content. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.

The increase in use of cloud platforms to host phishing content makes it more important than ever for organizations to implement advanced phishing defenses. A powerful spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to alert users that SSL certificates do not necessarily mean the content of a web page is legitimate. Web filtering solutions are also essential for blocking access to known malicious web pages, should a user visit a malicious link.

Exploit Kit Deployments and Website Attacks on the Rise

Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains and cyberattacks on websites have increased sharply.

United States Hosts the Most Malicious Domains and Exploit Kits

The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all countries, apart from the Netherlands, the number of malicious domains remained constant or declined.

Exploit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks.

Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit.

More than twice the number of exploit kits are hosted in the United States than in Russia in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139.

The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads. According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – The IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago.

The Jscript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll vulnerability – CVE-2014-6332 – have also been used in many attacks. One vulnerability known to be used in zero-day attacks was also detected.

Website Attacks on the Rise

Research conducted by SiteLock has revealed there has been a significant rise in attacks on websites in Q2, 2018. According to its study of more than 6 million websites, each website is attacked, on average, 58 times a day with one attack occurring every 25 minutes. That represents a 16% increase in website attacks since Q1, 2018.

These attacks are primarily conducted in order to install cryptocurrency mining code to hijack web visitors’ computers to generate cryptocurrency. Cases of cryptocurrency mining code insertions doubled between Q1 and Q2, while the installation of malicious JavaScript increased by 16%.

Once access is gained to a site and the miner or malicious JavaScript is deployed, it often remains undetected as many website malware detection solutions fail to detect these scripts. For website owners, there are no symptoms displayed to indicate their website has been compromised. SiteLock notes that approximately 1% of websites are infected with malware, although scans of websites revealed 9% contained at least one vulnerability that could potentially be exploited to gain access to the site to install malicious code.

Many search engines now alert users when websites have been discovered to contain malware, and Google sends warnings to site owners when malicious software is discovered. However, relatively few sites are being detected as malicious. SiteLock notes that out of 19.2 million sites that it has discovered to be hosting malicious files, only 3 million had been detected as malicious by the search engines.

The threat of exploit kit attacks and the rise in sites hosting malicious code highlights the need for businesses to deploy a web filtering solution to prevent employees from visiting these malicious sites and giving cybercriminals an opportunity to install malware on their networks.

Companies that take no action and fail to implement software solutions to restrict access to malicious sites face a high risk of their employees inadvertently installing malware. With the cost of a data breach now $3.86 million (Ponemon/IBM), the decision not to implement a web filter could prove incredibly costly.

Princess Evolution Ransomware Offered as RaaS

Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model – termed Ransomware-as-a-Service or RaaS.

RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted on underground web forums and prospective affiliates.

Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted.

Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit which is installed on attacker-controlled web domains. Often legitimate sites are compromised have the exploit kit loaded without the knowledge of the site owner.

Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.

At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding systems and recovering files from backups.  The ransom demand is currently 0.12 Bitcoin – Approximately $750 per infected device.

Protecting against Princess Evolution ransomware attacks requires a combination of cybersecurity solutions, security awareness training, and robust backup policies. Multiple backups of files should be created, stored on at least two different media, with one copy stored securely off site. Infected devices may need to be re-imaged, so plans should exist to ensure the process can be completed as quickly as possible.

Cybersecurity solutions should focus on prevention and rapid detection of threats. A spam filtering solution – such as SpamTitan – will help to ensure that emailed copies of the ransomware or downloaders are not delivered to inboxes.

Care should be taken with any email sent from an unknown individual. If that email contains an attachment, it should not be opened, but if this is unavoidable, the attachment should be scanned with anti-virus software prior to opening. For greater protection, save the attachment to disk and upload it to VirusTotal for scanning using multiple AV engines.

A web filter such as WebTitan can block web-based attacks through general web browsing and by preventing end users from visiting malicious websites via hyperlinks in spam emails.

To reduce the risk of brute force attacks, strong, unique passwords should be used to secure all accounts and remote desktop protocol should be disabled if it is not required. If RDP is required, it should be configured to only allow connection through a VPN.

You should also ensure that all software, including browsers, browser extensions and plugins, and operating systems are kept patched and fully up to date.

HTTPS Phishing Websites Make Up One Third of Total

There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before.

Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.

The Threat from Phishing is Getting Worse

The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year.

In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified.

The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.

Healthcare Industry Heavily Targeted

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is.

HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.

Phishers Make the Move to HTTPS

PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS phishing websites. The company has recently released figures showing there has been a sharp increase in HTTPS phishing websites in the past few months with HTTPS and SSL certificates now popular with phishers.

As businesses make the switch to HTTPS, the phishers have followed. In the final quarter of 2015, a little over 1% of all phishing websites were hosted on HTTPS. By the final quarter of 2016, the percentage had increased to a shade under 5%. By the end of the final quarter of 2017, 31% of phishing sites used HTTPS. The Q1, 2018 figures show HTTPS phishing websites now account for a third of all phishing websites.

HTTPS websites ensure the connection between the browser and the website is encrypted. This offers greater protection for website visitors as information entered on the site – such as credit card numbers – is secure and protected from eavesdropping. However, if the site is controlled by a cybercriminal, HTTPS offers no protection.

The Importance of SSL Inspection

Protecting against phishing attacks and malware downloads via HTTPS websites requires the use of a web filtering solution that performs SSL inspection. If a standard web filtering solution is used that is unable to inspect HTTPS websites, it will not protect employees from visiting malicious websites.

It is certainly possible to block users from accessing all HTTPS websites, which solves the problem of SSL inspection, but with more websites now using HTTPS, many valuable internet resources and essential websites for business could not be accessed.

While many businesses may be reluctant to implement SSL filtering due to the strain it can place on CPUs and the potential for slowing internet speed, TitanHQ has a solution. WebTitan includes HTTPS content filtering as standard to ensure businesses are protected from HTTPS phishing websites and other online threats while ensuring internet speeds are not adversely affected.

You can find out more about how you can protect your business from phishing websites by contacting the TitanHQ sales team and asking about WebTitan.

New Underminer Exploit Kit Delivering Coinminer Malware

Exploit kit activity may not be at the level it one was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected.

The exploit kit has been named underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootklits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks with activity now spreading beyond this region.

The underminer exploit kit was also detected by Malwarebytes researchers who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of Hidden Mellifera coinminer malware.

The exploit kit uses complex methods to deliver the payload with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly.

The EK profiles the user via a user-agent to determine if the user is of interest. If not, the user will be directed to a HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.

The underminer exploit kit contains a limited number of exploits: The Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were released in February 2018, July 2015, and May 2016 respectively.

The best defense against exploit kit attacks is prompt patching. All systems and applications should be kept 100% up to date, with virtual patching deployed on legacy systems and networks. Since there will always be a delay between the identification of a vulnerability and a patch being released, patching alone may not be sufficient to prevent all attacks, although EK developers tend to use old vulnerabilities rather than zero days.

In addition to prompt patching, cybersecurity solutions should be deployed to further reduce risk, such as a web filtering solution (WebTitan) to block users from visiting malicious websites and redirects through malvertising. In this case, one of the main ways that users are directed to the exploit kit is via adult-themed malvertising on legitimate adult websites. Using the web filter to block access to adult sites will reduce exposure.

Cybersecurity solutions should also be deployed to scan for malware installations and monitor for unusual activity and standard cybersecurity best practices should also be employed… the principle of least privilege and removing unused or unnecessary applications, plugins, and browser extensions.

The fact that a new exploit kit has been developed, and that it was recently updated with a new exploit, shows that the threat of web-based attacks has not gone away. EK activity may be at a fraction of the level of 2016, but businesses should not assume that attacks will not take place and should implement appropriate defenses to mitigate the threat.

Rig Exploit Kit Activity Continues to Rise

A recent analysis of exploit kit activity by Trend Micro has shown that while exploit kit activity is at a fraction of what it was in 2016, the threat has not gone away. Links to malicious websites hosting exploit kits are still being distributed by spam email and malicious adverts are still being used to redirect web users to malicious websites hosting exploit kits.

Most of the exploit kits that were in use in 2016 have all but disappeared – Angler, Nuclear, and Neutrino. There was a rise in Sundown activity in 2017, but activity has now stopped, and Disdain and Terror exploit kits have similarly disappeared.

The demise of exploit kits as an attack vector has been attributed, in part, to the arrests of the operators of some of the most commonly used EKs such as Angler, although there have been fewer zero-day vulnerabilities to exploit. Many of the exploits used in exploit kits are for Flash vulnerabilities, and while use of Flash is declining, the creators of exploit kits are still attempting to exploit a handful of these Adobe Flash vulnerabilities.  Many threat actors have switched to easier and less time-consuming ways of attacking businesses, but not all.

While most exploit kits are operating at a low level, the Rig exploit kit is still in use and has recently been updated once again. Further, there has been a steady increase in Rig exploit kit activity since April. Rig is most commonly used in attacks in Japan, which account for 77% of Rig activity.

The GrandSoft exploit kit is still active, although at a much lower level than Rig. This exploit kit was first seen in 2012 although activity all but disappeared until the fall of last year when it became active once again. Japan is also the country most targeted by the GrandSoft exploit kit (55% of activity), while the private exploit kit Magnitude is almost exclusively used in South Korea, which accounts for 99.5% of its activity.

For the most part, exploit kits are being used to exploit vulnerabilities that should have been patched long ago, such as the use-after-free vulnerability in Microsoft Windows’ VBScript engine (CVE-2018-8174) which was identified in April 2017 and patched in May 2017.

Internet Explorer vulnerabilities are also being exploited on vulnerable systems, with at least two exploits for IE flaws included in GrandSoft recently. Research conducted by Palo Alto networks showed that out of 1,583 URLs found in malicious emails, the majority were linked to exploit kits including Rig, Sundown, Sinowal, and KaiXin, with the latter still evolving with new exploits still being added – CVE-2016-0189 and CVE-2014-6322 – both IE VBScript flaws – the most commonly used.

Trend Micro has warned that the recent increase in zero-days – there were 119 last year – could see at least some exploits for these vulnerabilities introduced into exploit kits. MalwareBytes reported last month that a zero-day flaw in Flash Player’s ActionScript language had been incorporated into one exploit kit and was being actively used in attacks.

The fact that exploit kits are still being used strongly suggests that they are still working, which means that many systems are not being patched.

The threat from exploit kits does not appear to be going away, so it is still essential for businesses to ensure they are protecting against attacks.

Strict patch management practices are still important, as is the use of a web filter. Drive-by downloads still occur – unintentional downloads of malware by users in the belief that the files are genuine. Implementing a web filter can help to block these malware downloads, either by blocking specific file types or preventing end users from visiting known malicious websites. Web filters can also be used to block adware, which continues to plague businesses.

Benefits of Web Filtering for Businesses

Why should businesses use a web filtering solution? Listed below are three key benefits of web filtering for businesses.

Protection Against Exploit Kits

Email spam is the most common attack vector used to deliver malware, and while the threat from exploit kits is nowhere near the level in 2015 and 2016, they still pose a problem for businesses.  Exploit kits are web-based apps that are loaded onto websites controlled by cybercriminals – either their own sites or sites that have been hijacked.

Exploit kits contain code that exploits vulnerabilities in web browsers, plugins and browser extensions. When a user with a vulnerable browser visits a malicious URL containing an exploit kit, the vulnerability is exploited and malware is downloaded.

With browsers becoming more secure, and Flash being phased out, it has become much harder to infect computers with malware via exploit kits and many threat actors have moved on to other methods of attack. However, some exploit kits remain active and still pose a threat.

The exploit kits currently in use – RIG for example – contain multiple exploits for known vulnerabilities. Most of the vulnerabilities are old and patches have been available for months or years, although zero-day vulnerabilities are occasionally uploaded. Exploit kits are also updated with recently disclosed proof-of-concept code. Exploit code for two recently discovered vulnerabilities: one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878) have been added to EKs already.

Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although businesses can further enhance security by using a web filter. Web filtering for businesses ensures that any attempt to access a website known to host an exploit kit will be blocked.

Blocking Phishing Attacks

Phishing is one of the biggest threats faced by businesses. Phishing is a method of obtaining sensitive information by deception, such as impersonating a company in an attempt to obtain login credentials or to fool employees into making wire transfers to bank accounts controlled by criminals.

A spam filter can prevent the majority of malicious messages from reaching inboxes, although some phishing emails will make it past the perimeter defenses, especially emails containing links to malicious websites. A web filter provides an additional level of protection against phishing by preventing users from visiting malicious websites sent via email and social media posts. When an attempt is made to visit a known malicious website, access will be blocked, and the user will be directed to a block screen.

A web filter can also be used to enforce safe search on search engines such as Google, Yahoo, and Bing. This will help to prevent inappropriate website content from being accessed through search and image search results.

Monitoring Internet Access and Blocking Inappropriate Websites

Employees can waste an extraordinary amount of time on the Internet. Allowing unfettered access to all website content can result in a considerable reduction in productivity. If every employee wastes an hour a day on the Internet instead of working, a company with 100 employees would lose 100 hours a day, 500 hours a week, and 26,000 hours a year. A sizeable loss.

A web filter can be used to block access to websites such as gambling, gaming, and social media sites – all major drains on productivity. Web filters can also be used to monitor Internet activity. When employees are told that the company monitors Internet use, employees will be less likely to spend time surfing the Internet instead of working.

Web filters can also be used to block not-suitable-for-work (NSFW) content such as pornography and will limit company liability by blocking illegal online activities at work, such as the downloading of copyright-protected content via P2P file sharing sites. Web filters can also limit bandwidth hogging activities such as the streaming of audio and video.

WebTitan Cloud – DNS-Based Web Filtering for Businesses

DNS-based web filtering for businesses is easy with WebTitan Cloud. WebTitan Cloud will help improve security posture, reduce company liability, and improve the productivity of the workforce. Being 100% cloud-based, the solution requires no hardware purchases, no software downloads, and can be implemented in a matter of minutes.

The solution filters websites into 53 pre-defined categories, making it easy for businesses to block specific types of content. More than half a billion URLs are categorized in the database and combined with cloud-based lookup, it is possible to ensure highly accurate content filtering without overblocking valuable content. The solution can inspect all web traffic, including encrypted sites.

The solution allows policies to be created for the entire workforce, groups, or individuals and protects employees who on and off the network. When employees use multiple devices, the content filtering controls can be applied across the board and will work whether the user is on-site or roaming.

Administrators benefit from a comprehensive reporting suite, with 55 preconfigured reports and scope for customization, with report scheduling options and the ability to view browsing in real-time.

If you want to improve your security posture, save bandwidth, reduce legal liability, block NSFW content, and improve productivity, give TitanHQ a call today and find out more about how WebTitan Cloud can benefit your business.

FAQ

How easy to implement is web filtering for business?

DNS-based web filtering is very simple to operate. Deployment consists of redirecting the organization´s Domain Name Server (30 seconds) and logging into a web-based administrative portal (another 30 seconds). Thereafter system administrators can synchronize the filtering service with an existing directory in order to apply role-based filtering policies within minutes.

How does web filtering for businesses block phishing attacks?

Strictly speaking, web filtering for businesses does not block phishing attacks - it mitigates the consequences of a phishing email avoiding detection by an email filter, and the recipient of the email clicking on a link to a malicious website. If the destination website is known to be malicious, web filtering for businesses blocks the recipient from visiting the malicious website.

How does monitoring Internet access work?

Organizations can configure web filtering solutions to monitor which websites users visit and which websites they are refused access to. While some may consider the monitoring of Internet access at work a form of employee surveillance, the information collected from Internet monitoring reports can be used to fine-tune Internet filters to create a more welcoming environment for everyone.

How do I find out what websites the web filter solution has blocked access to?

WebTitan Cloud´s monitoring logs are used to compile reports that reveal not only which websites were blocked, but the reasons why access was blocked (i.e. malicious website, contravened category policy, etc.). These reports help identify if your employees are exposing the organization to risk by attempting to visit unsafe websites, or whether they need to be reminded of acceptable Internet use policies.

What if I need to block Internet content for some people but not for others?

WebTitan Cloud has granular controls that enables system administrators to apply Internet policies by user, team, department, etc. as required. Therefore, if - for example - your marketing team requires access to social media platforms, but you want to avoid giving everybody in your organization access to Facebook and Twitter, you simply whitelist the marketing team from the social media category.

Employee Negligence is the Biggest Cybersecurity Risk for Businesses

The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives.

The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information.

84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.

Employees are the Biggest Cybersecurity Risk for Businesses in the United States

Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information.

The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches.

88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.

Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies in place for remote workers.

One of the most important ways that business owners and executives can improve their cybersecurity posture is through employee training, especially for remote workers. The provision of security awareness training will help to ensure that workers are aware of the organization’s policies and procedures and are taught security best practices.

However, the survey suggests training is often inadequate or in some cases nonexistent. 78% of surveyed C-suite executives and small business owners said they only provided information security training on policies and procedures once a year. Considering the risk, training needs to be far more frequent. Employees cannot be expected to retain all the information provided in a training session for the entire year. Training should cover the use of strong passwords, locking devices when they are not in use, never leaving portable devices unattended in public areas, safe disposable of electronic and physician data, and Wi-Fi security. Refresher training should be provided at least every six months.

Policies and procedures need to be developed specifically for remote workers, which cover the practices which must be adopted when working outside the office. With so many workers now spending more time working off-site, the probability of portable electronic devices being lost or stolen is greatly increased.

Businesses must ensure they maintain an accurate inventory of all devices used to access their network and implement appropriate security measures to ensure the loss or theft of those devices does not result in a data breach.

Increased use of insecure WiFi networks poses a major problem, greatly increasing the chance of a malware or ransomware download. Appropriate technologies should be implemented to protect remote workers’ devices from malicious software. TitanHQ can help in this regard.

WebTitan Cloud, TitanHQ’s 100% cloud-based web filtering solution can block malware and ransomware downloads and carefully control the websites that remote workers can access on their company-issued and BYOD devices, regardless of where the individual is located: on or off-site.

For more information on WebTitan and how it can protect your remote workers and improve your security posture, contact the TitanHQ team today for further information.

RIG Exploit Kit Now Includes Windows Double Kill Exploit Code

The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday.

To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack.

The vulnerability is in the VBScript engine and how it handles objects in the memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions.

The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work.

The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing. In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied.

The threat from email-based attacks is also likely to grow. The Double Kill exploit code has also been incorporated into the ThreadKit exploit builder, which is used to create malicious Office documents for use in phishing attacks.

Protecting systems against these types of attacks requires prompt patching, although many organizations are slow to apply updates out of fear of compatibility problems, which could cause performance issues. Consequently, prior to applying patches they need to be fully tested and that can take time. During that time, organizations will be vulnerable to attack.

A web filter – such as WebTitan – provides an additional level of protection while patches are assessed for compatibility. WebTitan provides protection against exploit kits and malware downloads by preventing end users from visiting known malicious sites, either through general web browsing, redirects, or via hyperlinks contacted in phishing emails.

TitanHQ Integrates its Web Filtering Platform into Kaseya’s IT Complete Suite

Managed Service Providers (MSPs) now have the option of providing an additional layer of security to their clients to protect against web-based cyberattacks now that TitanHQ’s powerful 100% cloud-based web filtering solution, WebTitan, has been incorporated into the Kaseya IT Complete suite.

The Kaseya technology alliance partner (TAP) program is highly regarded and brings together some of the world’s leading providers of IT solutions for MSPs, including Bitdefender, Cisco, and Dell.

The Kaseya IT Complete platform provides MSPs with easy access to a wide range of managed service-ready software, including cybersecurity, cloud management, endpoint management, network management, identity & access management, and disaster & recovery services. The platform makes it easy for MSPs to expand the services they provide to their clients and deliver invaluable solutions quickly and efficiently.

The platform has been developed to help MSPs increase revenue by providing profitable new services, automate the delivery of those services, and add more value by exceeding SLAs. The ease at which the solutions can be delivered saves MSPs valuable time, allowing them to free up staff to work on strategic projects.

MSPs have access to a wide range of cybersecurity solutions through the platform, but one notable gap was an easy to deploy web filtering solution. The addition of WebTitan to the Kaseya platform allows MSPs to add another layer of security to better protect their clients from web-based threats and malware and ransomware downloads. Being DNS-based, the solution can be quickly deployed with no need for any software downloads, hardware purchases, or site visits and can be deployed and configured in a matter of minutes.

The integration of WebTitan into the Kaseya IT Complete platform was completed in time for the Kaseya Connect conference, which is taking place this week in Las Vegas, Nevada. The event will be attended by some of the top MSPs from around the world.

“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration,” said Ronan Kavanagh, CEO of TitanHQ. “With over 10 million endpoints under their management it represents a massive opportunity for our business. We look forward to working with Kaseya’s MSP partners and adding our personal touch and renowned focus on great customer support.”

Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business. With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection,” said Frank Tisellano, Jr., vice president product management and design.

Magnitude Exploit Kit Changes Payload and EITest Operations Disrupted

There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.

Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery

Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future.

However, exploit kit activity has not fallen to zero and the malicious code is still widely used to deliver malware and ransomware underscoring the continued need for technologies to block these attacks such as web filtering solutions and the continued need to keep on top of patching.

Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited due to the fall in Java vulnerabilities and the phasing out of Adobe Flash.

One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit.

For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices.

While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.

According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriplet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and the infected device is rebooted.

EITest Malware Distribution Network Disrupted

There has been some major good news on the exploit kit front this week with the announcement that the EITest malware distribution network has finally been sinkholed. EITest has been active since at least 2011 and has been used to distribute all manner of malware over the years.

EITest was a major distribution network responsible for countless Kronos, Ramnit, DarkCloud and Gootkit infections, although more recently was used to deliver ransomware variants such as CryptXXX and Cerber and send users to sites running social engineering and tech support scams.

Prior to being sinkholed, EITest was redirecting as many as 2 million users a day to a network of more than 52,000 compromised websites that had been loaded with exploit kit code and social engineering scams. Most of the compromised sites were WordPress sites based in the USA, China, and Ukraine.

The threat actors behind EITest were selling traffic to other actors in blocks of between 50,000 and 70,000 visitors at a cost of $20 per thousand.

Over a 20-day period since EITest was sinkholed, more than 44 million users were directed to the sinkhole rather than malicious websites.

Now all redirects to malicious websites have stopped. The compromised websites remain active, but rather than redirecting users to malicious domains they are directing traffic to benign domains controlled by abuse.ch and brilliantit.com.