Web Filtering

Web filtering is an ideal solution to prevent Internet users from visiting unsafe websites that potentially harbor viruses and malware. A web filter works by comparing a request to visit a website against a list of predetermined parameters. If the request fails to pass the criteria defined by the parameters, the request is denied.

This process prevents Internet users from accessing websites they have been invited to visit in a phishing email or when clicking on an advertising link. Web filtering can also be configured to prevent cyberslacking, to block certain types of files from being downloaded or bandwidth-hogging web applications from being used.
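The request-versus-parameters check described above, written out as an added example (this is not WebTitan's code or any vendor's implementation). It evaluates a request against an allowlist, a blocklist, a category list and a blocked file-type list in priority order; the category database, domain names and policy values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed category lookup. A real filter queries a maintained
# categorisation database; these entries exist only for this example.
CATEGORY_DB = {
    "example-news.test": "news",
    "bad-downloads.test": "malware",
    "phish-login.test": "phishing",
    "video-stream.test": "streaming",
    "intranet.corp.test": "business",
}


@dataclass
class Policy:
    allowlist: set = field(default_factory=set)           # always allowed, checked first
    blocklist: set = field(default_factory=set)           # always denied
    blocked_categories: set = field(default_factory=set)  # e.g. {"malware", "phishing"}
    blocked_extensions: set = field(default_factory=set)  # e.g. {"exe", "scr"}


def parent_domains(host):
    """Yield the host and each parent domain: a.b.test -> a.b.test, b.test, test."""
    parts = host.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def lookup_category(host):
    """Category of the most specific domain we know; 'uncategorised' if none."""
    for candidate in parent_domains(host):
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorised"


def file_extension(path):
    """Extension of the last path segment, lower-cased; '' if there is none."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def evaluate(url, policy):
    """Return (decision, reason) for one request. Unparseable input fails closed."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        host = ""
    if not host:
        return ("deny", "unparseable request")
    if any(d in policy.allowlist for d in parent_domains(host)):
        return ("allow", "allowlist")
    if any(d in policy.blocklist for d in parent_domains(host)):
        return ("deny", "blocklist")
    category = lookup_category(host)
    if category in policy.blocked_categories:
        return ("deny", "category:" + category)
    ext = file_extension(parts.path)
    if ext in policy.blocked_extensions:
        return ("deny", "file type:." + ext)
    return ("allow", "category:" + category)


# Constructed policy for the demonstration below.
EXAMPLE_POLICY = Policy(
    allowlist={"intranet.corp.test"},
    blocklist={"blocked-site.test"},
    blocked_categories={"malware", "phishing", "streaming"},
    blocked_extensions={"exe", "scr", "js"},
)

if __name__ == "__main__":
    for url in [
        "http://phish-login.test/login",
        "https://intranet.corp.test/setup.exe",
        "http://example-news.test/report.exe",
        "http://www.example-news.test/",
        "http://cdn.blocked-site.test/x",
    ]:
        print(url, "->", evaluate(url, EXAMPLE_POLICY))
```

The ordering matters: the allowlist is consulted first so an administrator can exempt an internal host even when a later rule (here the `.exe` download rule) would deny it, and anything that cannot be parsed is denied rather than allowed.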

To find out more about how your organization can strengthen its online defenses, enhance productivity and limit bandwidth loss, speak with one of our team today about web filtering.

New Traffic Distribution System Helps Threat Actors Conduct Web-Based Malware Attacks

Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.

Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.

Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.

The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.

Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.

Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.

The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.

To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.

New Bill Proposes Mandatory WiFi Filters in Libraries in Idaho

A new bill has been introduced that proposes mandatory use of WiFi filters in libraries in Idaho to prevent wireless networks from being used to view obscene content. Current legislation in the state only applies to wired networks.

In many other states, web filters in libraries are only required for libraries that wish to obtain discounts on their internet services under the e-Rate program. Many libraries choose not to apply for such discounts to enable them to continue to provide full access to all forms of Internet content, instead choosing to implement policies and procedures covering acceptable usage of their computers and WiFi networks.

Policies and procedures are not seen as sufficient in Idaho, which already has one of the strictest laws in the United States covering internet filtering in libraries. In 2011, legislation was introduced that made it mandatory for library web filters to be implemented on any computers that can be used by minors. The bill that was passed was scaled back, with the original bill calling for mandatory use of Internet filters on all library computers.

The new resolution was introduced by an Idaho House State Affairs committee this week along with a new bill – proposed by Rep. Lance Clow (R-Twin Falls) – that requires all libraries in the state to expand their Internet filtering controls to include their WiFi networks.

The concern is that simply connecting to library WiFi networks may allow users to gain access to obscene content. “Families are torn apart because of the proliferation of this material,” said Clow. Pornography is “creating a public health crisis.”

The resolution says the use of pornography has been “linked to a reduced desire in young men to marry, dissatisfaction in marriage, and infidelity.” The committee wholeheartedly backed the resolution and the new bill, even changing the language to make it clear that young women were also adversely affected by obscene images. A similar resolution was introduced in Utah, on which the Idaho resolution was based.

The use of WiFi filters in libraries is unlikely to cause too many problems, since many filtering solutions that have been implemented already have the capacity to filter both wired and wireless networks. Some libraries have already made the decision to implement Internet filtering controls on their WiFi networks, even though they are not currently required to do so under state laws.

The implementation of WiFi filters in libraries is a quick and easy process with a solution such as WebTitan Cloud for WiFi. WebTitan allows libraries to accurately filter Internet content to prevent obscene images from being accessed without overblocking content. The solution is easy to configure, has a low maintenance overhead, and is one of the cheapest web filtering solutions on the market.

Being DNS based, there is no need for any software installations or hardware purchases. The solution is highly scalable and there is no latency, which makes it a winning solution for libraries and their patrons. WebTitan Cloud can also be easily applied to wired networks.

For further information on WebTitan Cloud and WebTitan Cloud for WiFi, for a product demonstration, and information on a free trial of the solution, contact the TitanHQ team today.

UPDATE: April, 2019: Governor Brad Little has signed the bill into law. Libraries in Idaho will be required to implement filtering technology on their wireless networks by July 1, 2020.

WebTitan Cloud For WiFi – Web Filtering for Libraries  Made Simple

WebTitan Cloud for WiFi is an award-winning WiFi filtering solution that can be implemented in minutes and used to carefully control access to inappropriate Internet content in libraries, without blocking important educational content. WebTitan Cloud for WiFi has highly granular and intuitive controls that require no technical skill to operate. The solution often receives top marks on review platforms for its filtering capabilities, ease of implementation, ease of use, pricing, and customer support. The solution can help you comply with federal and state laws, including the Children’s Internet Protection Act (CIPA).

Some of the important benefits for libraries include:

  • Easy filtering of the Internet across multiple WiFi hotspots
  • Manage access points through a single web-based administration panel
  • Filter by website, website category, keyword term, or keyword score
  • Accurately block pornography
  • Block material contained in the child abuse image content URL list (CAIC List)
  • Upload blacklists and create whitelists
  • Block access to phishing websites
  • Block malware and ransomware downloads
  • Inspect encrypted websites with SSL certificates
  • Schedule and run reports on demand
  • Gain a real-time view of internet activity
  • Control bandwidth use
  • Integrate the solution into existing systems through a suite of APIs
  • Apply time-based filtering controls
  • World class customer service
  • Highly competitive pricing and a fully transparent pricing policy

New TitanHQ Partnership Sees Firm Join HTG Peer Groups as Gold Vendor

Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.

The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community.

TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.

HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace.

The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community.

“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.

HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)

“WebTitan web filter was built by MSPs for MSPs and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships,” said TitanHQ CEO, Conor Madden.

Web security is a hot topic within the managed service provider community. MSPs are being called upon to improve web security for their clients and protect against a barrage of phishing, malware, and ransomware attacks. They are also called upon to mitigate malware and ransomware attacks when they are experienced by their clients, which can be time-consuming and costly. By implementing WebTitan, TitanHQ’s award-winning web filtering solution, MSPs can substantially reduce support and engineering costs.

WebTitan serves as a barrier between end users and the Internet, blocking attempts by users to visit malicious websites where malware and ransomware is silently downloaded. WebTitan is also a powerful content filtering solution that can be used to enforce organizations’ acceptable Internet usage policies.

The web filtering solution and TitanHQ’s anti-spam solution SpamTitan have been developed specifically with MSPs in mind. The solutions can be applied and configured in under 30 minutes without the need for additional hardware purchases, software downloads, or site visits. The solutions have a low management overhead which means MSPs can protect their clients from email and web-based threats, reduce the hands-on time they need to spend on their clients and provide greater value while improving their bottom lines.

Proposed Legislation in Virginia Would Require Web Filter on Internet-Enabled Devices

Delegate Dave A. LaRock (R) and State Sen. Richard Hayden Black (R) have proposed a new bill in the Virginia General Assembly that would require a web filter on internet-enabled devices sold or distributed in the state of Virginia.

House Bill No. 1592, also referred to as the Human Trafficking Prevention Act, is intended to reduce the availability of pornography, which it is believed will reduce the level of human trafficking in Virginia.

Mandatory Web Filter on Internet-Enabled Devices in Virginia

The bill calls for a web filter on all internet-enabled devices. The filtering mechanism would be required to block all obscene items, including obscene images, obscene performances, and obscene exhibitions, in addition to child pornography and unlawful images/videos of people that have been recorded and/or distributed without consent.

The bill does not amount to a ban on pornography in Virginia, as it would be possible for purchasers of Internet-enabled devices – which includes computers, laptops, tablets, and smartphones – to legally disable the content blocking mechanism.

To do so would require an individual to prove to the vendor or distributor of the device, by means of an official photographic ID, that they are over 18 years of age. The distributor of the device must receive a written receipt confirming a written warning has been provided advising of the dangers of unblocking the content filter.

Anyone purchasing a device must also pay a one-time digital access fee of $20 to have the web filter lifted, in addition to any fee charged by the distributor or seller of the device to remove the web filtering capability on the device.

The $20 fee would be paid into a Virginia Prevention of Human Trafficking Victim Fund, while the charges applied by the seller/distributor could be retained. The Virginia Prevention of Human Trafficking Victim Fund would be used solely for supporting victims of human trafficking and to pursue criminal prosecutions in human trafficking cases.

There will be stiff financial penalties and potentially jail time for any seller/distributor who fails to apply the web filter. Removal of the filter without paying the fee would similarly be considered an offense under the Virginia Consumer Protection Act.

There have been mixed reactions to the new bill. Proponents of the bill believe a web filter on internet-enabled devices is necessary to make it harder for state residents to access pornography and that it would also help to prevent minors from accidentally or deliberately accessing obscene website content. It is argued that making individuals pay for access to obscene content would help to eliminate temptation.

Critics of the bill have said the proposed legislation amounts to a ‘sin tax’, while many others feel that such a law would violate the human rights of Americans.

Virginia is not the first state in the US to consider such a bill. House Bill No. 1592 is a virtual carbon copy of legislation that has been proposed in several other states including Alabama, New Mexico, North Dakota and South Carolina.

Skygofree Malware – One of the Most Dangerous Android Malware Threats Ever Seen

According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – a recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen.

Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, being capable of 48 different commands.

Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data, so it is capable of tracking your every move: where you go, as well as where you have been.

Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker.

Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic.

You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device.

With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur. It is believed to be the product of an Italian intercept and surveillance company called Negg, that is known to work with law enforcement agencies.

Kaspersky Lab researcher Alexey Firsh said, “Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”

Skygofree malware is spread via malicious websites that closely resemble those of mobile carriers. Several mobile carriers, including Vodafone, have been spoofed.

Protecting against malware threats such as this is difficult. The best defense is to be extremely careful browsing the internet. However, with malicious adverts able to redirect users to malicious sites, careful browsing is no guarantee of safety.

How to Protect Your WiFi Network and Block Malicious Websites

WebTitan for WiFi offers protection from malware when users connect to your WiFi network. WebTitan for WiFi is a powerful web filtering solution that can be used to restrict access to a predefined list of websites or configured to prevent users from visiting categories of websites known to carry a high risk of containing malware. Blacklists are also used to ensure known phishing and malware-laced websites, including those used to spread Android malware, cannot be accessed via your WiFi network.

To find out more about WebTitan for WiFi, and web filtering solutions for your wired networks, contact the TitanHQ team today.

New Kentucky Web Filtering Law Proposed

A new Kentucky web filtering law has been proposed that will make it mandatory for all vendors of Internet-enabled devices in the state of Kentucky to have pornography filters installed that will prevent users from accessing adult content.

Similar laws have been proposed in other U.S. states to deal with the growing social problems that are caused by pornography. The proposed Kentucky web filtering law is virtually a carbon copy of bills that are being considered in Alabama, North Dakota, and South Carolina.

The proposed Kentucky web filtering law was introduced by Rep. Dan Johnson (R-Mt. Washington). The aim is not to make it impossible to access pornography in Kentucky, only to make it harder. If Kentuckians want to use their Internet-enabled devices to access obscene material such as pornography, they will be required to pay a fee of $20 to have the web filtering controls removed.

The fee could be paid on purchase of the device or at a later date. Lifting the web filter would require proof of age to be supplied and a consent form to be signed. This opt-in approach to adult content is seen as the best way to prevent many of the problems that arise from use of pornography, and to make it much more difficult for minors to view adult web content.

As with other similar web filtering laws that have been proposed, the fees would be directed, in part, to crime victim compensation funds as well as for law enforcement and to add to state funds.

If the Kentucky web filtering law is passed, it would make the supply of PCs and mobile phones without filtering software a Class A misdemeanour. Selling an Internet-enabled device to a minor without web filtering software to block pornography would be a Class C felony.

In Alabama, the proposed laws would see the Class A misdemeanour attract a fine of up to $6,000 and a jail term of up to a year, while the Class C felony would be punishable with a $30,000 fine and up to 10 years in jail.

Laws proposed in Alabama, South Carolina and North Dakota also require a mechanism to be introduced that would allow webpages and websites that have not been blocked by the filter to be easily reported. A call center or website would need to be set up for this purpose, and the sites would need to be added to the filter within a reasonable time frame. The failure to do so would result in a fine of $500 per instance.

The new bill would need to survive a vote, but before that takes place, Rep. Johnson first needs to keep his position. Yesterday, Republicans and Democrats called for Johnson’s resignation following allegations that he sexually assaulted a 17-year old girl at his Fern Creek church.

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.

The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.

LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once a system is infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.

The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.

Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlienVault security researcher Chris Doman reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.

The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.

Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting, which caps the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.

An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.

While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.

These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.

Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and end points.

Magniber Ransomware Spread by Magnitude Exploit Kit

The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.

Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.

An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.

Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.

Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.

To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits.

At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – a memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and fine-tuned.

To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.

Digital Rights Groups Call for Proposed EU Internet Copyright Filter to be Dropped

The EU’s proposed Internet copyright filter has not proven popular with digital rights groups. The Internet copyright filter provision, detailed in Article 13 of the Digital Single Market proposals, would require the Internet to be policed to prevent the online publication of copyrighted content.

At present, if an individual decides to share content online and that material is protected by copyright, the holder of the copyright can submit a request to have the material taken down. The process can take some time before the material is removed, during which time the information can be viewed and potentially downloaded.

The proposed Internet copyright filter would improve protections for copyright holders. Online service providers such as Facebook, Twitter, WordPress, YouTube, and Dropbox would be required to constantly scan uploaded content to check the material is not protected by copyright. If it is, the content would need to be removed immediately.

The Internet copyright filter would certainly go some way toward protecting the rights of copyright holders and would make it harder for music, movies, TV shows, and other video content to be uploaded and viewed by the public. Unsurprisingly, the proposed measure has attracted considerable support from the entertainment industry.

However, there has been considerable opposition to the proposed Internet copyright filter by digital rights groups such as the Electronic Frontier Foundation, Human Rights Watch, Reporters Without Borders, Open Rights Group, European Digital Rights and the Civil Liberties Union for Europe. In total, 56 organizations have added their name to an open letter to EU policymakers calling for Article 13 to be dropped.

Those organizations believe that while there are benefits to Article 13, the Internet copyright filter would be impossible to implement without also violating the freedom of expression detailed in Article 11 of the Charter of Fundamental Rights, as well as imposing excessive restrictions on citizens’ fundamental rights.

If passed, Internet companies would be forced to take down content to avoid possible legal liability, and that would undoubtedly see them erring on the side of caution and applying excessive filtering controls. Legitimate content would be deleted and Internet filtering controls would limit freedom to impart and receive information. Further, it would be difficult in practice to differentiate illegal uploads of content that violate copyright laws from legitimate uses of content.

Whether the letter will result in Article 13 being dropped remains to be seen, but if not, there are likely to be further challenges. As is mentioned in the letter, previous attempts to introduce new laws that conflict with the Charter of Fundamental Rights have been rejected by the Court of Justice. If those precedents are followed, Article 13 would likely be rendered invalid.

Commission Upholds Decision to Fire Employee for Viewing Pornography at Work

A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate.

In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015.

The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.

Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees

The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk.

To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed.

The employee suggested the sites could have been popups, although the claim was rejected by her employer. To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to pornographic websites.

After hearing the unfair dismissal case and the evidence against the employee, the WRC ruled that ‘on the balance of probability,’ the employee was the person responsible for accessing the material and that, under the circumstances, the decision to fire the employee was correct.
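
The attribution step the Partnership had to perform (proxy log against the duty roster, sole-presence events counted per person, with a cross-check across all events) as a worked example. This is added illustration code, not anything from the WRC case: the log lines, the roster, the staff names and the shared workstation address 10.0.5.20 are constructed.

```python
"""Attribute events on a shared workstation to staff by correlating a web
proxy log with the duty roster. Added example, not from the case described
above: the log lines, roster, staff names and the workstation address
10.0.5.20 are all constructed."""
from datetime import datetime
from typing import Dict, List, Set

# Constructed proxy log: timestamp, client IP, filter category, URL.
PROXY_LOG = """\
2015-09-03T11:42:10 10.0.5.20 adult http://adult-site.example/1
2015-09-14T15:05:31 10.0.5.20 adult http://adult-site.example/2
2015-10-02T09:17:44 10.0.5.20 adult http://adult-site.example/3
2015-10-02T09:20:01 10.0.5.20 news http://news.example/
2015-10-19T16:48:09 10.0.5.20 adult http://adult-site.example/4
2015-11-04T12:31:55 10.0.5.20 adult http://adult-site.example/5
2015-11-11T08:59:02 10.0.5.20 adult http://adult-site.example/6
2015-11-23T14:10:27 10.0.5.20 adult http://adult-site.example/7
"""

# Constructed roster: date -> staff scheduled to work in reception that day.
ROSTER: Dict[str, Set[str]] = {
    "2015-09-03": {"alice"},
    "2015-09-14": {"alice", "bob"},
    "2015-10-02": {"alice", "carol"},
    "2015-10-19": {"alice"},
    "2015-11-04": {"alice", "bob"},
    "2015-11-11": {"alice"},
    "2015-11-23": {"alice", "carol"},
}


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, category, url = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "category": category, "url": url})
    return events


def attribute(events: List[dict], roster: Dict[str, Set[str]],
              host_ip: str, category: str) -> List[dict]:
    """For each event of interest on the shared host, the set of staff who,
    per the roster, could have been at that machine. An empty set means the
    roster has no entry for that day, which the report must surface rather
    than silently attribute."""
    records = []
    for ev in events:
        if ev["ip"] != host_ip or ev["category"] != category:
            continue
        day = ev["ts"].date().isoformat()
        records.append({"ts": ev["ts"], "url": ev["url"],
                        "candidates": set(roster.get(day, set()))})
    return records


def summarize(records: List[dict]) -> dict:
    sole: Dict[str, int] = {}
    ambiguous = unattributed = 0
    for r in records:
        c = r["candidates"]
        if len(c) == 1:
            who = next(iter(c))
            sole[who] = sole.get(who, 0) + 1
        elif not c:
            unattributed += 1
        else:
            ambiguous += 1
    return {"sole": sole, "ambiguous": ambiguous, "unattributed": unattributed}


def always_present(records: List[dict]) -> Set[str]:
    """Staff scheduled for every attributable event. Anyone absent from even
    one event cannot be the sole explanation for the whole series."""
    sets = [r["candidates"] for r in records if r["candidates"]]
    return set.intersection(*sets) if sets else set()


def attribution_report(log: str = PROXY_LOG, roster: Dict[str, Set[str]] = ROSTER,
                       host_ip: str = "10.0.5.20", category: str = "adult") -> dict:
    records = attribute(parse_log(log), roster, host_ip, category)
    return {"events": len(records), **summarize(records),
            "always_present": always_present(records)}


if __name__ == "__main__":
    print(attribution_report())
```

The sole-attribution count is the evidence that carries weight, but the intersection check matters too: if the roster shows the suspected person was not on duty for one of the events, the series has at least two explanations and the "balance of probability" argument weakens. Days with no roster entry are reported as unattributed rather than assumed.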

Two Thirds of Men and One Third of Women Admit to Viewing Pornography at Work

Even though viewing pornography at work is prohibited in many organizations, employees ignore company rules and access obscene material on their work computers. The actions often result in instant dismissal when they are discovered, although many employees believe they won’t be caught or do not realize Internet logs are maintained. Many choose to anonymize their Internet activity by connecting to the Internet via VPNs and other anonymizing services.

The scale of the problem has been identified by several surveys and studies. In one notable study, conducted by Proven Men Ministries in 2014, 63% of men and 36% of women admitted having accessed pornography at work on at least one occasion. Other studies in the United States and the UK have also confirmed viewing pornography at work is commonplace.

The viewing of pornography at work can cause many problems for employers. In this case, the Social Community Partnership could have lost essential government funding. Even though that didn’t happen, there has been considerable negative publicity and the expense of fighting an unfair dismissal claim.

When employees view pornography at work it can easily lead to the creation of a hostile working environment, lawsuits could be filed by other employees who have been made to feel uncomfortable by the actions of others, and when illegal pornographic material is accessed at work – child pornography for example – the consequences for employers can be severe.

How Can Businesses Prevent Employees Viewing Pornography at Work?

Acceptable Internet usage policies ensure that employees who breach the rules can be fired, but they do not prevent employees from viewing pornography at work. Cases such as this show how important it is to implement technology that prevents employees from accessing inappropriate website content: not just pornography, but other content that should not be accessed in the workplace.

The expense and problems experienced by the Social Community Partnership could easily have been avoided if a web filter had been used. A web filter is a simple method of enforcing acceptable Internet usage policies and preventing pornography and other unacceptable content from being accessed by employees. A web filter can also block known anonymizer and VPN services, which would otherwise let an employee hide the destinations of their browsing from the access logs.

Further, a web filter is easy to implement, inexpensive, and can help organizations prevent considerable productivity losses, while reducing legal liability.

To find out more about the benefits of web filtering, and how you can stop employees viewing pornography at work, contact the TitanHQ team today and ask about WebTitan.

PornHub Malvertising Campaign Infects Millions with Malware

A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded, or sites used to phish for login credentials. These malverts often appear on legitimate websites, which lends them apparent legitimacy. The sites users are directed to can deliver any type of malware: keyloggers, ransomware, spyware or adware.

The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.

Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.

The attackers fingerprinted the visitor's browser and redirected them to a lure page tailored to it. The Pornhub malvertising campaign targeted users of Chrome, Internet Explorer/Edge and Firefox. The lure pages were crafted to match the colors, fonts, logos and branding of Google, Mozilla Firefox and Microsoft, and claimed that a critical security update was required to secure the user's browser. Downloading and running that "update" resulted in infection; no exploit was needed, only the user's cooperation.

The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.

Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations prohibit pornography in their acceptable usage policies, but unless a filtering solution is implemented to block access, some employees are likely to break the rules. You may have a policy stating that accessing pornography at work will result in instant dismissal, but when someone breaks the rules it is not just their job that is on the line: your network could be infected with malware.

Of course, cybercriminals do not only place malicious adverts on adult websites. Malvertising can appear on any website that includes ad blocks from third-party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them, including websites that are likely to feature heavily in your Internet access logs: the New York Times website, for example, or the BBC and MSN.

This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the Wannacry ransomware attacks.

Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.

If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.

Malvertising Phishing Attacks Soar, Underscoring Need for a Web Filter

Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.

Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.

These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.

However, the study shows a massive increase in malvertising phishing attacks as cybercriminals changed tactics. Phishing-related ads increased by 131% between Q1 and Q2, 2017, and between 2015 and 2016 malvertising phishing attacks increased by a staggering 1,978%.

The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys; when they do offer an incentive, participants are usually entered into a draw for a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for these scams.

The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.

When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.

Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.

Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.

With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.

To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact TitanHQ today.

The High Cost of a Ransomware Attack

Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.

The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center paid a ransom of $19,000 to regain access to its systems. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to decrypt its 53 Linux servers and 3,400 customer websites.

These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost is often the disruption to business services while files are out of action. Systems can be unavailable for several days, bringing revenue-generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing an estimated $700,000 loss in billings.

In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.

Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.

Ransomware is Here to Stay

As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.

Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.

Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.

Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.

Ransomware attacks on mobile devices are now commonplace, with both screen-lockers and file-encryptors in use. Screen-locking ransomware prevents users from accessing any apps or functions, rendering the device unusable; file-encrypting variants encrypt the data stored on the device. These variants are most commonly packaged with apps distributed through unofficial app stores. Risk can be substantially reduced by only installing apps from official app stores and keeping all apps up to date.

Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, backup all data, and constantly monitor for indicators of compromise.

Tips for Preventing a Ransomware Attack

  • Ensure users only have access to data and network drives necessary for them to perform their jobs.
  • Backup devices should be disconnected when backups have been performed.
  • Keep operating systems, software applications, and plugins up to date and fully patched.
  • Block access to websites known to host exploit kits using a web filter such as WebTitan.
  • Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
  • Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
  • Segment your network and restrict administrator rights.

To ensure a swift recovery from a ransomware attack, make sure you:

  • Create multiple backups of all files, websites, and systems.
  • Create three backups on two different media and store one copy offsite.
  • Develop a ransomware response plan that can be implemented immediately when an attack is suspected.

Jimmy Nukebot: A New Iteration of the NeutrinoPOS Banking Trojan

Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality.

However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for other malicious payloads. The malware also acts as a backdoor that allows the actors behind it to monitor activity on an infected device.

Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device.

Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated.

The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.

Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised.

Protecting against threats such as this requires advanced malware defences, although as with most malware infections, they occur as a result of the actions of end users such as opening infected email attachments, clicking hyperlinks in emails or visiting websites that silently download malware.

Improving security awareness of employees will go a long way toward preventing malware from being installed. Coupled with an advanced spam filter to block email-based threats, a web filter to block redirects to exploit kits, regular patching, the enforced use of strong passwords, and advanced anti-malware technology, organisations can protect themselves against malware threats.

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.

Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.

Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.

Acceptable usage policies can help organizations prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is through malvertisements. Many high-traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts that are displayed on member sites, with the site owners earning money from ad impressions and click-throughs.

While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.

Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine.

The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. The advert domains closely mimic genuine ones: FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert YouTube videos to MP3 files. The imagery used in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.

The exploits used in the latest campaign are all old, therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.

Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.

In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.

WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.

To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.

The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.

School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.

CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make them available to students and display the rules prominently. However, without school web filtering technology, such policies are easy to ignore. A technological control ensures that students wishing to engage in illegal activities online, or to view harmful website content, are prevented from doing so.

Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals attempt to bypass Internet usage policies. A web filtering solution should therefore be able to generate reports of attempts to access prohibited material so that schools can take action. Schools have also been advised to sensitize parents to the safety norms and even to consider disciplinary action when children are found to have attempted to access inappropriate material.

While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age group. Schools should set filtering controls by user group and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allow controls to be set for different user groups, so separate filtering policies can be applied to staff and to students of different ages.

Other Internet controls that have been suggested include rapidly disabling usernames and passwords when children leave the school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children's sensitive information, and having staff avoid posting images and videos of their students online.

School Web Filtering Technology from TitanHQ

The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge. Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.

TitanHQ offers a more cost-effective and easy to manage solution – The 100% cloud-based web filter, WebTitan. WebTitan Cloud and WebTitan Cloud for WiFi make filtering the Internet a quick and easy process. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.

Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.

These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.
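
The per-group policy described in this post (separate policies for staff and for student age groups, category blocking, a subscribed blacklist that no whitelist can override, whitelists for legitimate pages, and reports of blocked attempts), together with the third-party advert blocking recommended in the malvertising posts above, as a worked example of how a DNS-based filter decides each lookup. This is added illustration code, not WebTitan's implementation: the category feed, the groups, the policies, the domains under .test and .example and the query batch are constructed, and the block page address 192.0.2.1 is an RFC 5737 documentation address standing in for a real one.

```python
"""Decision logic for a DNS-based web filter with per-group policies.

Added example; not WebTitan's code. Category feed, groups, policies, the
.test/.example domains and the query batch are constructed, and the block
page address is a documentation address (RFC 5737)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BLOCK_PAGE_IP = "192.0.2.1"  # returned instead of the real answer when blocking

# Constructed category feed (domain -> category). A subscribed blacklist such
# as the Internet Watch Foundation list would load into "blacklist".
CATEGORIES: Dict[str, str] = {
    "adult.example.test": "pornography",
    "bet.example.test": "gambling",
    "games.example.test": "gaming",
    "torrent.example.test": "file-sharing",
    "vpn.example.test": "anonymizer",
    "ads.example.test": "advertising",
    "phish.example.test": "phishing",
    "abuse.example.test": "blacklist",
    "news.example.test": "news",
}

# Blocked for every group; a group whitelist cannot override these.
ALWAYS_BLOCK: Set[str] = {"blacklist", "phishing", "malware"}


@dataclass
class Policy:
    blocked_categories: Set[str]
    whitelist: Set[str] = field(default_factory=set)  # domain or parent domain
    blacklist: Set[str] = field(default_factory=set)


STUDENT_BLOCK = {"pornography", "gambling", "gaming", "file-sharing",
                 "anonymizer", "advertising"}
POLICIES: Dict[str, Policy] = {
    "staff": Policy({"pornography", "anonymizer", "advertising"},
                    blacklist={"social.example.test"}),
    "students-11-14": Policy(set(STUDENT_BLOCK)),
    # Older students may use one named gaming site although the category is blocked.
    "students-15-18": Policy(set(STUDENT_BLOCK), whitelist={"games.example.test"}),
}


@dataclass
class Decision:
    domain: str
    group: str
    action: str  # "allow" or "block"
    reason: str


def parent_domains(domain: str) -> List[str]:
    """'a.b.example.test' -> ['a.b.example.test', 'b.example.test', 'example.test', 'test']."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_category(domain: str) -> Optional[str]:
    """Subdomains inherit the category of the closest listed parent."""
    return next((CATEGORIES[c] for c in parent_domains(domain) if c in CATEGORIES), None)


def in_list(domain: str, names: Set[str]) -> bool:
    return any(c in names for c in parent_domains(domain))


def decide(domain: str, group: str) -> Decision:
    """Fixed precedence: unknown group (fail closed) > global block categories >
    group whitelist > group blacklist > group category policy > allow."""
    d = parent_domains(domain)[0]
    policy = POLICIES.get(group)
    if policy is None:
        return Decision(d, group, "block", "unknown group")
    category = lookup_category(d)
    if category in ALWAYS_BLOCK:
        return Decision(d, group, "block", f"category:{category}")
    if in_list(d, policy.whitelist):
        return Decision(d, group, "allow", "whitelist")
    if in_list(d, policy.blacklist):
        return Decision(d, group, "block", "group blacklist")
    if category in policy.blocked_categories:
        return Decision(d, group, "block", f"category:{category}")
    return Decision(d, group, "allow", f"category:{category or 'uncategorized'}")


def dns_answer(domain: str, group: str) -> Optional[str]:
    """Block page address for a blocked lookup; None means resolve normally."""
    return BLOCK_PAGE_IP if decide(domain, group).action == "block" else None


def blocked_report(decisions: List[Decision]) -> Dict[str, Dict[str, int]]:
    """Blocked attempts per group and reason, for the follow-up the post describes."""
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for dec in decisions:
        if dec.action == "block":
            report[dec.group][dec.reason] += 1
    return {g: dict(r) for g, r in report.items()}


def run_batch() -> Dict[str, Dict[str, int]]:
    """A constructed batch of lookups, as a resolver log would show them."""
    queries = [("ADULT.example.test.", "staff"), ("tracker.ads.example.test", "staff"),
               ("unlisted.test", "staff"), ("news.example.test", "students-11-14"),
               ("cdn.games.example.test", "students-11-14"), ("vpn.example.test", "students-11-14"),
               ("games.example.test", "students-15-18"), ("abuse.example.test", "students-15-18")]
    return blocked_report([decide(dom, grp) for dom, grp in queries])


if __name__ == "__main__":
    for group, reasons in run_batch().items():
        print(group, reasons)
```

Two design choices are worth keeping when adapting this: the globally blocked categories are checked before any whitelist, so adding a legitimate-looking page to a group's whitelist can never expose a blacklisted site, and a lookup from a client whose group is unknown is blocked rather than allowed, so a misconfigured VLAN or roaming agent fails safe.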

WebTitan also supports remote learning. All students’ devices can be protected while connected to a school’s wired or wireless network. To extend protection beyond the school gates, a WebTitan On-The-Go (OTG) roaming agent can be installed on devices. This will ensure that the content filtering policy will apply no matter where that device connects to the Internet.

If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation Free Trial and see the benefits of WebTitan for yourself before making a decision about a purchase.

Internet Filtering Laws in the United States

Internet filtering laws in the United States are mostly introduced at the state level, although federal legislation has been introduced for schools and libraries – The Children’s Internet Protection Act (CIPA).

Typically, Internet filtering laws in the United States are concerned with protecting minors. Laws apply to schools and libraries, although some states also require publicly funded institutions to apply controls to block the accessing of pornography, obscene and other harmful material by minors.

However, legislation is now being considered to force vendors or suppliers of Internet-enabled devices to implement Internet filtering technology by default. The aim is not to prevent adults from accessing pornographic material on their personal devices, only to ensure that there are some controls in place. That means all vendors/suppliers of Internet-enabled devices will be required to implement a web filtering control, with the new device owners required to opt in if they wish to view pornography. Opting in must be done in writing and requires proof of age.

Consumers will also be required to pay a fee to have the Internet filtering software removed. In South Carolina, legislation has been proposed that would require consumers to pay $20 to have the pornography block removed. The legislation was filed with the South Carolina General Assembly in December 2016. Similar legislation was also proposed in Utah in 2016.

Federal Internet Filtering Laws in the United States

At the federal level, all schools and libraries are required to comply with CIPA and implement web filters to prevent minors from accessing obscene material, pornographic images, images of child abuse, and other potentially harmful material if they wish to apply for discounts under the E-rate program or accept Library Services and Technology Act grants. If organizations choose not to apply for those grants or receive E-rate discounts, Internet filtering laws in the United States do not apply, at least at the federal level.

State-Level Legislation on Internet Controls

Beyond CIPA, Internet filtering laws in the United States are applied at the state level and usually concern K12 schools and public libraries. Not all states require Internet filters to be applied; some only require policies to be introduced to restrict access.

Individual states that have introduced legislation requiring schools and libraries to implement web filters or policies to control the content that can be accessed by minors are summarized in the table below. Since state laws often change, it is strongly advisable to consult your state department for updates to state legislation.

When policies are required to control access, schools and libraries may prefer to use a software or cloud-based solution to provide a greater level of protection. State laws are only concerned with ensuring the minimum level of Internet safety for minors when venturing online.

Quick Reference Guide Detailing U.S. States with Internet Filtering Laws (2017)

State          | Schools                       | Libraries
---------------|-------------------------------|------------------------------
Arizona        | Yes (Technology)              | Yes (Technology or policies)
Arkansas       | Yes (Policies)                | Yes (Policies)
California     | No                            | Yes (Policies)
Colorado       | Yes (Policies)                | Yes (Policies)
Delaware       | No                            | Yes (Policies)
Georgia        | Yes (Policies)                | Yes (Policies)
Idaho          | Yes (Policies and Technology) | Yes (Policies)
Indiana        | No                            | Yes (Policies)
Iowa           | No                            | Yes (Policies)*
Kansas         | Yes (Technology)              | Yes (Technology)
Kentucky       | Yes (Policies)                | Yes (Policies)
Louisiana      | Yes (Policies)                | No
Maryland       | No                            | Yes (Policies)
Massachusetts  | Yes (Policies or Technology)  | No (Policies or Technology)
Michigan       | No                            | Yes (Technology)
Minnesota      | No                            | Yes (Technology)**
Missouri       | Yes (Technology)              | Yes (Technology)
New Hampshire  | Yes (Policies)                | No (Policies)
New York       | No                            | Yes (Policies)
Ohio           | Yes (Technology)***           | No
Pennsylvania   | Yes (Technology)              | Yes (Technology)
Rhode Island   | Yes (Policies)                | No
South Carolina | Yes (Policies)                | No (Under evaluation)
South Dakota   | Yes (Policies or Technology)  | No
Tennessee      | Yes (Policies)                | No
Utah           | Yes (Policies)                | Yes (Policies or Technology)
Virginia       | Yes (Technology)              | Yes (Policies)
* Libraries that apply for and receive funding through the Enrich Iowa Program.

** Public libraries receiving state funding must also apply filtering controls to prevent adults from accessing obscene material including child pornography.

*** Home-schooled students must also be provided with a filtering device or service.

The following states have introduced legislation that requires Internet service providers to offer web filtering services so that state residents can protect children from potentially harmful website content:

  • Louisiana
  • Maryland
  • Nevada
  • Texas
  • Utah

Disclaimer

Internet filtering laws in the United States are subject to change. The Internet filtering laws in the United States detailed on this page are for information purposes only. Schools and libraries should consult their state/education departments for details of the laws that apply in their state.

Cybercriminals Generate Ransomware Profits of $25 Million in 2 Years

A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.

Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.

Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.

Two notable exceptions exist. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted; the firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. More recently, a Canadian company reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.

Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering, has shed some light on actual ransomware profits. The study analyzed the blockchain and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.

The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.

Google has calculated that Locky earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and SamSam, both on $1.9 million. Spora ransomware did not make it into the top five, but Google researchers warn that it is an up-and-coming ransomware variant and one to watch over the coming months.

In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber ransomware can be attributed to the skill of the developers in developing a ransomware variant that can evade detection and the affiliate model used to distribute the ransomware – Ransomware-as-a-Service (RaaS).

RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.

WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks were calculated by Google to be around $100,000.

Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, although it was actually a wiper. A ransom demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.

The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered that thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing their binaries automatically, which makes signature-based detection difficult.

Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.

Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said, “Ransomware is here to stay and we will have to deal with it for a long time to come.”

More than 500,000 Systems Infected with Stantinko Malware

Stantinko malware may only recently have been detected, but it is far from a new malware variant: it has been in use for the past five years. In that time, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.

The botnet has primarily been used to run a largescale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.

ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional backdoor, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.

While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it.

ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.

The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.

Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. In particular, ESET notes that infection has occurred through fake torrent files that are actually executables.

Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.

The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. The downloading of pirated material, even accessing torrent files, has the potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.

Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrent sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.

Domain Shadowing Crackdown Sees 40,000 Malicious Subdomains Taken Down

Hackers have been phishing for domain credentials, using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit.

The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently, without the user’s knowledge. All that is required for infection is an out-of-date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the RIG exploit kit is now the leading EK used by cybercriminals, and activity has increased sharply in recent months.

Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third-party ad networks. Those ads are then syndicated across a wide range of high-traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites.

Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware.

The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.

While this takedown is certainly good news, it is unclear how much of an effect it will have on RIG EK operations, as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to prevent cybercriminals from using domain shadowing and are monitoring for newly created subdomains. It is unclear whether sites purchased through other domain registrars have been targeted in a similar way.

Domain shadowing is a problem because content filters typically have problems identifying malicious subdomains on a genuine website. Since the subdomains only remain active for around 24 hours before being shut down, cybercriminals can avoid domain blacklisting.

However, content filters can prevent users from visiting known malicious websites and they offer protection against webpages hosting exploit kits. They can also be configured to block the downloading of specific file types.
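Because a shadowed subdomain is a brand-new label on a domain the organization has been browsing for a long time, defenders can complement blacklists with a "new hostname on an established domain" check over proxy or DNS logs. The following Python sketch is an added example and not part of the original article; its log format, hostnames, addresses and seven-day baseline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample web proxy log: "<ISO timestamp> <client> <host> <path>".
# Every hostname and address here is invented for the example.
SAMPLE_LOG = """\
2017-05-01T08:00:00 10.0.0.5 www.example-shop.com /
2017-05-01T08:05:00 10.0.0.7 blog.example-shop.com /news
2017-05-03T09:10:00 10.0.0.5 www.example-shop.com /cart
2017-05-10T14:21:00 10.0.0.9 x7k2q.example-shop.com /gate.php
2017-05-10T14:22:00 10.0.0.9 ads.example-news.net /
2017-05-10T14:23:00 10.0.0.4 www.example-news.net /
"""


def registrable_domain(host):
    """Return the owner-controlled domain of a hostname (last two labels).
    Simplification for the example: a production version should consult the
    Public Suffix List so that names such as 'site.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed_candidates(log_text, baseline_days=7):
    """Flag the first request to a hostname never seen before in the logs when
    its parent domain already has at least baseline_days of browsing history.
    A shadowed subdomain lives about a day on an otherwise long-established
    site, so 'new label, old domain' is the signal a pure blacklist misses."""
    host_first_seen = {}    # hostname -> first timestamp observed
    domain_first_seen = {}  # registrable domain -> first timestamp observed
    candidates = []
    for line in log_text.splitlines():
        ts_text, client, host, path = line.split(maxsplit=3)
        ts = datetime.fromisoformat(ts_text)
        domain = registrable_domain(host)
        domain_first_seen.setdefault(domain, ts)
        if host in host_first_seen:
            continue  # only the first sighting of a hostname is interesting
        host_first_seen[host] = ts
        if ts - domain_first_seen[domain] >= timedelta(days=baseline_days):
            candidates.append({"host": host, "domain": domain, "client": client,
                               "path": path, "time": ts_text})
    return candidates


if __name__ == "__main__":
    for hit in find_shadowed_candidates(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}{hit['path']} "
              f"(new label on established domain {hit['domain']})")
```

Hits are review candidates, not verdicts: legitimate sites add subdomains too, so the output belongs in an analyst queue alongside the blacklist, not in an automatic block rule.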

Organizations are also strongly advised to ensure browsers and plugins are kept up to date, especially Java, Silverlight and Adobe Flash plugins. Malware downloaded by the RIG exploit kit most commonly leverages the CVE-2015-8651 vulnerability, although other common exploits include CVE-2016-0189, CVE-2015-2419, and CVE-2014-6332.