Cybercriminals have a diverse arsenal for conducting attacks. Phishing is a leading attack vector used by ransomware gangs, nation-state threat actors, and other cybercriminals, and even the protection provided by multifactor authentication is now being bypassed in some sophisticated campaigns. Unpatched vulnerabilities are often exploited to gain access to networks, and brute force attacks are used to guess weak credentials, but a great many attacks are conducted over the web.
Common Web-Based Threats
Malicious adverts are submitted to advertising networks, which display them in the third-party ad blocks on many of the most popular websites. Termed malvertising, these adverts redirect users to malicious websites where malware is downloaded or phishing content is hosted. The adverts often promote fictitious software solutions, which users are tricked into downloading and installing. Oftentimes a genuine program is installed, but malware is installed alongside it in the background.
Despite the controls Google has in place for detecting malicious content, some malicious ads make it into the search engine listings. These adverts are displayed at the top of the Google results, so they can attract considerable traffic. In the fall of 2021, one such campaign targeted cryptocurrency investors and caused losses of more than $500,000 before Google detected the malicious adverts and removed them from its Google Ads platform.
Malicious websites are also displayed in the search engine listings for specific business searches, with SEO poisoning techniques used to push the sites high up the listings. These websites may have only a short shelf life before they are detected and removed from the listings, but they are added in such volume that they pose a significant risk. These campaigns are commonly used for distributing malware, with users tricked into thinking they are downloading the content or program they have been searching for.
Another common web-based attack involves pirated software and copyright-infringing material added to peer-to-peer file-sharing networks, where the user is tricked into installing malware in the belief they are getting licensed software for free. The product activators or cracks used for generating license codes often carry the payload: users may get the genuine software they were seeking, but malware is silently installed in the background.
Another tried and tested web-based attack, which has been used by cybercriminals for almost as long as the web itself, is known as typosquatting or URL hijacking. Typosquatting targets careless typists. The threat actor registers a swathe of domains that are very similar to the domains used by the brands being spoofed. These domains often have transposed letters (Microsfot.com, for instance), or are registered with missing, doubled, or additional letters.
These websites do not need to appear in the search engine listings, as they target people who type the address directly into the address bar. Since these websites may look almost identical to the sites they spoof, they can be very convincing. These campaigns are especially effective against mobile users, as misspellings are much easier to make on a phone keyboard and users are much less likely to check the URL after typing.
Last weekend, a massive typosquatting campaign was discovered that included more than 200 separate domains, each of which was a clone of the brand being spoofed or a very close approximation. The domains included common misspellings and typos of 27 different brand names, including PayPal, Snapchat, Google Wallet, the Tor Project browser, and TikTok. In this campaign, the goal was to trick visitors into downloading Windows or Android malware, including the ERMAC banking Trojan, which targets banking accounts and cryptocurrency wallets.
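To make the typosquatting mechanism concrete, here is a small detector for the typo patterns described above, written for this article as an added example; it is not TitanHQ code and is not taken from the campaign. It generates the single-keystroke variants of a set of protected brand domains (transposed, omitted, doubled and adjacent-key letters, plus the common 0/1 stand-ins for o, l and i) and flags requested hostnames that match one. The brand list, the keyboard-adjacency map and the sample hostnames are constructed for the example, and the registrable-domain extraction assumes a single-label TLD such as .com.

```python
"""Typosquat detector: added example, not TitanHQ code.

Builds the classic one-keystroke typo variants of a set of protected brand
domains and flags requested hostnames that match one of them. The brand
list, keyboard map and sample hostnames below are constructed for the example.
"""

# Constructed list of brands we want to protect (assumption for the example).
PROTECTED = {"microsoft.com", "paypal.com", "tiktok.com"}

# Neighbouring keys on a QWERTY keyboard; a fat-finger substitution swaps
# the intended letter for one of these.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy",
    "y": "tghu", "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Look-alike digits that squatters use in place of letters.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1"}


def typo_variants(domain):
    """Return the set of one-keystroke variants of a registrable domain.

    Only the label before the first dot is mutated; the TLD is kept because
    squatters usually keep it so the address still looks right at a glance.
    """
    label, _, tld = domain.lower().partition(".")
    variants = set()
    n = len(label)
    for i in range(n - 1):                       # transposition: microsfot
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                           # omission: microsft
        variants.add(label[:i] + label[i + 1:])
    for i in range(n):                           # doubled letter: micrrosoft
        variants.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):               # adjacent key or 0/1: micrisoft, paypa1
        for sub in QWERTY_NEIGHBOURS.get(ch, "") + HOMOGLYPHS.get(ch, ""):
            variants.add(label[:i] + sub + label[i + 1:])
    variants.discard(label)                      # identical-letter transpositions
    return {v + "." + tld for v in variants if v}


def build_index(protected):
    """Map every typo variant back to the brand it impersonates."""
    index = {}
    for brand in protected:
        for v in typo_variants(brand):
            if v not in protected:               # never flag a real brand as a squat
                index[v] = brand
    return index


def registrable(host):
    """Crude registrable-domain extraction: last two labels.

    Assumption: single-label TLDs such as .com; multi-part suffixes like
    co.uk would need a public-suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_host(host, index, protected):
    """Classify a requested hostname.

    Returns ("brand", brand) for the genuine domain, ("typosquat", brand)
    for a one-keystroke lookalike of a protected brand, else ("allow", None).
    """
    dom = registrable(host)
    if dom in protected:
        return ("brand", dom)
    if dom in index:
        return ("typosquat", index[dom])
    return ("allow", None)


if __name__ == "__main__":
    idx = build_index(PROTECTED)
    # Constructed sample of hostnames a DNS filter might see.
    for h in ["login.microsoft.com", "www.Microsfot.com", "paypa1.com",
              "tiktik.com", "example.org"]:
        print(f"{h:24} -> {check_host(h, idx, PROTECTED)}")
```

Running the script prints a verdict for each sample hostname. A production DNS filter would run this kind of check at resolution time and combine it with threat intelligence, because the generator above deliberately covers only one keystroke of distance: lookalikes that differ by two or more edits, swap the TLD, or add a word (paypal-login.com) are not caught by it.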
These are just a few examples of web-based attacks, and despite the risks they pose, many businesses do not have cybersecurity solutions in place to detect and block them. Security awareness training will go a long way toward improving defenses against these attacks and should be provided regularly to the workforce. Businesses should also consider implementing a web filter.
A web filter is a software solution that allows businesses to control the content their users can access, much like a parental control filter that prevents minors from accessing age-inappropriate content. The web filter is fed threat intelligence from a global network of endpoints. When a malicious site is detected, it is added to the blocklist and any attempt to connect to the site is prevented.
Web filters such as WebTitan Cloud, TitanHQ’s DNS-based web filter, also scan websites and score them on how likely they are to be malicious. This provides protection against new URLs that have yet to be confirmed as malicious. WebTitan Cloud can also be configured to block downloads of certain file types, such as executable files, which are used both to install “shadow IT” (software unauthorized by the IT department) and to deliver malware. Content can also be blocked by category, to help improve productivity and prevent access to inappropriate web content such as pornography.
Importantly, WebTitan Cloud is designed to protect businesses against all of the above web-based attacks. For more information on web filtering, to arrange a product demonstration, or to sign up for a free trial of the solution, give the TitanHQ team a call.