Cybercriminals use a variety of tactics, techniques, and procedures for distributing malware, and while email is one of the most common attack vectors, web-based malware attacks are becoming more common. In this article, we explore some of the ways that traffic is driven to malicious websites hosting malware and suggest ways that businesses can protect themselves against these attacks.

SEO Poisoning

SEO poisoning is the term given to the manipulation of search engine results to get malicious websites to appear high in the search engines for specific search terms, often those likely to be used by business users. Cybercriminals create a website or web page, or compromise an existing website and add a page with malicious content. They often choose a domain name or page URL that is very similar to the brand being spoofed. Black hat search engine optimization techniques are then used to trick search engines into ranking the page highly for a specific search term or set of search terms. Common techniques include keyword stuffing (adding many relevant keywords to the HTML and text); backlinking campaigns (adding many backlinks to a website from other websites, such as via private link networks); cloaking (displaying different content to search engine crawlers than to genuine visitors); and artificially inflating click-through rates. These techniques may be used for promoting phishing and other scams, but they are most commonly used for malware distribution. A visitor to the site will be offered a download related to their search term, or will otherwise be prompted to download a file that silently installs malware and gives the attacker access to their device.

Search Engine Ad Abuse / Malvertising

It is easy to create a malicious website for malware distribution, but traffic needs to be driven to that website. Phishing emails are commonly used, but email filters are getting much better at detecting malicious hyperlinks. Instead, cybercriminals can drive traffic to malicious content via Google Ads and other search engine ad platforms or by adding malicious adverts to third-party ad blocks on legitimate websites. Many websites display these adverts as a way of generating additional revenue. While there are control mechanisms in place to prevent malicious adverts from being added to Google and Bing Ads and third-party ad networks, cybercriminals can get around these controls for long enough to drive considerable volumes of traffic to their malicious web pages. This technique is often referred to as malvertising (malicious advertising). Since these adverts appear above the search engine results or are otherwise displayed in a prominent position, they attract a lot of clicks. As with SEO poisoning, the web pages trick users into downloading a malicious file that installs malware.

Torrents and Warez Sites

SEO poisoning and malvertising usually require some user action to install malware. The user must be tricked into downloading and opening a file. One of the easiest ways to do this is to offer something a user wants to download, and ideally, something that requires them to open an executable file. Cybercriminals often bundle malware into the executable files used to install pirated software, or into the product activators/cracks used to generate valid license codes. Torrent sites are used for peer-to-peer file sharing, and often for distributing pirated games, software, videos, and music, with software commonly offered on ‘warez’ sites. Often the content being sought is genuinely installed when the files are run, but malware is silently sideloaded during the installation process. The user gets the software, game, or app they want, and is unaware that malware has also been installed.

How to Protect Against Web-Based Malware Attacks

Assuming that you have an effective spam filter such as SpamTitan Plus for blocking malicious links in emails and antivirus software or other endpoint security solutions installed on each device, there are two main ways for protecting against malware attacks: security awareness training and web filtering.

Security Awareness Training

The importance of security awareness training cannot be overstated. If employees are not made aware of cyber threats and are not taught cybersecurity best practices, they cannot be expected to identify and avoid threats, and they will likely engage in risky practices that could easily lead to a malware infection. Many employees mistakenly believe that they or their company will not be targeted; however, the reality is that businesses of all sizes are being attacked, and employees are usually the easiest way to gain access to sensitive data and internal systems. Training needs to be an ongoing process, where knowledge is improved over time and employees are taught about the changing tactics used by cybercriminals to attack businesses. Training should be provided to all members of the workforce, including the CEO and the C-suite. A good practice is to provide an annual or bi-annual training session, with shorter training modules completed throughout the year. A few minutes each month completing training modules will help to ensure that employees are kept aware of the latest threats and will keep cybersecurity fresh in their minds.

Web Filtering

All of the above techniques involve driving traffic to malicious websites. Training will help employees to recognize and avoid threats, but it is possible to prevent connections to malicious websites from being made with a web filter. A web filter is used to carefully control the web content that employees can access. Web filters typically have category-based filtering controls that can be used to block access to categories of web content that are illegal, undesirable, risky, or otherwise serve no work purpose.

Businesses can block access to torrents/warez sites by category, along with other risky sites. Web filters can be configured to block certain types of files from being downloaded from the internet, such as executable files. This will help to prevent malware delivery and shadow IT installations (software that has not been authorized by the IT department). Web filters are also updated with blacklists of known malicious websites and web pages. Any attempt to visit one of those resources will be blocked, and with a DNS-based web filter, the connection will be rejected without any content being downloaded.
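The three web-filter controls described above (category blocking, executable download blocking, and a blocklist of known-malicious hosts) as a minimal policy evaluator. This is an added example, not TitanHQ or WebTitan code; the hostnames, categories, and blocklist entries are constructed sample data. It also shows why a DNS-based filter decides on the hostname alone, while a file-type rule needs the URL path that only an HTTP-layer filter sees.

```python
# Constructed sample policy data; real products ship their own category feeds.
from urllib.parse import urlparse

CATEGORY_OF_HOST = {
    "torrent-tracker.example": "torrents",
    "free-cracks.example": "warez",
    "docs.example": "business",
}
BLOCKED_CATEGORIES = {"torrents", "warez", "malware"}
KNOWN_MALICIOUS_HOSTS = {"download-update.example"}
BLOCKED_EXTENSIONS = (".exe", ".msi", ".bat", ".scr")


def host_matches(host, listed):
    """True if host equals a listed host or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in listed)


def dns_decision(host):
    """DNS-layer decision: only the hostname is available at this stage."""
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    if host_matches(host, KNOWN_MALICIOUS_HOSTS):
        return "block", "known-malicious host"
    for listed, category in CATEGORY_OF_HOST.items():
        if host_matches(host, {listed}) and category in BLOCKED_CATEGORIES:
            return "block", f"category:{category}"
    return "allow", "no match"


def url_decision(url):
    """HTTP-layer decision: DNS rules first, then file-type rules on the path."""
    parts = urlparse(url)
    verdict, reason = dns_decision(parts.hostname or "")
    if verdict == "block":
        return verdict, reason
    if parts.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", "executable download"
    return "allow", "no match"


if __name__ == "__main__":
    for u in ("https://docs.example/report.pdf",
              "https://docs.example/setup.exe",
              "https://cdn.download-update.example/installer.msi",
              "https://mirror.free-cracks.example/activator.zip"):
        print(u, "->", url_decision(u))
```

Note that the `.zip` from the warez mirror is blocked at the DNS stage by category, before any content is fetched, whereas the `.exe` on an allowed business site is only caught by the path-based rule.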

How TitanHQ Can Help

Many thousands of businesses rely on TitanHQ cybersecurity solutions to protect against malware threats, phishing attacks, business email compromise scams, and other cyber threats. TitanHQ has developed the SpamTitan suite of email security products for blocking phishing, malware, and other email threats, the WebTitan DNS-based web filter for blocking Internet-based threats, and the SafeTitan security awareness training and phishing simulation platform for improving awareness of threats and teaching cybersecurity best practices. All TitanHQ solutions are intuitive, easy to implement, easy to maintain, and easy to use, and are available on a free trial to allow businesses to evaluate them in their own environment before deciding on a purchase. If you want to improve security, why not give the TitanHQ team a call for advice on the best solutions to meet your needs or sign up for a free trial of these solutions.