Web Filtering

Watering Hole Attacks Deliver Keylogger and Malware Loader

A watering hole attack, as the name suggests, is a cyberattack involving a place that is frequently visited. A threat actor uses a website that is often visited by the targeted business or individual: malware is loaded onto that site and is inadvertently downloaded or executed when a user lands on it. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials.

These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns. One such campaign has recently been detected and attributed to the Chinese APT group tracked as TA423; it delivers the JavaScript-based reconnaissance tool ScanBox. The campaign targets offshore energy firms that operate in the South China Sea.

While watering hole attacks often see malware written to disk, this campaign is different as ScanBox is executed in the web browser and requires no malware to be downloaded. Once executed, ScanBox logs keystrokes and records all activity on the infected website, including any passwords that are entered. As is often the case with these watering hole attacks, the user is directed to the website via a phishing email. In this campaign, targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization – the fictional Australian Morning News. The website to which the user is directed includes news content that has been scraped from legitimate news outlets, and a user who lands on the site is served the ScanBox framework, which is used for reconnaissance and browser fingerprinting.

In addition to collecting information about the browser, operating system, extensions, and plugins, the attack sets up Interactive Connectivity Establishment (ICE) communications with STUN servers, allowing communication with victim devices even when they sit behind network address translation (NAT) gateways and firewalls.

Watering hole attacks have been conducted by a range of different APT groups and these attacks have been the initial access vector of choice for Iranian threat actors for several years. Earlier this year, a campaign was detected that targeted Israeli websites and attempted to collect data from logistics companies involved with shipping and healthcare, and attempted to deliver malware that provided persistent access to victim devices.

Watering hole attacks can also be conducted by cybercriminal groups for distributing malware. One such campaign was recently detected that targets law firms with the goal of delivering Gootloader, a first-stage malware loader that can be used for delivering a variety of malware payloads. Rather than using phishing emails to drive traffic to a malicious site, compromised WordPress websites were used. Once access to the websites was gained, the threat actors used search engine optimization (SEO) techniques targeting specific search terms that are likely to be used by law firms. The SEO techniques ensured that the malicious websites appeared high in the search engine listings for searches for legal information online, especially legal contract templates.

Defending against watering hole attacks requires a defense-in-depth strategy that includes end-user security awareness training, web filtering to block access to known malicious websites, endpoint detection software, and spam filters. TitanHQ can help by providing several of these layers, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan DNS-based web filter, and SpamTitan email security.

For more information, give the TitanHQ team a call. Product demonstrations can be arranged on request, and all TitanHQ cybersecurity solutions are available on a no-obligation, 100% free trial.

How to Protect Against Web-based Malware Attacks

Cybercriminals use a variety of tactics, techniques, and procedures for distributing malware, and while email is one of the most common attack vectors, web-based malware attacks are becoming more common. In this article, we explore some of the ways that traffic is driven to malicious websites hosting malware and suggest ways that businesses can protect themselves against these attacks.

SEO Poisoning

SEO poisoning is the term given to the manipulation of search engine results to get malicious websites to appear high in the search engines for specific search terms, often those likely to be used by business users. Cybercriminals create a website/web page or compromise an existing website and create a page with malicious content. Cybercriminals often choose a domain name/page URL that is very similar to a brand that is being spoofed. Black hat search engine optimization techniques are used to trick search engines into ranking the page highly for a specific search term or set of search terms. Common techniques include keyword stuffing – adding many relevant keywords to the HTML and text; backlinking campaigns – adding many backlinks to a website from other websites such as via private link networks; cloaking – displaying different content to search engine crawlers than genuine visitors; and artificially increasing click-through rates. These techniques may be used for promoting phishing and other scams, but they are most commonly used for malware distribution. A visitor to the site will be offered a download related to their search term or they will otherwise be prompted to download a file that will silently install malware and give the attacker access to their device.

Search Engine Ad Abuse / Malvertising

It is easy to create a malicious website for malware distribution, but traffic needs to be driven to that website. Phishing emails are commonly used, but email filters are getting much better at detecting malicious hyperlinks. Instead, cybercriminals can drive traffic to malicious content via Google Ads and other search engine ad platforms or by adding malicious adverts to third-party ad blocks on legitimate websites. Many websites display these adverts as a way of generating additional revenue. While there are control mechanisms in place to prevent malicious adverts from being added to Google and Bing Ads and third-party ad networks, cybercriminals can get around these controls for long enough to drive considerable volumes of traffic to their malicious web pages. This technique is often referred to as malvertising (malicious advertising). Since these adverts appear above the search engine results or are otherwise displayed in a prominent position, they attract a lot of clicks. As with SEO poisoning, the web pages trick users into downloading a malicious file that installs malware.

Torrents and Warez Sites

SEO poisoning and malvertising usually require some user action to install malware. The user must be tricked into downloading and opening a file. One of the easiest ways to do this is to offer something a user wants to download, and ideally, something that requires them to open an executable file. Cybercriminals often bundle malware into executable files used to install pirated software or the product activators/cracks that are needed to generate valid license codes. Torrent sites are used for peer-to-peer file sharing, and often for distributing pirated games, software, videos, and music, with software commonly offered on ‘warez’ sites. Oftentimes the content being sought is installed when the files are downloaded, but malware is silently sideloaded during the installation process. The user gets the software, game, or app they want, and is unaware that malware has also been installed.

How to Protect Against Web-Based Malware Attacks

Assuming that you have an effective spam filter such as SpamTitan Plus for blocking malicious links in emails and antivirus software or other endpoint security solutions installed on each device, there are two main ways for protecting against malware attacks: security awareness training and web filtering.

Security Awareness Training

The importance of security awareness training cannot be overstated. If employees are not made aware of cyber threats and are not taught cybersecurity best practices, they cannot be expected to be able to identify and avoid threats and will likely engage in risky practices that could easily lead to a malware infection. Many employees mistakenly believe that they or their company will not be targeted; however, the reality is that businesses of all sizes are being attacked and employees are usually the easiest way to gain access to sensitive data and internal systems. Training needs to be an ongoing process, where knowledge is improved over time and employees are taught about the changing tactics used by cybercriminals to attack businesses. Training should be provided to all members of the workforce, including the CEO and C-suite and a good best practice is to provide an annual or bi-annual training session, with shorter training modules completed throughout the year. A few minutes each month completing training modules will help to ensure that employees are kept aware of the latest threats and it will help to keep cybersecurity fresh in the mind.

Web Filtering

All of the above techniques involve driving traffic to malicious websites. Training will help employees to recognize and avoid threats, but it is possible to prevent connections to malicious websites from being made with a web filter. A web filter is used to carefully control the web content that employees can access. Web filters typically have category-based filtering controls that can be used to block access to categories of web content that are illegal, undesirable, risky, or otherwise serve no work purpose.

Businesses can block access to torrents/warez sites by category, along with other risky sites. Web filters can be configured to block certain types of files from being downloaded from the internet, such as executable files. This will help to prevent malware delivery and shadow IT installations (software that has not been authorized by the IT department). Web filters are also updated with blacklists of known malicious websites and web pages. Any attempt to visit one of those resources will be blocked, and with a DNS-based web filter, the connection will be rejected without any content being downloaded.

How TitanHQ Can Help

Many thousands of businesses rely on TitanHQ cybersecurity solutions to protect against malware threats, phishing attacks, business email compromise scams, and other cyber threats. TitanHQ has developed the SpamTitan suite of email security products for blocking phishing, malware, and other email threats, the WebTitan DNS-based web filter for blocking Internet-based threats, and the SafeTitan security awareness training and phishing simulation platform for improving awareness of threats and teaching cybersecurity best practices. All TitanHQ solutions are intuitive, easy to implement, easy to maintain, and easy to use, and are available on a free trial to allow businesses to evaluate them in their own environment before deciding on a purchase. If you want to improve security, why not give the TitanHQ team a call for advice on the best solutions to meet your needs or sign up for a free trial of these solutions.

ChromeLoader Malware on the Rise: How to Prevent Infection

ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions and removing them can be problematic as users are denied access to the Google Chrome extension list to prevent the removal of the malicious extensions if they are discovered. These malicious extensions are used to deliver unwanted ads, and redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware can increase the attack surface of a system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo will perform unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying but can risk other malware infections. The malicious browser extension is also difficult to uninstall as the user will be prevented from accessing Chrome Extensions. If the user does manage to uninstall the adware, it will simply be reloaded when the device is rebooted via a Windows scheduled task. According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered.
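Because the extension is reinstalled by a scheduled task, reviewing task definitions is a practical way to find this kind of persistence. The following is an added example, not code from HP or TitanHQ: it triages exported Task Scheduler XML (the format `schtasks /query /xml` emits) for tasks that launch a script host at boot or logon. The sample tasks are constructed, and the signals are general triage heuristics chosen for this example, not ChromeLoader indicators.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}
# Heuristic (assumption): directories a standard user can normally write to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.IGNORECASE)


def _has_flag(tokens, full_name):
    """True if a token is -<prefix of full_name>; powershell.exe accepts
    abbreviated parameter names such as -enc for -EncodedCommand."""
    return any(t.startswith("-") and len(t) > 1
               and full_name.startswith(t[1:].lower()) for t in tokens)


def triage_task(xml_text):
    """Return a list of reasons a task deserves review (empty list = nothing flagged)."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    kinds = [c.tag.rsplit("}", 1)[-1] for c in (triggers if triggers is not None else [])]
    startup = sorted(k for k in kinds if k in STARTUP_TRIGGERS)

    reasons = []
    for action in root.iterfind("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip().strip('"')
        args = action.findtext("t:Arguments", "", NS)
        image = ntpath.basename(command).lower()   # parses Windows paths on any OS
        if image not in SCRIPT_HOSTS:
            continue
        tokens = args.split()
        signals = []
        if startup:
            signals.append("starts at " + "/".join(startup))
        if _has_flag(tokens, "encodedcommand"):
            signals.append("encoded command")
        if _has_flag(tokens, "windowstyle") and "hidden" in (t.lower() for t in tokens):
            signals.append("hidden window")
        if USER_WRITABLE.search(command + " " + args):
            signals.append("script path is user-writable")
        # A script host on its own is common in admin tasks; require another signal.
        if signals:
            reasons.append(f"runs script host {image}")
            reasons.extend(signals)
    return reasons


# --- Constructed sample tasks (not taken from any real infection) ---
TEMPLATE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = TEMPLATE.format(
    uri=r"\browser_assist", trigger="BootTrigger", command="powershell.exe",
    args=r"-WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\updater\run.ps1")
VENDOR_UPDATER_TASK = TEMPLATE.format(
    uri=r"\ExampleSoft\Update", trigger="LogonTrigger",
    command=r"C:\Program Files\ExampleSoft\updater.exe", args="/silent")
ADMIN_BACKUP_TASK = TEMPLATE.format(
    uri=r"\IT\NightlyBackup", trigger="CalendarTrigger", command="powershell.exe",
    args=r"-File C:\Scripts\backup.ps1")

if __name__ == "__main__":
    for name, xml_text in [("suspicious", SUSPICIOUS_TASK),
                           ("vendor updater", VENDOR_UPDATER_TASK),
                           ("admin backup", ADMIN_BACKUP_TASK)]:
        print(name, "->", triage_task(xml_text) or "not flagged")
```

Anything flagged still needs a human to check the referenced script; the point of the heuristic is to shrink the list of tasks worth opening.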

While ChromeLoader could be distributed in multiple ways, the primary method of delivery is via pirated software, so the easiest step to take to prevent infection is never to download pirated material and to only install software/operating systems from official sources. Businesses should implement controls to prevent illegal software downloads. These downloads carry a high risk of installing malware and pirated software is also a legal risk. Businesses should also implement controls to prevent the use of shadow IT – IT solutions that are installed without the knowledge of the IT department, as they can introduce vulnerabilities that can be exploited by malicious actors.

The IT department should have a list of all versions of software and operating systems used by the company. When patches or updates are released, the IT department will need to ensure that the company is running the latest versions. If the IT department is unaware that employees have downloaded programs, vulnerabilities could easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but it introduces considerable security and legal risks.

How to Prevent ChromeLoader Infections

One way that businesses can control shadow IT and prevent ChromeLoader infections is to use a web filter such as WebTitan Cloud. WebTitan Cloud is used to control access to the Internet. Categories of websites can be blocked such as torrents/warez sites, along with other risky websites that serve no work purposes. URLs and domains that are known to be malicious are blocked automatically. WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file downloads from the Internet, such as executable files that are used to install software (.msi, .iso, etc.) to control shadow IT, along with other executable files that are often used for malware installation (.js, .exe, etc.).
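The three controls described here and in the earlier web filtering section (domain blocklist, category blocking, and file-type blocking) can be combined into one policy decision. The sketch below is an added example and is not WebTitan's implementation or configuration; the domains, the category map, and the function names are constructed for illustration, and only the four file extensions come from the text.

```python
from email.message import Message
from urllib.parse import unquote, urlsplit
import posixpath

# Constructed policy data (assumptions for this example, not a product's configuration).
BLOCKED_DOMAINS = {"malicious-downloads.example"}            # known-malicious blocklist
DOMAIN_CATEGORIES = {"free-cracks.example": "torrents-warez",  # stand-in for a category feed
                     "news.example": "news"}
BLOCKED_CATEGORIES = {"torrents-warez"}
BLOCKED_EXTENSIONS = {".msi", ".iso", ".js", ".exe"}          # file types named in the text


def _self_and_parents(host):
    """a.b.example -> [a.b.example, b.example, example], so subdomains inherit a block."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def dns_decision(host):
    """Verdict available from the queried name alone, before any content is fetched."""
    host = host.strip().rstrip(".").lower()        # DNS names are case-insensitive
    for name in _self_and_parents(host):
        if name in BLOCKED_DOMAINS:
            return ("block", f"blocklisted domain {name}")
        if DOMAIN_CATEGORIES.get(name) in BLOCKED_CATEGORIES:
            return ("block", f"category {DOMAIN_CATEGORIES[name]}")
    return ("allow", "no DNS rule matched")


def _extension(filename):
    # Decode %2E-style escapes and drop trailing dots/spaces, which Windows
    # ignores, so "setup.exe." is still treated as an .exe.
    name = unquote(filename).strip().rstrip(". ").lower()
    return posixpath.splitext(name)[1]


def download_decision(url, content_disposition=None):
    """Verdict for a download, using the URL and (optionally) the response header."""
    parts = urlsplit(url)
    verdict = dns_decision(parts.hostname or "")
    if verdict[0] == "block":
        return verdict
    names = [posixpath.basename(parts.path)]
    if content_disposition:
        # The served filename can differ from the URL path (e.g. /download?id=5).
        msg = Message()
        msg["Content-Disposition"] = content_disposition
        names.append(msg.get_filename() or "")
    for name in names:
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            return ("block", f"file type {ext}")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    print(dns_decision("cdn7.Malicious-Downloads.example."))
    print(dns_decision("www.free-cracks.example"))
    print(download_decision("https://news.example/files/Setup.EXE"))
    print(download_decision("https://news.example/download?id=5",
                            'attachment; filename="tool.msi"'))
    print(download_decision("https://news.example/files/whitepaper.pdf"))
```

`dns_decision` needs only the hostname, which is why a DNS-level block happens before any content is downloaded; `download_decision` assumes the filter can also see the URL path and response headers.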

WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.

How to Improve the Effectiveness of Your Security Awareness Training

Cyberattacks on businesses have been increasing at an astonishing rate and attacks are becoming much more sophisticated. A successful attack can cause long-lasting problems for businesses due to the reputational damage caused, especially when sensitive customer data is stolen. Customers will be lost and may never return and lawsuits following successful cyberattacks are increasingly likely. That is on top of the disruption to business while remediating an attack and the potential for permanent loss of data.

Many businesses invest considerable money into technical cybersecurity measures and while these are important and will block many attacks, some will bypass those defenses and will reach employees. Employees are an important line of defense and they should not be neglected. Education of the workforce on security best practices and the threats they may encounter can be the difference between a thwarted attack and an extremely damaging data breach.

An increasing number of businesses are recognizing that security awareness training for employees is a good investment and can significantly improve their security posture, but simply providing a training course to employees may not provide the expected benefits. You must make sure the training is effective to get a good return on your investment.

Security awareness training is important because cybercriminals usually target an organization’s employees. The Verizon Data Breach Investigation Report suggests 82% of data breaches involve the human element, which includes responses to phishing emails, misconfigurations, and other mistakes that can open the door to hackers. Through security awareness training, bad security practices can be reduced and employees can be trained to be more security aware and taught how to identify the telltale signs of phishing emails and other types of cyberattacks.

Security Awareness Training Tips to Make Training More Effective

Many security awareness training programs are not as effective as they should be, so to get the best bang for your buck you should consider the following.

Create a baseline against which progress can be measured

If you have yet to start providing security awareness training, make sure you create a baseline against which you can measure the success of the training program and ensure you continue to record metrics that allow you to measure progress. Keep records of training, who has completed each module, test results, the number of security incidents that you experience, and phishing simulation metrics.

Provide ongoing training

Security awareness training should be provided to all new hires as part of the onboarding process but don’t stop there. Even an annual training session is not sufficient. Training needs to be an ongoing process provided throughout the year. Only through continuous training are you likely to develop a security culture and be able to keep employees up to date on the latest threats.

Tailor the training to individuals

A one-size-fits-all training course is unlikely to be effective. Your workforce will consist of people that learn in different ways and have different levels of understanding about security, so your training content should reflect that. Staff members well versed in security will likely get bored by basic courses, while if courses become too advanced too quickly, people will get left behind. You should also provide training based on the threats employees will likely encounter – those threats will be different for different roles.

Use a professional training course

You can develop a training course from scratch, but it will require a lot of effort to make sure it is effective for all employees, and then ensure it is kept up to date with the latest threat intelligence. You will likely have far greater success if you use a training solution provided by a cybersecurity company that has put the time and effort into making quality, engaging, fun, and gamified content, regularly updates that content, and provides a platform that allows training to be largely automated.

Ensure the training is engaging

Try to avoid classroom sessions where you explain threats and teach best practices. Also ensure that training is provided in manageable chunks that can be easily assimilated. Training should be engaging, interactive, and enjoyable, and should include a mix of training materials, including multimedia content, quizzes, and exercises.

Conduct phishing simulations

Ensure that the training process includes phishing simulations. These will allow you to measure how effective the training is and how people improve over time. Phishing simulations allow you to test to see whether training is being applied in the workplace and will identify individuals who require further training. Phishing simulations give employees practice at identifying phishing attempts and prepare them properly for real threats.

Provide training to everyone

Anyone can encounter a threat, and the CEO and board members are often targeted by cybercriminals as they have access to the most valuable data. Providing training to all will also help with the development of a security culture and employees are more likely to take training seriously if they know that everyone in the company must go through the same training process.

Security Awareness Training and Phishing Simulations from TitanHQ

TitanHQ has developed a comprehensive security awareness training program called SafeTitan to help organizations develop a security culture and change employee behavior. The platform includes an extensive library of training content, split into small modules that are easy to fit into busy workflows. The content is interactive, gamified, and engaging to improve knowledge retention and allows training to be tailored to different abilities and roles.

The platform also includes a phishing simulation platform for ongoing testing against specific phishing threats, and the platform will automatically deliver training in real-time in response to security mistakes by employees, ensuring training is provided where it is needed most at the time when it is most likely to be effective.

For more information about improving security awareness through SafeTitan, give the TitanHQ team a call and take a big first step toward creating a security culture in your organization.

Search Engine Poisoning for Malware Distribution

There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One of the ways search engine poisoning is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for key search terms, but since the queries typically targeted have little competition, it is quite easy to get pages appearing high up in the organic search engine listings. Attackers typically target low volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download the content, they can easily be tricked into downloading a malicious file. Oftentimes the user will get the file they are looking for but will silently install malware when the file is opened.

Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.

Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will be executed silently which will install malware.

The domain names used closely mirror those used by the legitimate brand, and typically include the brand name with additional characters or words to make it appear that the domain is official. The file downloads are usually signed with invalid certificates, and while invalid, have been issued to recognizable brands. If the warning signs are ignored and the installation file is executed, malware will be installed.
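Domains built from a brand name plus extra characters or words can be spotted in DNS or proxy logs before anyone downloads from them. The following is an added example, not part of the original article: the brand inventory, log format, and domain names are constructed, and the matching rules are one reasonable heuristic rather than a complete detector.

```python
import re

# Constructed inventory (assumption): brand token -> domains the brand really owns.
BRANDS = {"examplesoft": {"examplesoft.example"}}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute = 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (brand, reason) if the hostname imitates a known brand, else None."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    # Naive registrable domain = last two labels. Production code should use the
    # Public Suffix List so names under suffixes such as co.uk split correctly.
    registrable, sld, subdomains = ".".join(labels[-2:]), labels[-2], labels[:-2]
    for brand, official in BRANDS.items():
        if registrable in official:
            return None                      # the real site or one of its subdomains
        if sld == brand:
            return (brand, "brand name under a different TLD")
        if brand in sld:
            return (brand, "brand name plus extra characters or words")
        if any(brand in label for label in subdomains):
            return (brand, "brand name as subdomain of an unrelated domain")
        limit = 2 if len(brand) >= 8 else 1  # tolerate fewer edits for short names
        if any(levenshtein(word, brand) <= limit for word in re.split(r"[-_]", sld)):
            return (brand, "near-miss spelling of brand name")
    return None


def scan_dns_log(lines):
    """Parse 'timestamp client qname' lines and return (client, qname, reason) hits."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue                         # skip malformed lines
        _, client, qname = fields
        hit = classify(qname)
        if hit:
            findings.append((client, qname, hit[1]))
    return findings


# Constructed DNS query log for illustration.
SAMPLE_LOG = """\
2023-06-01T09:00:01Z 10.0.0.5 www.examplesoft.example
2023-06-01T09:00:07Z 10.0.0.5 examplesoft-download.example
2023-06-01T09:01:12Z 10.0.0.8 examp1esoft.example
2023-06-01T09:02:30Z 10.0.0.9 examplesoft.cdn-files.example
2023-06-01T09:03:00Z 10.0.0.9 news.example
""".splitlines()

if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname}: {reason}")
```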

The key to defending against these attacks is to prevent these malicious files from being downloaded, and ideally, prevent users from visiting the malicious websites. The early stages of the attack can be blocked with an ad blocker or web filter. A web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker will only block the adverts and will not block search engine poisoning in the organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files will help IT teams to control shadow IT – unauthorized software installations.

These methods of malware distribution should also be covered in security awareness training. Businesses should teach their employees security best practices and make them aware of risks such as phishing and email-based attacks, and search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to improve human defenses, which is vital as the majority of cyberattacks are the result of human error.

TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.

AI Chatbots are Being Used to Create Perfect Phishing Emails

Identifying phishing attempts used to be fairly straightforward for end users. The messages often contained grammatical errors and spelling mistakes that had been inadvertently included. Phishing campaigns are often conducted by individuals who do not speak English as a first language, so errors will inevitably be made, and it is those errors that make it fairly easy for people to spot a phishing attempt.

Those errors may soon become a thing of the past thanks to artificial intelligence tools such as ChatGPT. ChatGPT and other large language model AI tools can be used to create perfect English (or other languages) and therefore convincing text for use in phishing and social engineering attacks. Evidence is growing that these tools are being adopted by malicious actors to create phishing content that is indistinguishable from the content that a human could create, and in many cases, it is even better.

Europol has recently issued an alert about the malicious use of these AI tools for phishing and warned that the problem is likely to get worse. It is not just a case of being able to draft a grammatically correct email devoid of spelling mistakes, but that these AI chatbots can write emails in whatever style the threat actor wants, including in an authoritative tone as one would expect from an official government communication.

The biggest threat is likely to be highly targeted emails – spear phishing. Spear phishing has a far higher success rate than standard phishing attempts, as emails are carefully crafted to attack a very small number of individuals. That requires considerable research to ensure that the scam is convincing and the email will likely be opened and the request followed. The ability of AI tools to create spear phishing emails should not be underestimated. The messages these tools can generate can be exactly what a threat actor needs and the process can be largely automated, which means a higher success rate and more attacks.

These tools are significantly lowering the barrier of entry for conducting phishing attacks, and while there are restrictions in place to prevent the malicious use of these AI tools, they are being bypassed. If you ask ChatGPT directly to write a phishing email, it will refuse, but the phishing content can still be created if the request is less direct. The cybersecurity firm Darktrace says it has found evidence of phishing emails increasingly being written by chatbots, and not only does that make it easier for cybercriminals to create convincing messages, it also allows much longer messages to be created than was previously possible. The company reports that phishing email volume is down, which it suggests could be due to threat actors being able to write better, more linguistically complex emails and opt for quality over quantity. Chatbots have also been used to write malicious scripts that could be used as ransomware or for information-stealing malware. Researchers have created examples of both using the engine that powers ChatGPT. Europol paints “a grim outlook” as phishing emails will become a lot harder for people to identify. Tools have been developed that are capable of detecting AI-written content but they are not reliable and as AI chatbots become more advanced, these tools will likely become even more unreliable.

So while the outlook may not be too good, the advances in AI technology mean businesses will need to up their game and that means ensuring that they provide security awareness training to the workforce and keep them abreast of the changing tactics used by threat actors. Training should also emphasize that employees should not implicitly trust any communication and should assume that it might be a scam. Training should cover security best practices, and businesses will need to improve their technical defenses and implement further solutions to identify and block the various stages of a phishing attempt, such as advanced spam filtering (SpamTitan includes an AI-based component for detecting phishing attempts), a web filter, and multi-factor authentication, and ensure that patches are applied promptly and all software is kept up to date.

Rig Exploit Kit Delivering Malware with Highest-Ever Success Rate

Exploit kits are no longer as popular as they once were, but they are still being used as a vehicle for distributing malware. An exploit kit is a program loaded on an attacker-controlled website that is able to scan for vulnerabilities when visitors land on the site and exploit those vulnerabilities to silently deliver malicious payloads. Exploit kits were first detected in 2006 and were once one of the most common ways that malware was distributed, typically exploiting vulnerabilities in browsers and browser applications such as Adobe Flash, Microsoft Silverlight, Java, and Active X to deliver information stealers, remote access Trojan’s and ransomware.

Since 2017, exploit kits have been in decline, in a large part due to Adobe Flash reaching end-of-life. Adobe Flash vulnerabilities were among the most exploited vulnerabilities. Today, exploit kits are still used for distributing malware, most commonly crypto-mining malware, although under the exploit-kit-as-a-service model, they are used to deliver a variety of payloads.

Today, some of the most successful exploit kits are fileless. They write no files to disk; instead, they load malicious code into memory. Traffic to these exploit kits is most commonly generated through malvertising – malicious adverts displayed on legitimate websites, either through the third-party ad blocks that website owners use to increase revenue or through compromised websites.

In recent years, the RIG exploit kit has been one of the most successful. The RIG exploit kit first appeared in 2014 and was active until 2017, when a coordinated operation led by RSA Research successfully shut down and removed its infrastructure. According to the researchers who were part of that takedown, the operators of RIG had successfully hacked hundreds of hosting accounts – mostly on GoDaddy – and hid their malicious code inside hidden subdomains – shadow domains – to avoid detection. The RIG exploit kit was loaded onto tens of thousands of active shadow domains. The operators are thought to have gained access to those hosting accounts by conducting phishing attacks to steal credentials and through brute force attacks on hosting accounts with weak passwords.

A compromised site has malicious code injected that loads JavaScript from a malicious domain. When a visitor lands on the site, a check is performed to see if the user should be targeted – such as being in the right geographical region – then the exploit will be loaded. If successful, malicious code will be written to the user’s disk and executed, and the code will deliver the required payload. Exploit kits are offered to cybercriminal groups under the exploit-as-a-service model, where they either rent access or pay to have their payloads delivered. Attacks are automated and aside from a user visiting a malicious website hosting the exploit kit, no user interaction is required to deliver malware.

The RIG exploit kit was rebuilt after the takedown and was resurrected in 2021, then temporarily shut down, before returning in 2022 with a new exploit arsenal. According to researchers at the cybersecurity firm PRODAFT, the RIG exploit kit has never been more successful, achieving a successful exploitation rate of 30% in 2022. The exploit kit is being updated weekly or monthly with new exploits and has been used to deliver a range of payloads including banking Trojans such as Dridex and IcedID, information stealers such as Raccoon Stealer and AZORult, malware downloaders such as WastedLoader, and ransomware such as Royal. The most successful recent exploit was for the Internet Explorer vulnerability – CVE-2021-26411. RIG remains highly active, with the researchers reporting a 22% successful exploitation rate in the past two months.

Exploit kits exploit vulnerabilities in browsers and browser applications, so the best defense is to ensure browsers are kept up to date; however, employees often install browsers and plug-ins without the knowledge of the IT department, and these may never be updated. As an additional protection, businesses should consider a web filter, which can block the adverts that drive traffic to malicious websites, block access to those sites through filtering controls, and also block malware downloads.

Review Your Cybersecurity Strategy to Ensure it is Still Effective

There has been an increase in the use of information-stealing malware by cybercriminals. Info stealers are typically installed to steal a range of sensitive data from a user’s device, such as system information, usernames and passwords, and cryptocurrency wallets. Infostealers typically have keystroke logging capabilities, allowing usernames and passwords to be obtained, which are then exfiltrated to the attacker’s command and control server, allowing the user’s accounts to be accessed.

In 2022, cybercriminals increasingly used these types of malware in their attacks on businesses. The latest information stealers have been developed specifically for this purpose and instead of targeting individual accounts, they are being used for much more extensive attacks on businesses, stealing system information and session cookies that allow multifactor authentication controls to be bypassed.

If the malware is installed, changing passwords will have little effect, as the attacker will already be in the system. Multifactor authentication can prevent stolen credentials from being used to access accounts, but modern malware is capable of stealing session cookies allowing accounts to be accessed. While multifactor authentication is important, it is not effective if the system has already been compromised. Further, phishing kits are now used that are capable of obtaining session cookies and bypassing multifactor authentication.

Phishing attacks have also become more sophisticated and it is now common for a wide range of malicious attachments to be used for distributing malware and directing users to malicious websites. While Office documents are commonly used, now compressed files, ISO files, ZIP files, OneNote files, image files, HTML files, and more are used for malware distribution, many of which are not blocked by email security solutions. To protect against these new malware variants and multifactor authentication-bypassing phishing attacks, businesses need to rethink their protections.

An email security solution is required to block malware delivery via email and identify and block the phishing emails that are used for credential theft. Email security solutions will block previously seen phishing emails, and are regularly updated with the latest threat intelligence; however, many are not effective at detecting zero-day threats. An email security solution with machine-learning capabilities is required to block more of these new threats, and for malware protection, sandboxing is required in addition to standard antivirus protection. Any attachments that pass AV inspection – which looks for signatures of known malware – are sent to the sandbox for behavioral analysis. This allows zero-day malware threats to be identified and blocked. SpamTitan has AI/machine learning capabilities and provides AV protection and sandboxing.

Even advanced email security solutions such as SpamTitan should not be used in isolation, as no email security solution will block every threat. Email security solutions will massively reduce the number of malicious emails that are delivered to inboxes, but will not block SMS-based phishing attacks and web-based attacks. One way of improving protection is to use a web filter. A web filter is used to carefully control access to the Internet and can restrict access to websites that serve no work purpose. Web filters are updated with the latest threat intelligence and will block access to known malicious websites, and can be configured to block downloads of risky files from the Internet. They will also significantly improve protection against malicious hyperlinks in emails, providing time-of-click protection. WebTitan Cloud is one of the easiest web filters to implement, and can be set up in just a few minutes and will protect against cyberattacks over the Internet.

Multifactor authentication is important and will protect against the majority of automated attacks on accounts, but not all MFA is the same. The latest phishing kits can steal session cookies and bypass multifactor authentication controls. Businesses should consider implementing phishing-resistant MFA based on FIDO standards, as this will provide a much higher degree of protection.

An often neglected layer of security is security awareness training. Businesses are increasingly realizing the importance of security awareness training and more businesses now provide training to their employees, but providing once-a-year training sessions is not enough. Security awareness training needs to be regular if it is to be effective, so training courses should run continuously throughout the year. A modular course that delivers training every month in short sessions will be far more effective than a once-a-year training session. Businesses should also provide targeted training, with training courses developed based on an individual’s role and the threats they are likely to encounter. Phishing simulations should also be conducted to identify areas where training is not proving to be effective and to allow targeted training to be provided to individuals who fail to recognize threats. TitanHQ can help in this area through the SafeTitan security awareness training and phishing simulation platform.

With cyberattacks increasing in number and sophistication, there is no better time to revise your defenses than now. For more information on how you can improve your defenses against phishing, malware, business email compromise, and other cyberattacks, give the TitanHQ team a call.

QBot Malware Distributed via SVG Files and Hijacked Message Threads

A phishing campaign has been detected that is being used to deliver QBot malware, one of the oldest malware families still in use. QBot malware has been around since at least 2009 and is known by many different names, including QakBot, QuackBot and Pinkslipbot. One of the primary functions of the malware is to steal passwords, although the latest variants also serve as a backdoor into victims’ systems. As is the case with many other Trojan malware variants, the group operating the malware works as an initial access broker for ransomware gangs. After the gang has achieved its aims, access to compromised devices is sold to ransomware gangs.

The threat actors behind QBot malware have previously worked with the operators of the Emotet botnet, and used the Emotet malware for delivering QBot; however, the law enforcement takedown of the Emotet botnet in January 2021 forced the group to switch attack vectors, and since then QBot malware has been primarily distributed using phishing emails. Now the group has been observed using a new tactic in its phishing campaigns that use Scalable Vector Graphics (SVG) files.

SVG files have become popular due to their ability to support interactivity and animations and are a web-friendly XML-based vector file format. It is the support for interactivity that makes SVG files a good choice for malware distribution. SVG files can include HTML tags, and JavaScript can be included in the <script> tags in the image. In this case, the JavaScript is malicious. The phishing campaign involves emails that have an HTML attachment, which loads an SVG file from the Internet. The SVG image will be specified within an <embed> or <iframe> tag and will be displayed, but the JavaScript in the image will also be executed.

In this campaign, the JavaScript within the SVG image assembles the malware directly on the user’s device, instead of downloading the malware from the Internet, as that would risk detection by security solutions. The malware is packaged into a ZIP file that is password protected, so antivirus solutions cannot scan the content. The user is provided with the password to open the zip file in the HTML. The user is told that if the file is not displayed correctly, they will need to open the downloaded file, which will trigger the installation of QBot, bypassing traditional network defenses.
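The delivery chain described above leaves traits a mail gateway can check before an attachment reaches the user. The following is an added example, not code from the article or from any vendor: it parses an HTML or SVG attachment with Python's standard library and reports script elements inside SVG, event-handler attributes, `javascript:` URLs, remote SVG loads through `<embed>`/`<iframe>`, and long base64 runs inside scripts. The sample inputs, host names, finding labels and the block/review policy are constructed assumptions.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = ("src", "href", "xlink:href", "data")
LOADER_TAGS = ("embed", "iframe", "object", "img")
# A long base64 run inside a script suggests a file being assembled client-side.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
REMOTE_SVG = re.compile(r"https?://[^?#]+\.svg(?:[?#]|$)")
# Findings that block outright (assumed policy); anything else goes to review.
BLOCK_ON = ("script-in-svg", "remote-svg-load", "javascript-url", "event-handler:")


class ActiveContentScanner(HTMLParser):
    """Records active-content findings while parsing HTML or SVG markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()
        self._svg_depth = 0       # > 0 while inside an <svg> element
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self._svg_depth += 1
        elif tag == "script":
            self._in_script = True
            self.findings.add("script-in-svg" if self._svg_depth else "script-in-html")
        for name, value in attrs:
            compact = re.sub(r"\s+", "", value or "").lower()
            if name.startswith("on"):            # onload, onclick, ...
                self.findings.add("event-handler:" + name)
            if name in URL_ATTRS:
                if compact.startswith("javascript:"):
                    self.findings.add("javascript-url")
                if tag in LOADER_TAGS and REMOTE_SVG.match(compact):
                    self.findings.add("remote-svg-load")

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_depth:
            self._svg_depth -= 1
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and B64_BLOB.search(data):
            self.findings.add("base64-blob-in-script")


def scan_attachment(markup):
    """Return the sorted list of findings for one attachment's text."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return sorted(scanner.findings)


def verdict(findings):
    """Map findings to an action: block, review or allow."""
    if any(f.startswith(BLOCK_ON) for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed samples. The script body is an inert string assignment.
HTML_ATTACHMENT = """<html><body>
<p>If the file is not displayed correctly, open the downloaded file.</p>
<embed src="https://files.example.invalid/scan.svg" type="image/svg+xml">
</body></html>"""

SVG_WITH_SCRIPT = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10"/>
<script type="text/javascript"><![CDATA[
var part = "%s";
]]></script>
</svg>""" % ("QUFB" * 60)

STATIC_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for label, sample in (("html", HTML_ATTACHMENT), ("svg", SVG_WITH_SCRIPT),
                          ("static", STATIC_SVG)):
        found = scan_attachment(sample)
        print(label, verdict(found), found)
```

A static SVG produces no findings, so ordinary vector images pass; only markup that can execute or pull in remote content is held.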

One of the ways that these campaigns can be identified and avoided is through security awareness training for the workforce to educate employees about the risks of opening files sent via email. One of the standard tenets of security awareness training has been to tell employees not to open files in unsolicited emails or from unknown individuals. That advice is not particularly helpful, as employees are often required to open emails from unknown individuals or unsolicited messages as part of their jobs, and in this case, that advice would not be effective.

QBot, like Emotet, is capable of hijacking message threads on infected devices and inserting its malicious content. In this campaign, a previous email correspondence is hijacked, text is inserted, and the message is sent. That text is simple, yet effective: “Good afternoon, Take a look at the attached file. Thanks.” The email will have been sent from a genuine email address, the individual is known to the recipient, and the email is not unsolicited as there has been a previous conversation. The only clue that the message is not a genuine reply is that the email conversation is old; in this case, from two years ago.
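Because the age of the thread is the one reliable clue, it can be checked mechanically. The following is an added example, not part of the original article: it assumes the mail gateway keeps an index of Message-IDs it has seen and that the hijacked reply carries an `In-Reply-To` header, and it flags a reply that revives a long-dormant thread while carrying an attachment. The addresses, Message-IDs, dates, the `build` helper and the 180-day threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import format_datetime

STALE_AFTER = timedelta(days=180)   # assumption: tune to normal reply latency


def build(msg_id, when, parent=None, attachment=None):
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"] = "colleague@partner.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Re: Q4 figures" if parent else "Q4 figures"
    m["Date"] = format_datetime(when)
    m["Message-ID"] = msg_id
    if parent:
        m["In-Reply-To"] = parent
    m.set_content("Good afternoon, Take a look at the attached file. Thanks.")
    if attachment:
        m.add_attachment("<html></html>", subtype="html", filename=attachment)
    return m.as_string()


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def remember(raw, index):
    """Record a delivered message so later replies can be dated against it."""
    msg = parse(raw)
    index[str(msg["Message-ID"]).strip()] = msg["Date"].datetime


def check_reply(raw, index):
    """Return thread age and attachment names, or None if the parent is unknown."""
    msg = parse(raw)
    parent_date = index.get(str(msg["In-Reply-To"] or "").strip())
    if parent_date is None:
        return None   # not a reply, or the parent never passed through here
    age = msg["Date"].datetime - parent_date
    names = [part.get_filename() for part in msg.iter_attachments()]
    return {
        "thread_age_days": age.days,
        "attachments": names,
        # Old thread revived AND a file attached: hold for review.
        "suspicious": age > STALE_AFTER and bool(names),
    }


if __name__ == "__main__":
    utc = timezone.utc
    seen = {}
    remember(build("<orig-1@partner.example>", datetime(2020, 11, 2, 9, 0, tzinfo=utc)), seen)
    revived = build("<reply-9@partner.example>", datetime(2022, 12, 12, 9, 0, tzinfo=utc),
                    parent="<orig-1@partner.example>", attachment="scan.html")
    print(check_reply(revived, seen))
```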

It is important to provide security awareness training to the workforce but in order to be effective, the training needs to be ongoing and should include examples of the latest phishing techniques, such as this technique for distributing QBot.

5 Reasons Why You Should Conduct Phishing Simulations on Employees

Cybersecurity experts agree that security awareness training is an important part of any cybersecurity strategy. You can implement next-generation technology to repel malicious actors and prevent and rapidly detect cyberattacks, but it is important not to forget about the human element. According to the Verizon 2022 Data Breach Investigations report, 82% of all data breaches involve the human element. Through training, you can teach cybersecurity best practices and reduce risky behaviors that open the door to hackers, and you can train employees how to identify phishing.

The percentage of companies providing security awareness training to their employees is increasing as the importance of training is now better understood, but one aspect of the training process that is often neglected is conducting phishing simulations on the workforce. Phishing simulations are fake but realistic phishing emails that businesses send internally to employees. You may wonder why you should do such a thing. Well, there are clear benefits that come from doing so. Here we provide five reasons why conducting phishing simulations on employees is beneficial.

1.   Create a Baseline to Measure the Effectiveness of your Training

Many companies provide security awareness training but are unable to measure its effectiveness, other than a reduction in data breaches and phishing incidents. Phishing simulations are a great way to monitor the effectiveness of training over time and clearly show the return on investment. Conduct phishing simulations before you start your training program and you have a baseline against which you can measure the effectiveness of training over time and see the ROI.

2.   Test the Effectiveness of Training in a Work Setting

You can show an employee the signs of phishing that they need to look out for, and you can test to make sure they have understood the training at the end of the training course, but that does not mean the training will be remembered nor that it will be applied when they are at work. Phishing is often successful because the emails arrive in inboxes when employees are busy, and that is why mistakes are made. Phishing simulations allow you to test whether training is being applied and whether it is proving to be effective.

3.   Identify Weak Links

While most employees will take the training on board, will take greater care, and will follow the security best practices they have learned, there will always be employees who do not. Phishing simulations allow you to identify the weak links and take proactive action to address the problem before the employee falls for a real phishing email. A failed phishing simulation is an opportunity for intervention training. You can deliver training instantly in response to the problem, and provide a specific training course relevant to the mistake that was made. Providing relevant training at the point when the error is made is the most effective way of eradicating risky behaviors.

4.   Practice Makes Perfect

You should not expect every employee to become a security Titan the second they complete their training course. They will not be able to instantly identify every phishing threat. It takes time to build up security awareness and create a security culture. Phishing simulations are a great way to do this. They give employees practice at identifying phishing threats in a safe setting. When a real threat arrives in their inbox, they will be much more likely to be able to identify the malicious message.

5.   Identify Weaknesses in the Training Course

Phishing simulations identify human weaknesses to allow further training to be provided, but they also identify problems with the training course. If you send a phishing simulation that a large number of employees fail, that is likely to indicate a problem with the training course – a type of threat that you have not covered sufficiently well. You can then update your training course to ensure that specific threat is properly explained.

SafeTitan from TitanHQ

TitanHQ has developed a comprehensive security awareness training solution for businesses called SafeTitan. The platform includes an extensive library of training content on all aspects of security, with the courses divided into short computer-based training modules of no more than 10 minutes, which makes them easy to fit into busy workflows.

The training content is fun, gamified, and engaging, and is proven to help eradicate risky security practices and reduce susceptibility to phishing attempts. The platform includes a phishing simulator for testing whether employees can recognize phishing attempts – the most common way that cybercriminals attack businesses. Phishing simulation data shows susceptibility to phishing attacks can be reduced by up to 80% with SafeTitan.

If you have yet to provide security awareness training to your workforce and are not conducting phishing simulations, the ideal time to start is now. Contact TitanHQ today for more information or sign up for a free trial of the solution and put it to the test before deciding on a purchase.

Common Web-Based Attacks That You Should Be Protecting Against

Cybercriminals have a diverse arsenal for conducting attacks. Phishing is a leading attack vector used by ransomware gangs, nation-state threat actors, and other cybercriminals, and even the protection provided by multifactor authentication is now being bypassed in some sophisticated campaigns. Unpatched vulnerabilities are often exploited to gain access to networks, then there are brute force attacks to guess weak credentials, but many attacks are conducted over the web.

Common Web-Based Threats

Malicious adverts are added to advertising networks, which see the adverts displayed in the third-party ad blocks on many of the most popular websites. Termed malvertising, these adverts redirect users to malicious websites where malware is downloaded or to phishing content. The adverts often advertise fictitious software solutions, which users are tricked into downloading and installing. Oftentimes, genuine programs are installed, albeit with malware installed in the background.

Despite the controls Google has in place for detecting malicious content, some malicious ads are displayed in the search engine listings. These malicious adverts are displayed at the top of the Google listings, so can attract considerable traffic. In the fall of 2021, one such campaign targeted cryptocurrency investors, and saw losses incurred of more than $500,000 before Google detected and removed the malicious adverts from its Google Ads platform.

Malicious websites are also displayed in the search engine listings for specific business searches, with SEO poisoning techniques used to get the sites to appear high up in the listings. These websites may only have a short shelf life before they are detected and removed from the listings, but they are added in such volume that they do pose a significant risk. These campaigns are commonly used for distributing malware, with users tricked into thinking they are downloading the content or program they have been searching for.

Another common web-based attack involves pirated software and copyright-infringing material that is added to peer-to-peer file-sharing networks, where the user is tricked into installing the malware in the belief they are getting licensed software for free. The product activators or cracks used for generating license codes often install malware in the background. Users may get the genuine software they are seeking, but malware is silently installed in the background.

Another tried and tested web-based attack – which has been used by cybercriminals for almost as long as the web itself – is known as typosquatting or URL hijacking. Typosquatting targets careless typists. The threat actor registers a swathe of domains that are very similar to the domains used by the brands they are spoofing. These domains often have transposed letters, such as Microsfot.com, or are registered with missing or additional letters.

These websites do not need to appear in the search engine listings as they target people who type the website into the address bar. Since these websites may look almost identical to the sites they spoof they can be very convincing. These campaigns are especially effective for targeting mobile users, as misspellings are much easier to make on mobile phones and users are much less likely to check the URL after typing.

Last weekend, a massive typosquatting campaign was discovered that included more than 200 separate domains, each of which was a clone of the brand being spoofed or a very close approximation. The domains included common misspellings and typos of 27 different brand names, including PayPal, Snapchat, Google Wallet, the Tor Project browser, and TikTok. In this campaign, the goal was to trick visitors into downloading Windows or Android malware – a banking Trojan called ERMAC that targets accounts and cryptocurrency wallets.
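The lookalike patterns described above (transposed, missing or additional letters) are exactly the single edits counted by the optimal string alignment distance, so a defender can screen DNS query logs or new-registration feeds against a list of protected brands. The following is an added example, not part of the original article: the brand list is drawn from names mentioned on this page, every observed host except Microsfot.com is constructed, and taking the label left of the TLD as the registrable name is a simplifying assumption that ignores multi-part public suffixes.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    swap of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete from a
                         cur[j - 1] + 1,       # insert into a
                         prev[j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def registrable_label(host):
    """Label left of the TLD (assumption: single-label public suffix)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(label, brand):
    """Name the single edit that turns the brand into the label, else None."""
    if label == brand or osa_distance(label, brand) != 1:
        return None
    if len(label) == len(brand) + 1:
        return "additional letter"
    if len(label) == len(brand) - 1:
        return "missing letter"
    differing = sum(1 for x, y in zip(label, brand) if x != y)
    return "transposed letters" if differing == 2 else "substituted letter"


def find_typosquats(hosts, brands, min_len=5):
    """Return (host, brand, kind) for every host one edit away from a brand.
    Brands shorter than min_len are skipped: one edit on a short name
    matches too many unrelated words."""
    hits = []
    for host in hosts:
        label = registrable_label(host)
        for brand in brands:
            if len(brand) < min_len:
                continue
            kind = classify(label, brand)
            if kind:
                hits.append((host, brand, kind))
    return hits


BRANDS = ["microsoft", "paypal", "snapchat", "tiktok"]

# Constructed sample of observed host names (first entry is the article's example).
OBSERVED = [
    "Microsfot.com",
    "www.paypall.example",
    "snapcht.example",
    "tiktak.example",
    "tiktok.com",
    "intranet.example",
]

if __name__ == "__main__":
    for host, brand, kind in find_typosquats(OBSERVED, BRANDS):
        print(f"{host}: lookalike of {brand} ({kind})")
```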

These are just a few examples of web-based attacks and despite the risks posed by these types of attacks, many businesses do not have the cybersecurity solutions in place to detect and block these threats. Security awareness training will go a long way toward improving defenses against these attacks and should be provided regularly to the workforce. Businesses should also consider implementing a web filter.

A web filter is a software solution that allows businesses to control the content their users can access, like a parental control filter that prevents minors from accessing age-inappropriate content. The web filter is fed extensive threat intelligence from a global network of endpoints. When a malicious site is detected, it is added to the blocklist and any attempt to connect to the site will be prevented.

Web filters such as WebTitan Cloud, TitanHQ’s DNS-based web filter, will also perform scans of websites and score the sites on their potential to be malicious. This provides protection against new URLs that have yet to be detected as malicious. WebTitan Cloud can also be configured to block downloads of certain file types, such as executable files that are used to install “shadow IT” – software unauthorized by the IT department – and malware. Content can also be blocked by category, to help improve productivity and prevent access to inappropriate web content such as pornography.

Importantly, WebTitan Cloud protects businesses from all of the above web-based attacks. For more information on web filtering, to arrange a product demonstration, or to sign up for a free trial of the solution, give the TitanHQ team a call.

Erbium Malware: Dangerous New Information Stealer Being Distributed via Warez Sites

A dangerous new malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium malware is an information stealer with extensive functionality, which is offered under the malware-as-a-service (MaaS) model.

MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription. The MaaS operator provides detailed instructions on how to conduct attacks, which means the malware can be used without having to become a programming expert. In fact, many MaaS operations make conducting attacks incredibly easy, requiring little in the way of technical skill. After signing up to use the malware, it can be operated via the web-based UI, where users can access the data stolen by the malware. Oftentimes, live chat is available to help resolve any issues.

Currently, one of the most popular information stealers available under the MaaS model is the RedLine Stealer, which is a highly capable malware variant that can be purchased or rented under a subscription model. The malware can steal information from browsers such as autocomplete data and saved credentials, steal from FTP and IM clients, and from cryptocurrency wallets. The latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive.

Erbium malware is disrupting the market, offering broadly the same capabilities as RedLine but for a fraction of the cost. Initially, Erbium malware was being advertised at just $9 per week, although due to the popularity of the malware the price was increased to $100 per month. Even with the increase, the malware is far cheaper than RedLine, and based on user feedback, it is proving very popular with the cybercrime community.

Erbium malware is a work in progress, but it already has extensive capabilities. The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed on web browsers and attempts to steal from a wide range of cold desktop cryptocurrency wallets. The malware can also steal 2FA authentication codes from EOS Authenticator, Authy 2FA, Authenticator 2FA, and Trezor Password Manager, and steal Steam and Discord tokens, and Telegram auth files. The malware can profile the host and exfiltrate data via its API system to the command-and-control server. Users can log in to the UI and get an update on infections and access their stolen data.

As is quite common, the malware is distributed via fake software, fake cracks, and cheats for video games, so the best way to prevent infection is not to download these, and to only download software from reputable sources. Businesses can take additional steps to reduce risk, with the best defense being a web filtering solution.

Web filters are fed threat intelligence and incorporate blacklists of known malicious websites, such as sites used for distributing malware. They can also be configured to block access to certain categories of websites, such as warez sites and peer-to-peer file sharing networks, where pirated software, cracks, and product activators are made available.

Web filters allow businesses to enforce their acceptable internet usage policies and block web-based attacks, such as phishing, and malware downloads over the Internet, with WebTitan Cloud one of the easiest web filters to implement and use. WebTitan Cloud takes just a few minutes to set up and configure, and requires no technical skill to operate. Users can gain full visibility into the online activities on the network, including real-time views of Internet access, and can easily block malware downloads and restrict access to risky websites to prevent unauthorized software downloads.

WebTitan Cloud is an award-winning DNS-based web filter that is consistently highly rated on independent business software review sites and allows businesses to easily improve their security posture and reduce legal risk. The full product is available on a free trial, with full product support provided throughout the trial. For more information about web security and content control with WebTitan Cloud, give the TitanHQ team a call today.

Sophisticated DocuSign Phishing Scam Targets Microsoft 365 Credentials

A sophisticated phishing campaign that bypasses multifactor authentication on accounts is being conducted to steal Microsoft 365 credentials. Attacks on Microsoft 365 users are far from uncommon. With so many businesses using Microsoft 365, it is an attractive target for hackers. If they can develop a campaign that bypasses Microsoft’s security controls, huge numbers of businesses can be attacked. Microsoft 365 credentials are valuable. They provide an attacker with access to email accounts, and often other Microsoft products such as SharePoint, OneDrive, and Skype. A successful attack on just one Microsoft 365 user can give the attacker access to huge amounts of sensitive data and provide a foothold in the network for a much more extensive attack.

One of the latest campaigns spoofs DocuSign – a platform used by organizations to manage electronic agreements. The email requests feedback on a document, with the message crafted to look like a genuine email sent through DocuSign. This campaign appears to be a spear phishing attack, which targets executives at businesses. If the link is clicked, the user will be directed to a malicious URL where they are required to log in with their Microsoft 365 credentials. The website appears to be the genuine Microsoft login page, and if credentials are entered, they are captured. The user is then presented with a notice advising them that the authentication has failed and will likely be unaware that credentials have been stolen.

Stealing credentials alone may not be enough to gain access to Microsoft 365 accounts, as multifactor authentication may have been enabled. This is strongly encouraged by Microsoft to prevent stolen credentials from being used by unauthorized individuals to access accounts. To get around this, this campaign involves the use of a reverse proxy in a man-in-the-middle attack. The web page linked in the email used the evilginx2 proxy. When the credentials are entered on the fake login page they are fed to the genuine Microsoft 365 login, unbeknown to the victim. The session cookie from the successful login attempt is stolen and is used to assume the identity of the victim. That cookie means credentials do not need to be re-entered and no further multifactor authentication requests need to be approved.

This technique provides immediate access to the account, but the attackers go a step further to achieve persistent access. They add a secondary authentication app, which allows them to continue to access the account without going through the process again when the session expires or is otherwise revoked. This attack was investigated by Mitiga, which reports that the attackers used the compromised credentials to access SharePoint and Exchange, but they could have accessed other services had the attack not been detected and resolved quickly.
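The persistence step described above, a new authentication method registered shortly after a sign-in from an unfamiliar address, is something identity logs can surface. The following is an added example, not part of the original article and not any vendor's log schema: the event records, field names, per-user IP baseline and 30-minute window are constructed assumptions, and the addresses come from documentation ranges.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: how soon after sign-in counts

# Constructed identity-provider events; field names are hypothetical.
EVENTS = [
    '{"time": "2022-08-01T08:02:11+00:00", "user": "cfo@corp.example", '
    '"event": "signin_success", "ip": "198.51.100.7"}',
    '{"time": "2022-08-01T09:00:00+00:00", "user": "it@corp.example", '
    '"event": "signin_success", "ip": "198.51.100.9"}',
    '{"time": "2022-08-01T09:05:00+00:00", "user": "it@corp.example", '
    '"event": "mfa_method_added", "ip": "198.51.100.9", "method": "authenticator_app"}',
    '{"time": "2022-08-01T14:31:40+00:00", "user": "cfo@corp.example", '
    '"event": "signin_success", "ip": "203.0.113.50"}',
    '{"time": "2022-08-01T14:38:05+00:00", "user": "cfo@corp.example", '
    '"event": "mfa_method_added", "ip": "203.0.113.50", "method": "authenticator_app"}',
]

# Addresses each user normally signs in from (constructed baseline).
KNOWN_IPS = {
    "cfo@corp.example": {"198.51.100.7"},
    "it@corp.example": {"198.51.100.9"},
}


def load(lines):
    """Parse JSON lines and order them by timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_persistence(lines, known_ips, window=WINDOW):
    """Alert when an MFA method is added within `window` of a successful
    sign-in from an address outside the user's baseline."""
    unfamiliar = {}   # user -> latest sign-in event from a non-baseline IP
    alerts = []
    for event in load(lines):
        user = event["user"]
        if event["event"] == "signin_success":
            if event["ip"] not in known_ips.get(user, set()):
                unfamiliar[user] = event
        elif event["event"] == "mfa_method_added":
            signin = unfamiliar.get(user)
            if signin and event["time"] - signin["time"] <= window:
                gap = event["time"] - signin["time"]
                alerts.append({
                    "user": user,
                    "signin_ip": signin["ip"],
                    "method": event["method"],
                    "minutes_after_signin": int(gap.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_persistence(EVENTS, KNOWN_IPS):
        print(alert)
```

An alert from this rule is a reason to revoke the user's sessions and review registered authentication methods, since removing the stolen cookie alone leaves the added method in place.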

This attack shows how multifactor authentication can be bypassed. In this case, had multifactor authentication been used that requires an authorized device to be used to access the account, or a physical device such as a YubiKey for multifactor authentication, then the attack could have been thwarted.

These attacks can be difficult to identify, although in this case the initial email could have been blocked if DMARC had been correctly set up to block emails from domains not associated with the brand being spoofed. SpamTitan incorporates DMARC controls for email authentication. End user training is also vital. All members of the workforce should be trained on how to recognize the signs of phishing. TitanHQ can assist in this regard through the SafeTitan security awareness and phishing simulation platform.

Businesses That Do Not Provide Cybersecurity Awareness Training are Taking a Huge Risk

Most people are aware of the importance of cybersecurity and the need to take care when opening emails, browsing the internet or downloading apps on their mobile phones. If you ask anyone whether they are knowledgeable about cybersecurity and if they can recognize a malicious website or email, there’s a high chance that they will say yes.

A recent survey conducted by AT&T on 2,000 U.S. adults confirms that. 70% of the respondents to the survey said they were knowledgeable about cybersecurity, two-thirds of people said they know how hackers gain access to sensitive information on devices, and 69% of people said they were able to recognize suspicious websites at a glance.

However, despite being aware of the importance of cybersecurity, cybersecurity best practices are not always followed. People take considerable risks with email and the Internet, and the survey suggests that the confidence in the ability to recognize scams, malicious websites, and suspicious emails is misplaced.

While most people claim to be able to recognize a suspicious website, only 45% of respondents said they knew those sites carried a risk of identity theft. 46% of respondents were unaware of the difference between active and passive cybersecurity threats. Passive cybersecurity threats are those where a threat actor simply monitors communications and gathers sensitive information, whereas an active attack involves some action or modification of communications. An example of a passive attack is a malicious actor eavesdropping on a connection to a website via an evil twin Wi-Fi access point. An example of an active attack would be a malware attack.

The average person lands on 6.5 malicious websites or suspicious social media accounts every day and in many cases, those sites are accessed deliberately. Suspicious websites include those that start with HTTP rather than HTTPS, which means the connection between the web browser and the website is not encrypted. Suspicious sites include those with lots of pop-ups, or unverified sites and social media accounts.

39% of respondents said they accessed suspicious streaming websites to view major sporting events, 37% would download files from suspicious websites if they wanted to find a song or video game that they couldn’t find elsewhere, and these sites would be used to make purchases if they were offering a big discount. Considering that 70% of people said they were knowledgeable about cybersecurity, it is alarming that fewer than 40% of people consider common security risks when accessing the Internet. Only 32% of people considered the possibility of a network intrusion and just 31% of people considered whether an app or software could be malicious. The survey also revealed people take big security risks with passwords. 42% of people reuse passwords on multiple websites and alarmingly, 31% of people use a birthday as a password.

Businesses should take note of this survey. The survey was conducted on a sufficiently large number of people that it should be considered representative of the population as a whole, and it makes clear that employers need to provide cybersecurity awareness training to bring the level of knowledge about cybersecurity up to scratch and to teach the importance of following cybersecurity best practices. Even people who are aware of the risks will take shortcuts for convenience, so businesses should also consider restricting access to certain websites.

If you want to improve cybersecurity, you should start with the human element and try to eradicate risky behaviors. TitanHQ offers businesses a comprehensive cybersecurity awareness training platform – SafeTitan – that covers all aspects of security and cybersecurity in the workplace. The platform can be used to improve understanding of risks and teach the best practices that should be followed at all times. The training content is gamified, interactive, and fun, and has been shown to be highly effective at eradicating risky behaviors. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to risky behaviors by employees. When a risky action is taken, the platform automates the intervention and delivers the relevant snippet of the company policy and training content specific to that risk or threat.

Businesses can also take advantage of WebTitan Cloud – a DNS-based web filtering solution that prevents employees from accessing known malicious websites. When an attempt to visit a malicious website is made, the connection to the site will not be made and the user will be informed that the site has been blocked. Businesses can also use the category-based filters in WebTitan Cloud to prevent employees from accessing certain types of websites, such as those that carry a risk of malware infections, peer-to-peer file sharing networks for example.

By educating the workforce on cybersecurity and implementing controls to restrict access to risky websites, businesses will be able to prevent more costly cyberattacks and data breaches. For more information on cybersecurity awareness training and web filtering, give the TitanHQ team a call.

Bumblebee Loader Fast Becoming the Delivery Vehicle of Choice for Ransomware Gangs

Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing one of the most common methods. Phishing is used to obtain credentials, especially for cloud-based services and applications. Phishing emails are often used to deliver malware loaders. Once installed, the malware loader drops malicious payloads, which ultimately results in a network-wide ransomware attack.

A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest profile ransomware operations. According to Symantec, Bumblebee Loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice.

The Bumblebee loader is primarily delivered via phishing emails and is used to create a backdoor in victims’ networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently high number of devices and systems have been compromised, the Bumblebee loader drops the ransomware payload. After sensitive data has been exfiltrated from the victim’s systems, the file encryption process is initiated.

According to Symantec, the Bumblebee loader has replaced several other malware variants that have proven popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader. The replacement of those malware variants with the Bumblebee loader appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken as it is likely that the malware could lead to a ransomware attack.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021. The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021 Ransomware Study by IDC found that 37% of global organizations had suffered at least one ransomware attack in 2021. Verizon reported in its 2021 Data Breach Investigations Report that the number of ransomware attacks doubled in 2021, and ransomware is now involved in 10% of all data breaches.

Ransomware attacks are being conducted on businesses in all industry sectors, with education, retail, professional and legal services, government, IT, manufacturing, energy, healthcare, and the financial services the hardest hit. Attacks can be extremely damaging to businesses and can cost millions of dollars to mitigate. Many businesses have been forced to close as a result of an attack.

How to Protect Against Ransomware Attacks

Many ransomware gangs operate under the ransomware-as-a-service model, where affiliates are recruited to conduct attacks in exchange for a cut of any ransom payments they generate. Having many affiliates conducting attacks means more attacks can be conducted than if ransomware gangs operated alone. Affiliates have specialist skills and excel at certain types of attacks, so defending against attacks means blocking multiple attack vectors, which requires multiple security solutions to be deployed.

Defending against ransomware attacks requires a defense-in-depth approach involving multiple layers of protection. An email security solution – such as SpamTitan – should be used for blocking attacks via email, such as emails distributing the Bumblebee loader. A DNS filter such as WebTitan should be deployed to block attacks over the Internet and prevent employees from visiting malicious and risky websites.

It is important to educate the workforce about the threat of phishing, malware, and ransomware, and train the workforce on how to recognize and avoid threats such as phishing and social engineering. TitanHQ offers the SafeTitan security awareness training and phishing simulation platform for creating a security-aware workforce.

Vulnerabilities are often exploited, so it is important to ensure that patches and software updates are applied promptly. In the event of an attack succeeding, businesses need to be able to recover quickly. One of the biggest causes of losses in ransomware attacks is lost business due to the disruption caused by an attack, not the cost of the ransom payment. To minimize damage and ensure the fastest possible recovery, an incident response plan should be developed that specifically covers ransomware attacks and that plan should be regularly tested in tabletop exercises.

It is naturally also vital for backups to be created of all data to ensure data can be recovered in the event of an attack. Multiple copies of data should be made, the backups need to be tested to ensure file recovery is possible, and the backups should be stored on a non-networked device, with one copy stored securely offsite.

How to Provide Security Awareness Training and Ensure it is Effective

Technical defenses need to be implemented to protect against cyber threats, but it is also important to provide security training to the workforce. Security awareness training involves teaching users how to identify and avoid cyber threats, and training users to follow the security best practices that are necessary for protecting devices, networks, and data.

When businesses analyze security incidents, they often find that the threat could have easily been identified and avoided. A ransomware attack, for example, could have been prevented had an employee recognized the phishing email that gave the attackers the credentials they needed to access the network. Employees are commonly thought of as a weak link in the security chain, but employees can actually be security assets. Through training, they can become important sensors that help to protect the company.

Security awareness training is necessary for all members of the workforce, from the CEO down. Security awareness training needs to be provided to all individuals when they join the company, and then periodically thereafter. 20% of businesses provide security awareness training once a year or less, but something so important needs to be provided more frequently as employees cannot be expected to retain all of the information from a single, annual training session and then apply that information to real-life situations continuously throughout the year.

Many businesses need to change their thinking on security awareness training from it being a checkbox item that needs to be completed for compliance or to take out cyber insurance. Effective training is required, and that means it needs to be provided continuously. If you don’t exercise, your muscles will become weak. The same applies to security awareness training.

Classroom or computer-based training should be provided, which should be augmented with presentations, quizzes, infographics, and videos. Regular refresher training sessions should be provided in bite-sized chunks that are easy to take on board and remember. The aim of security awareness training is to create a security culture where everyone knows to be constantly alert.

Businesses need to develop an incident response plan to ensure the business can continue to operate in the event of a disaster. Backups need to be made of critical data to ensure that no data is lost in the event of computer failure or a ransomware attack. If you don’t test those plans and backups, it is impossible to know if they work. The same is true for security awareness training. It is necessary to test to see if the knowledge from training has been retained by the staff, if that knowledge is being applied in real-world situations, and whether security awareness training is actually influencing behavior.

One of the best ways to do this is with phishing simulations. Phishing simulations are exercises that are conducted to determine how effective training has been and to identify any areas where training needs to be improved. If a large number of employees have fallen for a particular phishing simulation, it is clear that the training has not covered that particular threat in sufficient detail. Training can then be adapted to help employees understand. If an employee falls for a simulation, there should be consequences, but the consequences should not be punitive. The purpose is to improve security not to punish employees, so the threat needs to be explained to the employee at the time to make sure that if it is encountered again, they will recognize it for what it is and act appropriately.

TitanHQ can help businesses with security awareness training and phishing simulations. SafeTitan is the only behavior-driven security training solution that delivers contextual training in real-time. With SafeTitan, alerts are generated when users take actions they shouldn’t, and those alerts are used to trigger timely training content with context. Since that training is delivered with context, the content provided is always relevant. SafeTitan also allows businesses to monitor how effective training is over time and how training is actually reducing risk.

“Every time an alert is triggered and comes into us, we map that alert or behavior in our database. This allows us to see the frequency of that behavior and monitor how it changes over time. You can measure this by user, by department, by country, by office, by business unit, and by organization,” says Stephen Burke, Product Director of SafeTitan, and founder and CEO of Cyber Risk Aware, which was recently acquired by TitanHQ. “And the beautiful side of it is, unlike most enterprise-grade software, it doesn’t just give mid to large enterprises the ability to demonstrate how effective their training is. MSPs can also offer this technology to their SMB clients, who maybe don’t initially know to seek that information.”

If you want to find out more about security awareness training, this interview with Stephen Burke with Expert Insights is a good place to start. We also recommend starting training with SafeTitan – you can get started today at zero cost by taking advantage of the SafeTitan free trial!

Email Archiving is Just as Important as Backing Up Emails

Many businesses fail to understand the importance of implementing an email archiving solution and believe that since they have a backup system for email that allows them to recover data in the event of a disaster – whether that is an accidentally deleted email or ransomware attack – email archiving is not so important.

Why You Need Email Backups and an Email Archive

There is an important case for implementing an email archiving solution in addition to a backup. Backups are vital but they are not effective long-term data storage solutions. If searches need to be performed and emails found and recovered quickly, backups are not particularly useful. Finding specific data in a collection of backup tapes can be a hugely time-consuming process and potentially an almost impossible task if businesses have a lot of employees and old emails need to be recovered.

The primary purpose of backups is disaster recovery. In the event of a ransomware attack, for instance, the last known backup before the attack can be used to recover email data. That is likely to be the backup taken from the day before the attack occurred. Those backups are easy to find, and while restoring all email data will not be a very quick job, email data will be able to be recovered provided backups have not also been encrypted. It should be pointed out that ransomware gangs search for backups and will encrypt them too. Backups are also useful for storing email data from individuals when they leave the company. A backup of their email can be made, with the .pst file able to be loaded if ever there are any queries. If you need to find an accidentally deleted email, recovering it from a backup – provided it was only recently deleted – is fairly painless. All businesses need to back up their emails for these reasons, so why is an email archive necessary?

Email archives can also be used for disaster recovery processes, although email archives are not supposed to replace backups. Email archiving should occur in addition to making regular backups of email data. Email archives are important for compliance, audits, and when legal issues arise, and for finding emails when investigating customer complaints and security breaches. A great deal of valuable time can be wasted on these tasks if there is no email archive, or if email archiving has not been correctly implemented.

Rapid Search and Retrieval of all Emails

The reason why archives are so useful for long-term storage of email is they allow searches to be quickly performed on email data. Before being sent to an archive, emails are categorized and data in the emails are tagged. Emails are stored with the metadata associated with the emails intact, and that information can be rapidly searched. You can conduct searches quickly based on individual senders and receivers, groups or departments, dates, and other key information. Finding that information in multiple backups, especially searches that date back several years, is not practical.

Businesses need to comply with data retention laws, and the retention times can differ based on the types of data. Automating data retention is straightforward with email archives due to the tagging of data. It is possible to set data retention times and automate the process of archiving, retention, and deletion to meet compliance requirements, with very little user effort required.

Benefits of a Cloud Email Archive

Businesses may prefer to archive their emails locally, but there are potential problems with this approach. Storage space can easily run out given the volume of emails that need to be kept, and new hardware may need to be purchased to accommodate the archive. Archives will also need to be backed up and the backups stored securely. Many businesses choose to archive their emails in the cloud, as they will never run out of storage space, do not need to purchase and maintain the hardware, and their archives will be automatically backed up.

Cloud-based archives, such as those created with ArcTitan, are optimized to make searches fast. ArcTitan allows multiple searches to be performed simultaneously, unlike several other popular email archiving solutions. That means searching archives is a very quick process. ArcTitan also ensures that emails can be tagged and categorized, further speeding up message search and retrieval.

With ArcTitan, security is assured. Archives are automatically backed up, the archives are always available due to replication across multiple data centers, and controls can be applied to restrict access to only the individuals who need to access the archives to prevent external cyberattacks and insider incidents. In the event of a ransomware attack, all emails stored in the cloud archive will be protected so that ransomware gangs will not be able to access and encrypt the archive.

Businesses need to back up their data, but they should also have an email archive. With ArcTitan, email archiving is made simple, and if ever emails need to be recovered, they can be quickly and easily found and recovered.

Why Businesses Should Take Steps to Block Pirated Software and Product Activators

Software can be expensive, which is why many people choose to download pirated software. Naturally, downloading pirated software is illegal, but many people think there is little chance of getting caught especially if they do not use their own computer to download the software. Most people have access to a computer at work and that is a common place where pirated software is downloaded, both for home use and also for using unauthorized software at work.

Employees at small- to medium-sized businesses may struggle to get authorization to purchase certain software due to the high license cost, even though the use of that software may make employees’ jobs easier. It is not uncommon for employees to go behind their employer’s back and simply download a pirated version of the software they want. The Business Software Alliance conducted a study that suggested 39% of software on computers is unlicensed, and another study suggested 3 in 10 employees use software at work that their employers do not know about. Not all of these ‘shadow IT’ tools will be pirated, as many are available for free, but this is a concern.

Free software may only be free for consumer use. Business use often requires a paid license, and if a license is not purchased businesses are exposed to legal risk. Any software that is installed without the knowledge of the IT department will mean patches for the software to fix known vulnerabilities may not be installed – that would be the responsibility of individual users, not the IT department. Vulnerabilities could remain unaddressed that could potentially be exploited by threat actors to gain access to the user’s device or provide a foothold for a more extensive compromise.

There is also a risk of malware being introduced. This is especially risky with pirated software, which is often bundled with adware, spyware, potentially unwanted programs (PUPs), and malware, which are either included with the software or are installed via software cracks and product activators.

Software cracks and product activators are well-known for installing malware. KMSPico is a software piracy tool that is used for activating all features of Windows and Microsoft Office without requiring a license key. The tool uses Windows Key Management Services (KMS), which is a legitimate feature of Windows that is used to license Microsoft products across an enterprise network. This is achieved by installing a KMS server and through Group Policy Objects. KMSPico emulates a local KMS server to fraudulently activate the software.

Many anti-malware solutions detect KMSPico as potentially malicious for good reason. The tool can disable antimalware products to prevent it from being detected, and that alone can open the door for malware. Further, there are many versions of KMSPico available online, and identifying a clean version can be a challenge. There are versions available for download that have been bundled with malware, including the Cryptbot stealer. The Cryptbot stealer is commonly packaged with KMSPico and other product activators and cracks. The user will get the KMSPico, but malware will be silently installed in the background.

Cryptbot stealer is a dangerous malware that can perform a range of functions, including stealing data from web browsers such as Opera, Chrome, Firefox, and Vivaldi. The malware steals browser histories, passwords, credit card information, cookies, and cryptocurrency wallets. The Cryptbot stealer has also recently been updated to make it stealthier and a more effective stealer and it can now search for file paths and exfiltrate a range of files. The Cryptbot stealer is far from the only malware distributed in this manner and malware delivery is not limited to KMSPico. Many cracks and warez are used to install malware.

There are steps businesses should take to make it harder for employees to download pirated software. To prevent downloads from the Internet, WebTitan can be installed. WebTitan is a DNS-based web filter that is used to control the web content that can be accessed by users of business networks. At its simplest, businesses can use the category-based controls to block access to certain categories of websites where pirated software is downloaded, such as peer-to-peer file-sharing networks and any other undesirable categories of websites. WebTitan can also be configured to prevent the downloading of certain files associated with malware, including software installers and other executable files.

It is also important for IT departments to create a full inventory of software to identify any pirated or unauthorized software that has already been installed. This will allow them to remove potentially risky software and to ensure all legitimate software is identified and included in the patch management policy.

Malicious QR Codes are Being Used for Phishing and Malware Distribution

Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested or to sites hosting malware.

A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes have been widely adopted during the COVID-19 pandemic for carrying out contactless operations, such as registering attendance at a venue and for viewing menus in restaurants to help prevent the spread of COVID-19.

Many smartphones have in-built QR code readers and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user will be directed to whatever web resource has been programmed into the code. While QR codes have many important uses, QR codes can be easily tampered with to direct individuals to malicious websites.

Phishing emails often contain links to malicious websites that have been masked by changing the text in the hyperlink. Hovering a mouse arrow over the hyperlink on a computer will display the URL to which the user will be directed; however, with a QR code the user may be instantly directed to the website and could be prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information.

Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim’s mobile device, allowing them to steal sensitive information such as passwords or bank account information.

Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct customers to malicious websites that mimic those used by the business in order to steal payment card information.

The Federal Bureau of Investigation (FBI) has recently issued a warning about the increase in the use of QR codes for conducting malicious activities. The FBI emphasized that QR codes are not malicious in nature but can be abused, so precautions should be taken when using QR codes and it should not be assumed that QR codes are secure.

A study conducted by Ivanti in 2021 revealed 87% of people felt secure conducting financial transactions using QR codes. Given the rise in abuse of QR codes, that confidence is worrying. As with embedded hyperlinks in emails, it is important to exercise caution and to check the URL of the resource that the user is directed to before taking any actions. The domain should be checked to ensure it is correct, and care should be taken to look for any typos or misplaced or substituted letters.

The FBI recommends checking a QR code before scanning to make sure it has not been tampered with, such as by overlaying a sticker on the original QR code. If prompted to download a file after using a QR code, be aware that the file may be malicious. If prompted to download an app, it is more secure to visit an official app store. On most mobile phones it is also not necessary to download a QR scanner app, and doing so increases risk. The apps may be malicious, and many automatically direct users to a resource without requiring confirmation or providing information about the URL that the user will be directed to.

Businesses can protect their corporate-owned devices against QR code scams by installing a web filter. A web filter such as WebTitan can be used to prevent mobile devices from being used to visit malicious websites or web pages that violate acceptable internet usage policies. WebTitan will protect against any redirect to a malicious website, whether via a link in a phishing email or QR code and will also block malware downloads and potentially malicious files.

RATDispenser: A New Malware Threat That Delivers 8 Secondary Malware Payloads

A new malware downloader has been identified that is being used to deliver 8 different malware payloads, including several Remote Access Trojans (RATs) and keyloggers. The malware has been named RATDispenser by security researchers at HP Wolf Security, who recently identified and analyzed the malware.

RATDispenser is a stealthy JavaScript-based malware that is primarily being used as a malware dropper to deliver a broad range of payloads, possibly under the malware-as-a-service model. Out of 155 samples analyzed by the researchers, 145 were droppers and 10 were downloaders that communicated over the network to retrieve a secondary stage of the malware.

RATDispenser is being distributed in spam emails that contain a malicious attachment – a JavaScript file with a double extension to make it appear to be a text file (.txt). In one of the emails distributing the malware, the email had the subject line “Product Specification” and related to a fake order placed by the recipient.

JavaScript files are executable files, so simply double clicking on the attachment is all that is required to start the infection process. When the JavaScript file is executed, it decodes itself at runtime and writes a Visual Basic script file to the %TEMP% folder using cmd.exe. The VBScript file is then run and delivers the malware payloads. RATDispenser drops GuLoader, Ratty, Remcos, AdWind, STRRAT, and WSHRAT and downloads the FormBook keylogger and information stealer and the Panda Stealer cryptocurrency stealer.

The malware delivered by RATDispenser can be used to obtain credentials and other sensitive data and gives the attacker backdoor access and full control of infected devices. Once sensitive data has been obtained, the threat actor could sell access to other threat groups, such as ransomware gangs.

The range of malware variants delivered by RATDispenser makes this malware particularly dangerous, made worse by the poor detection rates by many antivirus engines. Email security solutions use antivirus engines to detect malware and malicious files, but only 11% of the 77 antivirus systems on VirusTotal are currently identifying RATDispenser as malicious.

An email security solution such as SpamTitan, which includes dual antivirus engines to detect known malware variants and sandboxing to identify malicious files that pass AV controls, is the best defense against RATDispenser. In addition, SpamTitan users should configure the solution to quarantine all emails that contain executable file attachments such as JavaScript and VBScript files.
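The quarantine rule recommended above can be expressed as a check on attachment file names. This is an added example, not SpamTitan's implementation or code from the HP Wolf Security analysis: the extension lists, function names and the sample message (built inline with placeholder content) are assumptions.

```python
"""Flag script attachments and decoy double extensions (added example)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: script types Windows runs on double-click, and harmless-looking decoys.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify_filename(name):
    """Return the reasons an attachment name is risky (empty list if none)."""
    # Windows ignores trailing dots and spaces, so strip them before looking
    # at the extension.
    clean = name.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(clean)
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script-extension:" + ext)
        inner = os.path.splitext(stem)[1]
        if inner in DECOY_EXTENSIONS:
            reasons.append("double-extension:" + inner + ext)
    return reasons


def screen_message(raw_bytes):
    """Parse a raw message and return (verdict, [(filename, reason), ...])."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches attachments nested in multiparts
        filename = part.get_filename()
        if not filename:
            continue
        # The declared Content-Type is set by the sender, so only the file
        # name, which decides how Windows opens the file, is evaluated.
        for reason in classify_filename(filename):
            findings.append((filename, reason))
    return ("quarantine" if findings else "deliver"), findings


def build_sample(filename):
    """Constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "orders@supplier.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Product Specification"
    msg.set_content("Please see the attached specification.")
    msg.add_attachment(b"// placeholder, not real script content\n",
                       maintype="text", subtype="plain", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Product_Specification.txt.js", "notes.txt", "report.vbs"):
        print(name, screen_message(build_sample(name)))
```

The sample attachment is declared as `text/plain` on purpose, which is why the verdict depends on the file name and not on the MIME type.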

If you want to improve your defenses against malware and other email threats, give the TitanHQ team a call to find out more about SpamTitan Email Security. SpamTitan is available on a free trial to allow you to put the product to the test in your own environment and find out for yourself the difference it makes to email security.

Phishing Campaign Uses Spoofed Government Unemployment Websites for Fraud and Malware Distribution

A phishing campaign has been identified that uses spoofed unemployment benefits websites to trick people into disclosing sensitive personal and financial information. These websites have been designed to closely resemble official U.S. government websites that are used to apply for unemployment benefits.

Individuals arriving on the websites are prompted to enter personal and financial information as part of the claims process. The information provided can be used by the scammers to file fraudulent unemployment benefits claims and have payments directed to their accounts. The credentials and information harvested through the sites can also be used or sold to other cybercriminals to commit identity theft and fraud, with some of the sites used for installing malware onto victims’ devices, including ransomware.

The U.S. Federal Bureau of Investigation (FBI) has received an increased number of complaints about these scams through its Internet Crime Complaints Center in recent weeks, prompting the FBI to issue an alert about the scams. At the time of issuing the alert, the FBI had identified 385 domains hosted on the same IP address, 8 of which impersonated official government websites that host unemployment benefit platforms. Those sites have an .xyz top-level domain (TLD) rather than .gov, and mostly impersonate state-level websites.

The malicious websites include employ-nv[.]xyz, gov2go[.]xyz, illiform-gov[.]xyz, mary-landgov[.]xyz, and newstate-nm[.]xyz, which were all still active at the time of the alert, along with employ-wiscon[.]xyz, marylandgov[.]xyz, and newstatenm[.]xyz which are no longer active.

Campaigns such as this are nothing new, but the number of complaints received about the scams is increasing, as is the number of reported cases of identity theft. Figures from the U.S. Federal Trade Commission show identity theft reports doubled between 2019 and 2020, with more than 1.4 million reports received last year.

Several steps can be taken to avoid becoming a victim of these scams. It is important to exercise caution when visiting any website and ensure that the spelling of the web address is correct, and the website has a .gov TLD. The U.S. government does not use .xyz TLDs on its websites.

While the padlock icon next to a URL is a sign that the site has an SSL certificate and the connection between the website and the browser is secure, it does not indicate the website is genuine. Cybercriminals often obtain SSL certificates for their websites to make them appear to be legitimate. The padlock should be present before any sensitive data is disclosed to avoid interception of that information, but other checks should be performed to make sure the site is genuine.

Malware downloads can be blocked by using antivirus software, which should be set to update automatically. Any security updates should be applied promptly, and browsers and plugins regularly updated to the latest version. To prevent stolen credentials from being used to access accounts, multi-factor authentication should be implemented and strong passwords should be set on accounts.

It is important to stop and think before taking any action suggested on a website or in an email. In the case of the latter, never open attachments in emails or click links to websites in messages from unknown individuals. Even if an email appears to have been sent by a trusted individual, checks should be performed on the email header information, especially in unsolicited messages.

Many of these campaigns target individuals, but employees are often targeted in phishing attacks that seek email credentials and other sensitive business information. In addition to providing security awareness training to the workforce and implementing an advanced email security solution such as SpamTitan, businesses should consider implementing a web filter.

WebTitan is a powerful DNS-based web filtering solution that is used by many businesses and Managed Service Providers to improve Internet security. Web filters are used to control the content that users can access over wired and wireless networks. They block attempts to visit known malicious websites, can be configured to block access to risky categories of websites, and also block malware downloads. They serve as an important extra layer of security to block phishing attacks and provide greater protection than email security solutions alone.

If you want to improve protection against phishing and web-based attacks, give the TitanHQ team a call today to find out more about SpamTitan Email Security and WebTitan Web Filtering.

If you already have email and web security solutions in place, you might be surprised to find out that you can get the same or better protection and a much-reduced price with TitanHQ solutions.

BluStealer Malware Being Distributed in Phishing Emails

A new malware threat has been discovered that is being distributed using phishing emails. BluStealer malware can perform a range of malicious activities, including logging keystrokes to obtain credentials, stealing cryptocurrency and banking information, and exfiltrating sensitive files from victims’ devices via SMTP.

BluStealer malware was first identified by an infosec researcher in May and was initially named a310logger. Initially, BluStealer malware was being used in limited attacks, although it is now being distributed more widely in larger phishing campaigns. In mid-September, one phishing campaign was conducted targeting 6,000 users in a single day. The malware has been distributed in several countries, mainly Argentina, Czech Republic, Italy, Greece, Romania, Spain, Turkey, the United Kingdom and the United States.

As with many other malspam campaigns, the emails used to distribute the malware use social engineering techniques to trick recipients into opening a malicious attachment. The attached file is seemingly benign but delivers the BluStealer payload.

A variety of lures have been used in the phishing campaigns and multiple companies have been impersonated. The antivirus company Avast intercepted messages that impersonated the Mexican metal producer General de Perfiles and the international courier firm DHL.

The DHL phishing emails target businesses and closely resemble genuine email communications from the firm. The emails claim a package has been delivered to head office since the recipient was unavailable. The emails include an attached form which users are required to complete to reschedule a delivery; however, opening the attached file will allow a script to run that results in BluStealer malware being silently downloaded and executed. Avast says the General de Perfiles email also targets businesses and claims the recipient has overpaid an invoice and the money will be applied against the next purchase. Again, the user is required to open an attachment. The emails contained .iso attachments and download URLs on the Discord Content Delivery Network, along with a C# .NET loader.

The core code of the malware is written in Visual Basic and there is a C# .NET loader. The components were different in each of the phishing campaigns which suggests it is possible to customize each element individually. The .NET loader has been used by other malware families including Agent Tesla, Formbook, and Oski Stealer.

The easiest way to block BluStealer malware is to implement an advanced spam filtering solution such as SpamTitan. SpamTitan is constantly updated by multiple threat intelligence feeds to ensure new malware and phishing threats are detected and blocked. Dual anti-virus engines are used to detect malware, and sandboxing is used to conduct an in-depth analysis of suspicious attachments that pass inspection by the antivirus engines. Sandboxing ensures zero-minute threats are also detected and blocked. SpamTitan also incorporates SPF, DKIM, and DMARC to block email impersonation attacks.

To find out more about SpamTitan Email Security and how it can help to protect your business from malware and email spam, give the TitanHQ team a call. SpamTitan is available on a 100% free 14-day trial (no credit card required) and product demonstrations can be scheduled on request.

Widespread Phishing Campaign Uses Open Redirects and CAPTCHA Verification Page

A widespread phishing campaign has been identified that uses a range of tricks to fool end users and spam filters, with the ultimate goal of stealing Office 365 credentials.

Office 365 credentials are extremely valuable. Phishers can use the compromised email accounts for conducting more extensive phishing attacks on an organization or for business email compromise scams. There is also a market for these credentials and they can be sold for big bucks to other threat groups such as ransomware gangs. Office 365 email accounts also contain a wealth of sensitive data that can easily be monetized.

This campaign involves a range of social engineering techniques to fool end users into believing the emails are genuine. Well-known productivity tools such as SharePoint are impersonated, with the emails claiming to be collaboration requests. Zoom has also been spoofed to make it appear that the recipient has been invited to attend a meeting. The emails include the correct logos, and closely resemble the genuine requests they impersonate.

The emails direct users to a phishing webpage where users are required to enter their Office 365 credentials. Those phishing pages include the correct Microsoft logo and styling and appear genuine, other than the URL of the page. The scammers have also used CAPTCHA verification pages that need to be completed to prove the user is a human rather than a bot. The CAPTCHA adds legitimacy to the campaign and gives an illusion of security, whereas the purpose is to prevent security solutions from identifying the phishing content.

After passing the CAPTCHA challenge, the user is presented with a fake Office 365 login prompt. After entering their credentials, they are presented with a fake error message and are prompted to re-enter the password. This additional step helps to ensure that the correct password is captured. After completing that step, the user is sent to a legitimate domain advising them that the email message has been released.

The campaign also abuses open redirects to fool end users and security solutions. An open redirect is a legitimate tool that is commonly used in marketing campaigns, where companies want to track responses to email messages and direct users to specific landing pages. The URL to which the user initially tries to connect may be on a trusted domain, so if the user hovers their mouse arrow over the link, they may be convinced that the URL is genuine; however, the attackers then redirect users to a malicious URL, which is added as a parameter.
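Because the final destination travels inside the link as a parameter, it can be recovered before anyone clicks. The following added example (not taken from Microsoft's report or any TitanHQ product) extracts URL-valued query parameters, including percent-encoded, scheme-relative and chained ones, and reports those that point at a different host than the link shows. All sample links are constructed, and the same-site test is a simplification that a production check would replace with a registrable-domain comparison.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # the target may be percent-encoded more than once
MAX_CHAIN_DEPTH = 4    # a redirector can point at another redirector


def embedded_url(value: str) -> Optional[Tuple[str, str]]:
    """If a parameter value is an http(s) URL, return (host, url); else None."""
    candidate = value.strip()
    for _ in range(MAX_DECODE_ROUNDS + 1):
        # "//host/path" is scheme-relative and is followed by browsers as a URL.
        probe = "https:" + candidate if candidate.startswith("//") else candidate
        try:
            parts = urlsplit(probe)
        except ValueError:
            return None
        if parts.scheme in ("http", "https") and parts.hostname:
            return parts.hostname.lower(), probe
        decoded = unquote(candidate)
        if decoded == candidate:
            return None
        candidate = decoded
    return None


def same_site(link_host: str, target_host: str) -> bool:
    # Simplification: same host or a subdomain of it.
    return target_host == link_host or target_host.endswith("." + link_host)


def find_cross_host_redirects(url: str, _depth: int = 0) -> List[Tuple[str, str, str]]:
    """Return (parameter, visible_host, target_host) for each cross-host target."""
    findings: List[Tuple[str, str, str]] = []
    try:
        link = urlsplit(url)
    except ValueError:
        return findings
    link_host = (link.hostname or "").lower()
    if link.scheme not in ("http", "https") or not link_host:
        return findings
    for name, value in parse_qsl(link.query, keep_blank_values=True):
        found = embedded_url(value)
        if found is None:
            continue
        target_host, target_url = found
        if not same_site(link_host, target_host):
            findings.append((name, link_host, target_host))
        if _depth < MAX_CHAIN_DEPTH:
            findings.extend(find_cross_host_redirects(target_url, _depth + 1))
    return findings


# Constructed sample links using reserved example domains.
SAMPLE_LINKS = [
    "https://marketing.example.com/track?campaign=42&url=https%3A%2F%2Flogin.example.net%2Fo365",
    "https://marketing.example.com/r?next=https%253A%252F%252Flogin.example.net%252F",
    "https://shop.example.com/out?to=//files.example.net/x",
    "https://shop.example.com/login?return=https%3A%2F%2Fshop.example.com%2Fcart",
    "https://shop.example.com/login?return=%2Fcart",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        for param, shown, target in find_cross_host_redirects(link):
            print(f"{shown} -> {target} via parameter {param!r}")
```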

Microsoft has detected more than 350 unique domains used in the campaign, including a variety of top-level domains from different countries, legitimate domains that have been compromised by the attackers with phishing content added, as well as domain generation algorithm (DGA) domains and free email domains.

The campaign incorporates several tricks to fool email security gateways, as well as a range of social engineering techniques to fool end users. It is likely that after being fooled into divulging their credentials, victims will be unaware that their credentials have been stolen.

The techniques used in this campaign highlight the importance of adopting a defense-in-depth approach. That means implementing overlapping layers of security to counter the multiple layers of deception. In addition to an advanced spam filtering solution such as SpamTitan, it is advisable to also implement a web filtering solution.

Web filters tackle phishing by preventing access to the malicious phishing domains used in these campaigns. If a phishing email evades the email security gateway, the web filter provides time-of-click protection and can block the attempt to visit the phishing webpage. Instead of being allowed to access the phishing page, the user will be redirected to a local block page. These measures should be combined with end user training to raise awareness of the risk of phishing and to help employees identify malicious – or potentially malicious – emails. It is also recommended to implement multi-factor authentication on Office 365 email accounts.

If you want to improve your defenses against phishing attacks or have any questions about spam filtering or web filtering, give the TitanHQ team a call today. The SpamTitan Email Security and WebTitan Web Security solutions are both available on a free trial to allow you to see for yourself how effective they are at blocking threats and how easy they are to use.

Benefits of DNS Filtering with Web Filtering Myths Busted

To those unfamiliar with DNS filtering, it is a form of web filtering that is used to filter out unwanted and undesirable web content, whether that is webpages containing objectionable material such as pornographic images or cyber threats such as websites used for phishing or malware distribution.

The Domain Name System (DNS) is what makes it possible for websites to have easy-to-remember domain names. A domain name, such as google.com, is easy for people to remember, but no use to a computer, which requires an IP address to find that resource on a remote server. The DNS is used to convert a domain name into its corresponding IP address, and DNS filtering is web filtering that takes place at the DNS lookup stage of a web request before a connection is made to the server hosting the web content.

DNS Filtering Myths

DNS filtering has several advantages over standard web filtering. Filtering occurs before any content is downloaded, which is better for speed and security. With DNS filtering, there is next to no latency – page load speeds are unaffected.

Many businesses fail to appreciate the importance of DNS filtering. After all, what is the point of blocking malware and ransomware threats on the Internet when antivirus software is installed on all end points? While AV software is effective at blocking known malware threats, it will not block new threats that have not been seen before, as the signatures of those malware variants are not in the virus definition lists of AV software. New variants of old malware versions are constantly being released to bypass signature-based AV defenses, so additional protection is needed. DNS filters can block these threats based on the reputation of IP addresses and will block downloads of file types associated with malware.

DNS filtering also improves defenses against phishing attacks, which all too commonly result in costly data breaches. Phishers are constantly devising new methods to get their emails into inboxes and trick end users into clicking on links and disclosing their credentials. Spam filters will block most of these messages but not all, and security awareness training only goes so far. A web filter will block access to phishing content and can significantly improve an organization’s phishing defenses. When links to phishing websites are clicked, the request is blocked and DNS filter logs will show which links were clicked. That can help to improve the effectiveness of spam filters and security awareness training programs.

DNS filters are also used for content control. Most businesses will have acceptable Internet usage policies in place, and employees will be aware of the risks of accessing prohibited web content, but DNS filters are ideal for enforcing those policies. They can prevent lawsuits from downloads of copyright infringing cracked software and other pirated content onto the business network or users’ devices.

There is a common misconception that DNS filtering is complicated and time consuming when that is not the case. A DNS filtering solution is actually very quick and easy to configure. Simply point the DNS to the service provider, and you can set your filtering controls quickly and easily through the user interface. WebTitan, for instance, can be up and running in around 30 minutes, and after the initial setup little ongoing maintenance is required.

Another common misconception is that DNS filters are easy to bypass. While no web filtering solution is impossible to bypass, it is fairly easy to ensure that most users will not be able to bypass the filtering controls. You just need to configure the solution to block proxies and anonymizers and lock down the DNS settings. It is also recommended to block DNS requests to anything other than your approved DNS service at the firewall for good measure.

If you have your own, locally hosted, internal DNS server, you should allow only port 53/UDP outbound requests from your internal DNS server’s internal IP address to the external IP addresses of the primary and secondary DNS servers that your internal DNS server is configured to use. That means local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet.
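To check that the firewall actually enforces the rule described above, its connection log can be audited against it. This is an added example, not WebTitan tooling: the log format, the 10.0.0.0/8 internal range, the internal DNS server address and the two upstream resolver addresses are all constructed assumptions. It reports allowed flows that break the rule and denied flows that show a host trying to go around the filter.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumptions for illustration (documentation and private address ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")
APPROVED_UPSTREAMS = {
    ipaddress.ip_address("192.0.2.53"),     # hypothetical primary filtering resolver
    ipaddress.ip_address("198.51.100.53"),  # hypothetical secondary filtering resolver
}

CLIENT_BYPASS = "client querying an external resolver directly"
BAD_UPSTREAM = "internal DNS server using an unapproved upstream"
NOT_UDP = "port 53 over a protocol other than UDP"

# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def policy_violation(proto: str, src, dst, dport: int) -> Optional[str]:
    """Return why an outbound port-53 flow breaks the rule, or None if it complies."""
    if dport != 53:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        return None  # client -> internal DNS server never leaves the network
    if src != INTERNAL_DNS:
        return CLIENT_BYPASS
    if dst not in APPROVED_UPSTREAMS:
        return BAD_UPSTREAM
    if proto != "udp":
        return NOT_UDP  # the rule as written permits 53/UDP only
    return None


def audit(lines: List[str]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Split violating flows into firewall gaps (allowed) and blocked attempts."""
    report: Dict[str, List[Tuple[str, str, str, str]]] = {"gaps": [], "blocked_attempts": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log line
        reason = policy_violation(m["proto"], src, dst, int(m["dport"]))
        if reason is None:
            continue
        bucket = "gaps" if m["action"] == "ALLOW" else "blocked_attempts"
        report[bucket].append((m["src"], m["dst"], m["proto"], reason))
    return report


# Constructed sample log.
SAMPLE_LOG = """\
T1 ALLOW udp 10.0.0.53:41000 -> 192.0.2.53:53
T2 ALLOW udp 10.0.4.17:53011 -> 10.0.0.53:53
T3 ALLOW udp 10.0.4.22:53999 -> 203.0.113.8:53
T4 DENY udp 10.0.4.30:50123 -> 203.0.113.8:53
T5 ALLOW udp 10.0.0.53:41001 -> 203.0.113.9:53
T6 ALLOW tcp 10.0.0.53:41002 -> 192.0.2.53:53
T7 ALLOW tcp 10.0.4.17:50500 -> 198.51.100.7:443
""".splitlines()

if __name__ == "__main__":
    for bucket, flows in audit(SAMPLE_LOG).items():
        for flow in flows:
            print(bucket, *flow)
```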

Key Benefits of DNS Filtering

  • Block access to malicious and risky websites with no latency
  • Enforce acceptable Internet usage policies
  • Block malware downloads and file downloads associated with malware
  • Prevent users from visiting phishing websites
  • Block copyright infringing file downloads
  • Protect against zero-day malware threats
  • Have highly granular control over the content that network users can access
  • Protect employees and devices when they are working off-site
  • Stop employees from accessing productivity-draining websites

DNS Filtering with WebTitan

WebTitan Cloud offers a quick, easy, and painless way for businesses to filter the Internet and block malicious and undesirable web content. WebTitan can be used to apply filtering controls to users of wired and wireless networks, with controls effective no matter where employees use their devices to access the Internet – in the office, while travelling, or working remotely.

WebTitan Cloud uses three mechanisms for filtering the Internet. First, there are SURBL & URIBL filters to block access to known malicious web content. Then there are category filters – 53 pre-set categories plus customizable categories – that are used to block content such as pornography, gambling, gaming, and dating sites. The third tier involves keyword filters that fine tune category controls and block sites based on the presence of keywords and web pages that exceed certain keyword scores.

WebTitan Cloud can be configured to block certain files from being downloaded, acceptable Internet usage policies can easily be applied, and sites can be easily blacklisted using third-party blacklists, or whitelisted to ensure they can always be accessed.

When an attempt is made to visit a prohibited website, the request will be denied, and the user will be directed to a customizable local block page. All web activity is logged, and it is easy to see what requests have been made, the access attempts that have been allowed or blocked, and what content has been viewed, with extensive reporting and real time views of Internet activity.

The result is total control over what users can access and full visibility into Internet activity, while greatly improving cybersecurity by blocking web-based threats.

With WebTitan you get:

  • Best-in-class malicious URL detection
  • Malware, phishing, and ransomware protection
  • Real-time filtering
  • Instant categorization of web content
  • Infinitely scalable DNS filtering
  • Flexible policies
  • An extensive web filtering API that allows integration with existing monitoring systems
  • Immediate live updates
  • Zero-day updates to protect your customers as threats arise.
  • No bandwidth limits
  • No latency issues
  • Remote management and monitoring
  • SSL is supported
  • Multiple hosting options
  • Flexible pricing policies
  • Low-cost web filtering

For more information about DNS filtering in general, the WebTitan suite of DNS filtering solutions, or to book a product demonstration or to register for a free trial, give the TitanHQ team a call.

DoppelPaymer RaaS Rebrands as Grief Ransomware

Ransomware gangs have been feeling the heat following the DarkSide ransomware attack on Colonial Pipeline in May that forced the company to shut down its fuel pipeline serving the U.S. East Coast for a week. Any attack on critical infrastructure is likely to draw a response from the U.S. government, so it is no surprise that ransomware gangs faced a great deal of scrutiny after the attack. The DarkSide group shut down following the attack, and several other ransomware gangs went quiet.

DoppelPaymer was one of the gangs that appeared to be lying low. Around a week after the Colonial Pipeline attack the group went quiet and no further updates were posted on the group’s data leak site after May 6, 2021.

It is not uncommon for ransomware operations to go quiet for a few weeks, but they usually return. In many cases, the threat group reappears with a tweaked ransomware variant that is used under a new name, as has happened with DoppelPaymer.

DoppelPaymer attacks often start with a phishing email with links or attachments that install other malware variants, which in turn deliver the ransomware payload. Prior to the Emotet botnet being shut down, that banking Trojan was used to deliver DoppelPaymer, as well as Dridex.

Security researchers investigating a new ransomware-as-a-service operation called Grief (PayorGrief) that appeared in June identified striking similarities between Grief and DoppelPaymer, leading them to the conclusion that they are one and the same. A sample of the malware was found that dates back to May 17, indicating the group had only stopped attacks for a very short period of time.

Grief and DoppelPaymer both have the same encrypted file format and are both distributed in phishing emails via the Dridex botnet, with one of the analyzed Grief samples also found to link to the old DoppelPaymer portal, although the samples identified since point to a separate Grief RaaS portal. Analyses of the code and the leak site also revealed further similarities such as the use of identical encryption algorithms and matching General Data Protection Regulation (GDPR) warnings for non-paying victims about GDPR penalties. The group appears to have been quite active in the short time since the new RaaS was launched, with 12 victims already listed on the group’s data leak site.

The best way to protect against DoppelPaymer ransomware attacks is to concentrate on blocking the initial attack vector – the phishing emails that deliver Dridex, which in turn delivers the ransomware. That requires an advanced anti-spam solution with machine learning capabilities and sandboxing. SpamTitan has these capabilities and many more detection mechanisms that ensure 100% of known malware threats are identified and blocked and new malware threats are identified even before their signatures are known.

For further information on improving your defenses against ransomware, malware, botnets, phishing, and other email- and web-based threats, give the TitanHQ team a call.

Crackonosh Malware Turns Devices into Cryptocurrency Mining Rigs

A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs.

Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.

Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites.

The games are legitimate, although they have been cracked to allow them to be installed without having to purchase the game key. The correct game will be installed but bundled into the installer are several other files that will execute in the background and install Crackonosh malware, which is capable of disabling certain antivirus programs to ensure it is not detected, including Windows Defender. It also disables Windows Update to ensure that Windows Defender is not reactivated. Since the malware creates and stores an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled.

One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable.

The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest numbers of infected computers in the Philippines, Brazil, India, Poland, United States, and the United Kingdom. As of December 2020, there were more than 220,000 devices infected with Crackonosh malware and those devices had been used to generate at least $2 million in Monero coins at today’s prices.

This malware campaign targets gamers as their computers are well suited to mining cryptocurrency. Once infected, users are likely to experience a serious reduction in performance and much higher electricity bills, but cryptocurrency mining can also cause computers to overheat, components can wear out from overuse, and devices will ultimately fail.

It is not only cryptocurrency mining malware that can be installed along with cracked software. Any number of other malware variants could be delivered. Another recently identified campaign also uses cracked software as the cover but delivers a malware loader dubbed MosaicLoader. MosaicLoader is used to deliver cryptocurrency miners as well as Remote Access Trojans, cookie stealers, backdoors, and any other malware that the MosaicLoader operator sees fit to deliver.

Installing cracked software and games carries a risk of malware infections, and that is particularly bad news for businesses, especially those that have a BYOD policy or allow their employees to work remotely on corporate-issued devices.

Preventing malware infections such as Crackonosh or MosaicLoader should start with education. Employees should be told about the risks of installing cracked software or other unauthorized software on devices. Technical measures are also required. To block downloads from the Internet, it is worthwhile installing a DNS filter. DNS filters can be used to block content at the DNS lookup stage of a web request, before any content is downloaded.

They can block access to certain categories of websites – gaming sites and forums, for example – or specific files from being downloaded, such as game and software installers. DNS filters also use a variety of methods to assess whether sites are malicious and will block access to URLs and IP addresses known to be used for illegal and malicious purposes.

If you want to improve your defenses against malware, contact TitanHQ today. TitanHQ’s advanced spam filtering solution – SpamTitan – and DNS filter – WebTitan – block malware at source and keep you protected from phishing, ransomware, and other email and web based threats.

Cost of a Ransomware Attack? $600 Million for Ireland’s Health Service Executive

Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but they will need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.

Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and the health system chose not to pay the ransom. Add up the recovery costs, which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during the remediation process, and the cost of the attack rose to $67 million.

While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland’s Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results.

A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief executive Paul Reid said it is likely to take months before all systems are brought back online.

Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operation center needs to be set up to monitor the network to prevent any further attacks. The initial costs incurred as a result of the attack were reported to be well over €100 million, but the overall cost of the attack is expected to rise to around half a billion Euros – around $600 million.

An attack on such a major healthcare provider is naturally going to be incredibly costly, but ransomware attacks on small businesses can be catastrophic. Following a ransomware attack, an estimated 60% of small businesses fail within 6 months. One study showed the cost of remediating a ransomware attack doubled between 2020 and 2021, with the average cost now around $1.85 million. Attacks are also increasing. An analysis of the data leak sites used by ransomware gangs by cybersecurity firm Mandiant showed there has been a 422% increase in ransomware-related data leaks between Q1, 2020 and Q1, 2021.

How to Improve Your Defenses Against Ransomware

The most prolific ransomware gangs operate under the ransomware-as-a-service model. The creators of the ransomware do not conduct attacks. Instead, they employ affiliates to conduct the attacks for them. That means more attacks can be conducted. The creators run the operation and take a cut of any ransom payments generated, with the affiliates retaining the bulk of the ransom payments from their attacks.

Affiliates conduct attacks using a variety of methods and no two attacks will be exactly the same. Preventing ransomware attacks therefore requires a range of different measures to block all of the attack vectors, but the best place to start is by improving phishing defenses. Phishing emails are increasingly used as the initial entry point into business networks, so if these malicious emails can be blocked at the email gateway, they will not be delivered to inboxes where they can be opened by employees.

That is an area where TitanHQ can help. TitanHQ has developed two advanced solutions that are effective at preventing ransomware attacks. SpamTitan is a powerful email security solution that filters out malicious messages to stop them from causing harm. Rather than be delivered, emails with malicious links and attachments are quarantined.

WebTitan is a DNS-based web filtering solution that complements SpamTitan to provide even greater protection against ransomware and malware attacks. WebTitan prevents employees from visiting the malicious websites where malware and ransomware are downloaded.

Both solutions are consistently given top marks on software review sites such as G2 Crowd, with the solutions given a maximum of 5 stars by users of Spiceworks and Capterra. SpamTitan has also received over 37 consecutive Virus Bulletin Spam awards.

If you want to improve your defenses against phishing, ransomware, and web-based attacks, give the TitanHQ team a call. If you would like more information about protecting against attacks, also be sure to attend the upcoming TitanHQ/Osterman Research webinar on June 30, 2021:

How to Reduce the Risk of Phishing and Ransomware.

What are the Signs of a Phishing Email?

It used to be quite easy to identify a phishing email, but over the past few years, scammers have really upped their game. Some of the phishing emails now being sent can fool even the most security-conscious and well-trained people, but if you know the signs of a phishing email, you should be able to identify and avoid all but the most sophisticated phishing attempts.

What is Phishing?

Phishing is the name given to a tactic used by cybercriminals to obtain sensitive information through deception, often by impersonating a trusted source. Phishing is also used to deceive people into taking an action that allows the attacker to achieve their aim. This could be installing malware or even changing security settings on a device.

Phishing can be viewed as the digital equivalent of a confidence trickster, so these tactics are certainly nothing new. The attack technique gets the name from fishing. With fishing, a lure or bait is used to trick a fish into swallowing a hook. With phishing, a lure is used to trick an individual into taking an action in the belief that the request is genuine.

Phishing can take place over the telephone, in person, via text messages, social media networks, or chat platforms, although most commonly it occurs via email. Attacks are easy to perform, as all that is needed is an email address to send the messages and a phishing template. If credential theft is the goal, a website hosting a phishing kit is required to harvest credentials. Phishing kits are widely available on hacking forums and malware can also be purchased, so an attacker really only needs email accounts to send the messages.

Phishing emails can range from basic to highly sophisticated, and while email security solutions are effective at identifying phishing emails and ensuring they are not delivered to inboxes, no email security solution is capable of blocking every phishing threat without also blocking unacceptable numbers of genuine emails. It is therefore essential for employees to be told how to spot the signs of a phishing email and for them to be conditioned how to respond when a suspicious email is received.

Phishing Tactics are Constantly Changing!

There are tried and tested phishing techniques that are used time and time again because they are effective, but new lures are constantly being developed to trick individuals and evade email security solutions. It is not possible to train employees how to recognize every lure they are likely to receive, but it is possible to teach employees the most important signs of a phishing email, as there are commonalities shared across most phishing campaigns.

The aim of any training is not to ensure that every employee will recognize every phishing email, only to reduce susceptibility of the workforce to phishing attacks. Over time, employees will get better and will be able to recognize phishing emails and will get used to reporting suspicious emails to their security team.

What Are the Signs of a Phishing Email?

Every email received could potentially be a threat, even emails that appear to come from a known individual or other trusted source. Just because the sender’s name is familiar or the correct logos and contact details of companies are used, it does not mean that the email is genuine.

Some of the most effective phishing lures that are used to target businesses mimic genuine business communications such as purchase orders, receipts, invoices, job applications, shipping notifications, and non-delivery notifications. You should perform some quick checks of any email you receive, specifically looking for the following signs of a phishing email.

Urgency and Threats

Most phishing emails try to get the recipient to act quickly without thinking or checking for the signs of a phishing email. Some of the most effective lures require quick action to be taken to avoid negative consequences. Scare tactics are used, such as the threat of arrest or legal action, loss of service, loss of money, or even fear of missing out (FOMO).

Spelling and grammatical errors

Spelling and grammatical errors are common in phishing emails. These can be accidental – Google Translate errors – or can be deliberate. Why deliberately include spelling errors? Anyone who still falls for the email will be more likely to then fall for the next stage of the scam.

When businesses send emails, they are usually careful to ensure there are no spelling and grammatical errors. Most businesses have a spell and grammar check configured for all outbound emails.

Unnecessary or Unusual Attachments

Email attachments are commonly used in phishing emails that distribute malware. Attachments may not be what they seem and could have a double extension. A Word document could in fact be an executable file that installs malware when double clicked. Malicious scripts such as macros are often added to files that will execute and download malware if allowed to run. Malicious hyperlinks are often hidden in attachments such as PDF files, Word documents and Excel spreadsheets to hide them from email security solutions. Exercise caution when opening any attachment, scan it with your AV software before opening, and do not enable content or macros – you do not need to in order to see the contents of a genuine document. If in doubt do not open.

Odd hyperlinks

Hyperlinks are often included in phishing emails to direct the recipient to a website hosting a phishing kit. These links may appear genuine from the link text, but links are often obfuscated to make them appear genuine. Check the true destination before clicking by hovering the mouse arrow over the link. If the link is clicked, make sure the domain you land on is the correct domain used by a company, and be exceptionally careful if you are asked to enter sensitive information such as your Office 365 credentials.

Atypical Requests

Phishing emails will try to get you to take an action you would not normally take. If the request deviates from the normal requests received via email, you should be suspicious. This could be a request to send sensitive data via email, install a program, or make a call or click a link to install a security update. It pays to make a quick phone call to check the legitimacy of any odd request using previously verified contact information – never contact information in the email. Also look out for unusual greetings and overly familiar or overly formal emails from contacts, as these deviations could indicate an email impersonation attack.

Unfamiliar Email Addresses and Domain Names

Phishers often hijack email accounts so phishing emails can come from genuine email accounts, but it is most common for free email accounts to be used or for attackers to create email accounts on their own domains. Those domains often closely resemble the brand that the attackers are impersonating. Watch out for hyphenated domains – e.g. microsoft-updates.com; transposed or missing letters – e.g. mircosoft.com; use of irregular characters – e.g. m1crosoft.com; and subdomains – e.g. microsoft.phishingdomain.com. Carefully check the email address and the domain name.

Block Phishing Emails with TitanHQ

If you run a business and want to improve your security defenses, you should train your employees how to identify the signs of a phishing email. You should also ensure you have an effective email security solution in place that will block the vast majority of email threats to stop them from reaching inboxes. You should also consider implementing other anti-phishing solutions to create layered defenses.

This is an area where TitanHQ can help. TitanHQ offers two award-winning anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market: SpamTitan Email Security and WebTitan Web Security. Both can be used in tandem to greatly improve your defenses.

SpamTitan blocks malware and phishing emails at source and keeps inboxes free of threats, while WebTitan protects against the web-based component of phishing attacks, blocking attempts by users to access known malicious domains and stopping malware downloads from the Internet.

For further information on these solutions and how they can improve your phishing defenses, give the TitanHQ team a call today or drop us a line on email. If you want to test the solutions, both are available on a no-obligation free trial.

WebTitan OTG (on-the-go) for Chromebooks Now Available with WebTitan Cloud Update

TitanHQ has announced that a new version of WebTitan Cloud has been released that brings new features and improved security.

The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks.

The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked.

WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA) and protect their students and their devices from threats.

WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs.

Set up is easy and user and device level web filtering for Chromebooks can be set up in just a few minutes. The solution provides protection for students regardless of where the Internet is accessed – students will have access to a clean, safe, filtered Internet in the classroom and at home, and it is also easy to lockdown Chromebooks to prevent any bypassing of filtering controls. Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.

Support Added for Azure Active Directory

WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory, as well as on-premise AD and directory integration for Active Directory, with further directory services due to be added to meet customers’ needs.

Current WebTitan customers will be automatically updated to the latest version of WebTitan Cloud and will have instant access to the new features and the latest fixes will be applied automatically.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

5 Effective Techniques to Help You Identify Phishing Emails

Learning how to identify phishing emails is an important skill, one that all employees need to master. Many phishing emails are easy to spot if you know the signs of a phishing email to look for.

It is not necessary to spend a couple of minutes checking every email at work, after all, that would leave little time for doing anything else. There are some quick and easy checks that take a few seconds and can easily allow you to identify phishing emails quickly. Performing these simple checks on each inbound email should become second nature before long.

5 Easy Ways to Identify Phishing Emails

Listed below are 5 basic checks that should be performed to identify phishing emails. These will allow you to identify the most common techniques used by phishers to steal your credentials or get you to install malware.

Check the Sender’s Email Address

Many emails will have a different display name to the actual email address, so it is important to check who the real sender is. The display name can be easily configured by the sender to make you think an email is genuine. You may receive an email that has PayPal as the display name, but the sender’s email address could have a non-PayPal domain or have been sent from a Gmail account or another free email service. Free email services such as Gmail, Yahoo, and Hotmail are not used by businesses.

Check that the domain – the part of the email address after the @ symbol – matches the sender. For PayPal that would be PayPal.com. Also check to make sure the domain name is spelled correctly and that there are not any transposed or replaced letters. It is common for an i to be replaced with a number 1, for example, for an m to be switched to an rn, or for hyphens to be added to domains to make them look official, Pay-Pal for instance.
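The sender checks above can also be run automatically over a From header. The following Python sketch is an added example, not code from TitanHQ or any product mentioned here; the protected-domain list, the extra 0-for-o swap, and the simple two-label view of a registrable domain are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: brands this organisation wants to watch for (illustrative list).
PROTECTED = {"microsoft.com", "paypal.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Swaps named in the text (1 for i, rn for m); 1 for l and 0 for o are added assumptions.
_SWAPS = str.maketrans({"1": "i", "l": "i", "0": "o"})


def skeleton(label):
    """Collapse look-alike characters so m1crosoft and microsoft compare equal."""
    return label.replace("rn", "m").translate(_SWAPS)


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_domain(domain, protected=PROTECTED):
    """Return (imitated_domain, reason) for a look-alike domain, else None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    registrable, sld, subs = ".".join(labels[-2:]), labels[-2], labels[:-2]
    if registrable in protected:
        return None  # the genuine domain or one of its own subdomains
    for brand_domain in sorted(protected):
        brand = brand_domain.split(".")[0]
        if sld == brand:
            continue  # same name on another TLD is outside this sketch
        if any(brand in s.split("-") for s in subs):
            return brand_domain, "brand as subdomain"
        if brand in sld.split("-") or sld.replace("-", "") == brand:
            return brand_domain, "hyphenated"
        if skeleton(sld) == skeleton(brand):
            return brand_domain, "character substitution"
        if osa_distance(sld, brand) == 1:
            return brand_domain, "transposed or missing letter"
    return None


def check_sender(from_header, protected=PROTECTED):
    """Compare the display name with the real sending domain of a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    hit = check_domain(domain, protected)
    if hit:
        findings.append(f"{domain} imitates {hit[0]} ({hit[1]})")
    for brand_domain in sorted(protected):
        brand = brand_domain.split(".")[0]
        genuine = domain == brand_domain or domain.endswith("." + brand_domain)
        if brand in name.lower() and not genuine:
            kind = "free email service" if domain in FREE_MAIL else "non-matching domain"
            findings.append(f"display name claims {brand} but sender uses {kind} {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for header in ('"PayPal Support" <service@gmail.com>',
                   "PayPal <service@pay-pal.com>",
                   "Microsoft <noreply@m1crosoft.com>",
                   "PayPal <billing@paypal.com>"):
        print(header, "->", check_sender(header) or "no findings")
```

A check like this only flags candidates for review; a domain one edit away from a brand name can still be a legitimate business.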

Carefully Check Hyperlinks in Emails

Phishing occurs via email, but the actual credential theft usually occurs online. Hyperlinks are included in emails that direct people to a web page where they are asked to enter sensitive information such as their email login credentials. These web pages are usually carbon copies of genuine login prompts for services such as Office 365, apart from the domain on which the page is hosted.

You should be suspicious of any hyperlink in an email. Even clicking a link could be enough to trigger a malware download. You should check the true destination URL of a link, which may be masked with a button or legitimate looking text. Hover your mouse arrow over any link to check the destination URL.

The domain should match the sender and be the official domain used by the company. If the email has been sent from a company, visit the website by entering the correct domain into the address bar of your browser rather than clicking the link. If you believe the link to be genuine, remember to double check the page you land on, as you may have been redirected to a different website.

Be Wary of Email Attachments

Email attachments are often used in phishing to hide malicious content. Malicious hyperlinks are often added to Word documents and PDF files rather than being included in the message body of the email, in order to evade security solutions.

Attachments commonly have macros – code – which will perform malicious actions if allowed to run. When you open these files, you will be prompted to “enable editing” or “enable content.” Doing so will allow the code to run. You will not need to enable any content in order to view a legitimate file.

Executable files are often attached to emails that will install malware if double clicked. Executable files include files with a .exe, .js, .bat, .scr, or .vbs extension. Also check for double extensions, such as .doc.exe or .pdf.exe. Windows may hide the actual extension of the file if it is known and only display the first part. If in doubt, do not open attachments, especially those in unsolicited emails. If you believe the attachment to be genuine, make sure you scan it with antivirus software before opening.

Spelling and Grammatical Errors

Many phishing emails are poorly written and contain spelling and grammatical errors. Official emails from a company will have been checked prior to being sent, so spelling and grammatical errors are extremely unlikely. Businesses often have spell checks on emails enabled by default. Many phishing messages are sent from Eastern Europe or other non-English speaking countries and have been translated using Google Translate so may sound a little odd.

Also be wary of any odd or unusual requests, such as a request to open a file when information could easily have been included in the message body or requests to send sensitive information via email.

Threats and Urgency

Most phishing emails attempt to get the recipient to take fast action and not consider the request too carefully. There is often a threat of bad consequences if action is not taken quickly, such as the closure of an account or loss of service. Phishers rely on fear (or fear of missing out) to get people to take action that they would normally not take and to act without thinking.

You may receive an email warning that your Netflix account will be closed due to a security issue unless you login. Emails often threaten arrest or lawsuits if you do not take immediate action. You may receive a too-good-to-be-true email offering you an incredible bargain or claiming you have won a competition you did not enter. Sceptics are less susceptible to phishing!

Malware Delivery via Phishing Emails is Increasing

Phishing is the biggest cyber threat faced by businesses. Phishing emails are malicious email messages that use deception to obtain sensitive information or trick individuals into installing malware. During the pandemic, cybercriminals took advantage of COVID-19 trends and created phishing emails that spoofed trusted entities such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention offering up to date information on the coronavirus. Companies offering personal protective equipment (PPE) were impersonated when there was a shortage of supply, and recently pharmaceutical firms have been spoofed to send offers related to COVID-19 vaccines.

One of the primary aims of these scams is to obtain Microsoft 365 credentials, which give the attackers access to the treasure trove of data that is typically found in email accounts. The compromised email accounts are used in email impersonation attacks on other individuals in the organization, or in business email compromise (BEC) attacks to trick finance department employees into making fraudulent wire transfers. A single compromised Microsoft 365 account can give attackers the foothold they need for a much more extensive attack on the organization, with phishing emails the initial attack vector used to deliver ransomware.

These phishing emails can be difficult for employees to identify, even when they are provided with security awareness training. Once an email lands in an inbox, there is a high chance of that email being opened and an employee taking the action requested in the email, so it is essential for businesses to have an effective email security solution in place that can identify and block these malicious messages.

Malware Delivery via Email is Increasing

Recent research has shown that phishing emails are now the primary method used to deliver malware and the number of emails distributing malware is increasing. A study recently published by HP in its threat insights report shows 88% of malware is now delivered via email, with the volume of messages distributing malware increasing by 12% from the previous quarter. Many of these emails contain executable files that directly install the malware on devices or run malicious code that launches memory-only malware.

Traditional antivirus software solutions often fail to detect malware variants sent via email. Antivirus software is signature based, so in order for malware to be detected, its signature must have been loaded into the AV software’s virus definition lists. If there is no signature, the malware will not be detected as malicious. The HP study showed almost a third of all phishing emails used to distribute malware involve previously unseen malware variants.

The threat groups conducting these phishing campaigns use obfuscation techniques and packers that allow malware to evade antivirus software. It typically takes an average of 8.8 days for the hashes of malware variants to be added to AV engines.

Blocking new malware variants is difficult, but not impossible. One of the ways that these emails can be detected is through the use of a sandbox. Email security gateways with sandboxes first scan inbound messages and check attachments using AV engines. Email attachments that are suspicious but are not determined to be malicious from the AV scan are then sent to the sandbox for in-depth analysis. Within the secure environment of the sandbox, the files are investigated for any malicious actions such as command and control center callbacks.

No anti-malware controls will detect all malware variants but using a spam filtering solution such as SpamTitan that uses sandboxing technology will greatly improve the malware detection rate and will help to keep your inboxes malware free. SpamTitan also allows rules to be created for departments, job roles, and individuals that will further improve protection against malware attacks. Rules can be set to prohibit certain file types from being delivered to inboxes – the types of files that are commonly used to deliver or mask malware.

For instance, a recent phishing campaign conducted to distribute NanoCore malware used a .zipx (compressed) file to hide the malware from email security solutions, and JavaScript (.js) files are similarly used to install malware. Blocking these uncommon file types for individuals who do not need to run those files will also help to reduce risk.
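File-type rules of this kind, together with the double-extension check described earlier on this page, can be expressed as a small attachment policy. The Python sketch below is an added example and does not show how SpamTitan implements its rules; the role names, the role exception table, and the list of decoy document extensions beyond .doc and .pdf are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the text as executable or as uncommon archive types.
EXECUTABLE = {".exe", ".js", ".bat", ".scr", ".vbs"}
UNCOMMON = {".zipx"}
# Assumption: document extensions used as the visible half of a double extension.
DECOY = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
# Assumption: hypothetical per-role exceptions, e.g. developers may receive .js files.
ROLE_EXCEPTIONS = {"developer": {".js"}}


def extensions(filename):
    """Return every extension in order, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    # Normalise case and trailing dots/spaces before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    return ["." + p for p in parts[1:]]


def classify(filename, role=None):
    """Return (verdict, reason) for one attachment name under the policy above."""
    exts = extensions(filename)
    if not exts:
        return "deliver", "no extension"
    last = exts[-1]
    # A document extension followed by an executable one is never legitimate.
    if last in EXECUTABLE and len(exts) > 1 and exts[-2] in DECOY:
        return "quarantine", f"double extension {exts[-2]}{last}"
    if last in EXECUTABLE | UNCOMMON:
        if last in ROLE_EXCEPTIONS.get(role, set()):
            return "deliver", f"{last} permitted for role {role}"
        return "quarantine", f"blocked file type {last}"
    return "deliver", "file type not restricted"


def scan_message(raw_bytes, role=None):
    """Parse a raw MIME message and classify each attachment by filename."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify(name, role)
        results.append((name, verdict, reason))
    return results


def build_sample():
    """Constructed test message with placeholder attachment bytes (no real content)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for name in ("invoice.pdf", "invoice.pdf.exe", "order.zipx", "report.js"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for role in ("finance", "developer"):
        print(role)
        for name, verdict, reason in scan_message(build_sample(), role):
            print(f"  {name:18} {verdict:10} {reason}")
```

Filename checks are a first filter only, since an attacker controls the name; they complement the AV and sandbox scanning described above rather than replace it.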

With phishing and malware attacks increasing, businesses need to ensure that their cybersecurity defenses are up to scratch and are capable of detecting and blocking these and other email and web threats. If you are receiving spam and phishing emails in your inboxes, have suffered a malware attack via email, or simply want to improve your defenses against email and web-based threats, give the TitanHQ team a call to find out more about cybersecurity solutions that can greatly improve your security posture at a very competitive price.

Worrying Number of Employees Using Work Devices for Non-Work Purposes

The pandemic forced many businesses to accelerate their digital transformation strategies to support an at home workforce and survive the pandemic; however, this new approach to working was not without risk.

Cybercriminals took advantage of companies that failed to address vulnerabilities, with some of the most widely exploited vulnerabilities in 2020 in remote access solutions such as the Pulse Secure VPN. Brute force attacks against Remote Desktop Protocol skyrocketed as more businesses switched to remote working, and while many businesses have opened their offices once again, the brute force attacks are still occurring at levels far above those before the pandemic.

Threat actors also stepped up their attacks on remote workers early on in the pandemic and attacks are continuing as lockdowns persist and employees continue to work from home. Many businesses address these risks through security awareness training and teach employees cybersecurity best practices and how to identify threats such as phishing. A little security awareness can go a long way and can be the difference between a threat being recognized and avoided or a link in a phishing email being clicked without thinking by an employee.

There are many threats that businesses may not be aware of, one of which was highlighted by a recent YouGov survey. Throughout a large part of the pandemic, schools have been closed and children have been home schooled. The survey revealed a quarter of UK workers have allowed their children to use their corporate device as part of home schooling and for other purposes such as socializing and gaming.

An employee may be aware not to engage in risky online activities, but children using work devices for Internet access leaves businesses vulnerable to cyberattacks. The survey, conducted on 2,000 UK employees, also revealed 70% of employees could access social media websites on their corporate devices and despite being one of the most fundamental aspects of security, 74% of employees said they did not use a unique password for all accounts.

During the pandemic when employees are isolated and may be struggling with home schooling as well as working, it is understandable for employers to take a more relaxed view on the use of work computers for non-work purposes, but risks do need to be managed. Having no visibility into Internet access and failing to implement any controls over the content that can be accessed by remote workers and other household members on work laptops is a serious risk, and one that could easily lead to a malware or ransomware attack.

One of the ways that security can be improved for remote workers is to place certain restrictions on uses of corporate laptops with a web filter. A web filter such as WebTitan gives IT teams visibility into the sites that their employees are accessing, which allows them to identify potential risks and apply controls to reduce those risks to an acceptable level.

WebTitan can be used to prevent downloads of certain file types to reduce the risk of a malware infection and to block access to high-risk websites, such as non-sanctioned file sharing services. Categories of website can be blocked at the click of a mouse, such as social media websites, and it is straightforward to block messenger services.

WebTitan is a powerful, yet easy to use security solution that is easy to apply to protect devices issued to employees no matter where they work and can greatly improve security with a remote workforce as well as when employees return to the office.

For further information on improving security for remote workers, including web filtering and email security, give the TitanHQ team a call. You can also sign up for a free trial of WebTitan here and immediately reduce risk.

Network Segmentation Best Practices to Improve Internal Network Security

What is Network Segmentation?

Network segmentation is the act of dividing a computer network into smaller physical or logical components. Two devices on the same network segment can then talk directly to each other. For communication to happen between segments, the traffic must flow through a router or firewall. This passage allows for traffic to be inspected and security policies to be applied.

Network segmentation is one of the mitigation strategies for protecting against data breaches and multiple types of cyber security threats. In a segmented network, device groups have the connectivity required for legitimate business use only. The ability of ransomware to spread is greatly restricted. However, all too often organizations operate an unsegmented network.

Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.

If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.

Looking to get enterprise-grade protection from malware and phishing? Sign up for a free WebTitan demo today.

Network Segmentation Benefits

There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization and makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, by segmenting the network you can easily limit the resources that can be accessed. Segmentation also provides greater security against internal threats.

Network Segmentation Best Practices

Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements, and each consists of a Layer3 network subnet to which several hosts connect.

The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level. There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.

Suggested Firewall Security Zone Segmentation

[Figure: Suggested Firewall Security Zone Segmentation]

In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall and two DMZ (demilitarized) zones and an internal zone. A DMZ zone is an isolated Layer3 subnet.

The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.

In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.

Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.

A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers, which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via Active Directory.

The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, active directory servers, and internal applications. We suggest Internet access for users on the internal network to be directed through an HTTP proxy server located in DMZ 1.

Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.

The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
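The zone rules described above can be written down as a default-deny baseline and used to audit a firewall rule set. The following is an added example, not part of the original article or any vendor's product: ports 25, 80, and 443 come from the text, while every other port number, the rule names, and the sample rule set are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

INTERNET, DMZ1, DMZ2, INTERNAL = "internet", "dmz1", "dmz2", "internal"
ANY = None  # sentinel meaning "every TCP/UDP port"

# Baseline taken from the zone description above. Ports 25/80/443 are the
# article's; every other port number is an assumption made for this example.
# Any zone pair that is not listed is denied: Internet->DMZ2,
# Internet->internal and DMZ1->internal never appear here.
BASELINE = {
    (INTERNET, DMZ1): frozenset({25, 80, 443}),   # mail and web only
    (DMZ1, INTERNET): frozenset({25, 80, 443}),   # assumed: proxy and mail egress
    (DMZ1, DMZ2): frozenset({3306, 8443}),        # assumed: database and app tier
    (INTERNAL, DMZ1): ANY,                        # one-way: users reach the proxy
    (INTERNAL, DMZ2): ANY,                        # internal side of the DMZ2 link
    (DMZ2, INTERNAL): frozenset({88, 389, 636}),  # assumed: Active Directory auth
}


class Rule(NamedTuple):
    name: str
    src: str
    dst: str
    ports: Optional[frozenset]  # None (ANY) = all ports


def is_allowed(src, dst, port, baseline=BASELINE):
    """Default-deny lookup: a flow passes only if the baseline names it."""
    if src == dst:
        return True  # intra-zone traffic does not cross the firewall
    allowed = baseline.get((src, dst), frozenset())
    return allowed is ANY or port in allowed


def audit(rules, baseline=BASELINE):
    """Return (rule name, reason) for every allow rule wider than the baseline."""
    findings = []
    for rule in rules:
        allowed = baseline.get((rule.src, rule.dst), frozenset())
        if allowed is ANY:
            continue  # the baseline places no port limit on this path
        path = f"{rule.src}->{rule.dst}"
        if not allowed:
            findings.append((rule.name, f"{path} must not be opened at all"))
        elif rule.ports is ANY:
            findings.append(
                (rule.name, f"{path} any-port rule; baseline allows {sorted(allowed)}")
            )
        else:
            extra = sorted(rule.ports - allowed)
            if extra:
                findings.append((rule.name, f"{path} opens extra ports {extra}"))
    return findings


# Constructed rule set: three of these rules break the segmentation design.
SAMPLE_RULES = [
    Rule("web-in", INTERNET, DMZ1, frozenset({80, 443})),
    Rule("mail-in", INTERNET, DMZ1, frozenset({25})),
    Rule("rdp-in", INTERNET, DMZ1, frozenset({3389})),
    Rule("db-direct", INTERNET, DMZ2, frozenset({3306})),
    Rule("web-to-db", DMZ1, DMZ2, frozenset({3306})),
    Rule("dmz1-to-lan", DMZ1, INTERNAL, ANY),
    Rule("users-to-proxy", INTERNAL, DMZ1, frozenset({3128})),
    Rule("ad-auth", DMZ2, INTERNAL, frozenset({389, 636})),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Running the audit on every rule change catches the rules that would undo the one-way protection between DMZ1 and the internal zone before they reach the firewall.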

Looking to get enterprise-grade protection from malware and phishing? Sign up for a free WebTitan demo today.

Risks of an Unsegmented Network

A real-world example of an unsegmented network and resulting attack is the massive Target data breach of 2013. Reportedly, the Target breach had its origin in a phishing email opened by an employee at a small HVAC company that did business with Target. The malware lurked in the HVAC network for two months before moving on to attack the Target network.

Once inside they were able to move laterally through Target’s internal network, eventually installing malware on point-of-sale (POS) terminals throughout the stores. In the wake of the attack, Target implemented network segmentation to prevent the lateral movement that allowed the attackers to move within the system in this breach.

It’s no surprise a breach this huge is massively expensive and the cleanup represents an almost overwhelming challenge. Bloomberg BusinessWeek reported that Target spent $61 million through Feb. 1 on the breach.

The damage?

  • The data of 110 million customers was compromised.
  • Over 100 lawsuits have been filed.
  • Banks have already spent $200 million related to the Target breach, and it’s unclear if there’s an even bigger payout on the horizon.

Effective network segmentation also makes it easier to detect signs of an attack. It’s not uncommon for a company’s Intrusion Detection System to generate such a large number of alerts that many go uninvestigated.

By concentrating on alerts related to sensitive parts of the network, security teams can prioritize incidents likely to be the most dangerous. Network segment traffic can also be monitored for unusual patterns or activity potentially indicating an attack.

Effective Network Segmentation is not enough

Many sectors including manufacturing, retail and industrial are prime targets for cyberattacks. Often organizations in these sectors are not up to date in terms of implementing key cybersecurity controls in order to be prepared for advanced and evolving attack methods.

By adhering to network segmentation best practices, you can optimize network security. There's no silver bullet to take down every attacker, but it’s possible to implement several layers of security that work together as a whole to defend against a myriad of attacks.

Layered Security to Prevent Data Breaches

Layered security allows for each security layer to compound with the others to form a fully functioning, complete sphere of security. The internal network (ideally segmented) and its data are surrounded by powerful, interwoven layers that an attacker must defeat. These layers make a successful breach much more difficult to achieve.

Cybercriminals are already exploiting the lack of security at the DNS layer to conduct phishing attacks and gain access to proprietary enterprise data. Not securing the DNS layer is making it far too easy for hackers to take advantage. Securing the DNS layer is a straightforward process that requires no additional computer hardware or even any software installations. Many vendors now offer cloud based DNS filtering solutions that can be set up in minutes.

Isn’t it about time you started securing the DNS layer and making it much harder for cybercriminals to compromise your network? If you’re looking to get enterprise-grade protection from malware and phishing, check out WebTitan Cloud DNS filtering today.

FAQs

What does network segmentation mean?

Network segmentation is concerned with dividing a network up into smaller segments called subnets. This can improve network performance and is important for security. By using firewalls between each segment, you can carefully control access to applications, devices, and databases and can block lateral movement in the event of a successful cyberattack.

What is logical network segmentation?

Logical network segmentation is a popular way of segmenting a network. Instead of segmenting physical parts of the network such as routers and access points, logical segmentation uses concepts built into network infrastructure for segmentation, such as creating virtual local area networks (VLANs) that may share physical hardware.

Is network segmentation necessary for PCI compliance?

Organizations that store, process, and/or transmit cardholder data must comply with PCI DSS. One of the requirements is to use network segmentation to keep the cardholder data environment (CDE) separate from other parts of the network. Through network segmentation, organizations can isolate credit card data from all other computing processes.

Can network segmentation protect against ransomware attacks?

Network segmentation is a best practice that can help to reduce the damage caused by a malware or ransomware attack. If a computer is compromised, attackers will attempt to move laterally and access other devices and parts of the network. With network segmentation, lateral movement is much harder, so it is easy to contain malware and limit file encryption by ransomware.

What are the main benefits of network segmentation?

There are three main benefits of network segmentation. First is security. It reduces your attack surface and limits lateral movement in the event of a breach. Second, you can improve network performance, as traffic will be confined to the part of the network where it is required. Thirdly, it makes compliance easier by allowing you to separate regulated data from other computer systems.

TitanHQ Wins 3 Expert Insights’ 2021 Best-Of Awards for SpamTitan, WebTitan, and ArcTitan

TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ “Best-Of” Awards, beating some of the best-known email security, web security, and email archiving products on the market.

For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats.

Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services.

Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ “Best-Of” Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ “Best-Of” Award.

This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder Craig MacAlpine. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

WebTitan, TitanHQ’s powerful DNS-filtering solution was named a winner in the Web Security category, the SpamTitan anti-phishing and anti-spam solution was named a winner in the Email Security Gateway category, and ArcTitan was named a winner in the Email Archiving category.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”

Email Retention Laws in the United States

Email retention laws in the United States require businesses to keep copies of emails for many years. There are federal laws that apply to all businesses and organizations, data retention laws for specific industries, and a swathe of email retention laws in the United States at the individual state level. Ensuring compliance with all the appropriate email retention laws in the United States is essential. Non-compliance can prove incredibly costly. Multi-million-dollar fines await any organization found to have breached federal, industry, or state regulations.

Email archiving is absolutely necessary as a result of these federal, state and industry email retention laws. Retention periods vary depending on the regulations that govern your industry sector. Email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation.

All electronic documents must be retained by U.S. organizations, which extends to email, in case the information is required by the courts. eDiscovery requests often require large volumes of data to be provided for use in lawsuits and the failure to provide the data can land an organization in serious trouble. Failure to present the requested email can result in hefty fines, sanctions and reputational damage.

For decades, U.S. organizations have been required to store documents. Document retention laws are included in numerous legislative acts such as the Civil Rights Act of 1964, the Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986 to name but a few; however, just over a decade ago, data retention laws in the United States were updated to expand the definition of documents to include electronic communications such as emails and email attachments.

To improve awareness of the many different email retention laws in the United States, a summary of the minimum email retention periods has been included below as a guide. Please bear in mind that this is for information purposes only and does not constitute legal advice. Industry and federal electronic data and email retention laws in the United States are also subject to change. Up to date information should be obtained from your legal team.

What are the Different Email Retention Laws in the United States?

As you can see from the list below, there are several federal and industry-specific laws applying to email retention in the United States. These email retention regulations apply to emails received and sent, and include internal as well as external emails and email attachments.

| Email retention law | Who it applies to | How long emails must be stored |
| --- | --- | --- |
| IRS Regulations | All companies | 7 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years rising to 35 years |
| Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare organizations (Healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities) | 6 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card companies and credit card processing organizations | 1 Year |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities firms | Minimum of 7 years up to a lifetime |

Email retention laws in the United States that are applied by each of the 50 states are beyond the scope of this article. There are also European laws, such as the GDPR email requirements, that must be considered if you do business with EU residents.

What is the Best Way to Store Old Emails?

Storing emails for a few years is not likely to require masses of storage for a small business with a couple of members of staff. However, the more employees an organization has, the greater the need for extensive resources just to store emails. The average size of a business email may only be 10KB, but multiply that by 123 – the average number of emails sent and received each day by an average business user in 2016 (Radicati email statistics report 2015-2019), and by 365 days in each year, and by the number of years that those emails need to be stored, and the storage requirements become considerable.

If any emails ever need to be accessed, it is essential that any email archive or backup can be searched. In the case of standard backups, that is likely to be an incredibly time consuming process. Backups are not designed to be searched. Finding the right backup alone can be almost impossible, let alone finding all emails sent to, or received from, a specific company or individual. Backups have their uses, but they are not suitable for businesses for email retention purposes.

For that, an email archive is required. Email archives contain structured email data that can easily be searched. If ever an eDiscovery order is received, finding all email correspondence is a quick and easy task. Since many email archives are cloud based, messages are deduplicated, and files are compressed, they also do not require huge storage resources. Emails are stored in the cloud, with the space provided by the service provider.

Increasing Dependence on Email

  • Number of emails sent and received daily in 2020: 306.4 billion (Radicati)
  • Amount of business-critical data residing in emails: 60 percent (IDC)

With the rise of remote working, the reliance on business email has grown. More than ever users are treating their inbox as an archive to find documents or information. Email is a centralized store of sensitive data. Consequently, companies use email as a form of information retention, referring back to old emails to find vital information.

ArcTitan: TitanHQ’s Cost Effective and Convenient Email Archiving Solution

ArcTitan is a cost-effective, fast and easy-to-manage email archiving solution provided by TitanHQ that meets the needs of all businesses and enables them to comply with all email retention laws in the United States.

ArcTitan incorporates a range of security protections to ensure stored data is kept 100% secure and confidential, with email data encrypted in transit and at rest in Replicated Persistent Storage, with the archive automatically backed up for you.

In contrast to many email archiving solutions, ArcTitan is fast. The solution can process 200 emails per second from your email server and archived emails can be retrieved instantly via a browser or Outlook (using a plugin) or other mail clients. Emails can be archived from any location, whether in the office or on the go via a laptop or tablet. Multiple searches of the archive can be performed simultaneously with up to 30 million emails searched per second. There are no limits on storage space or the number of users and the solution can be scaled up to meet the needs of businesses of all sizes.

Ensuring email archive searches are performed without hurting network performance and keeping data integrity intact are priorities for most businesses. ArcTitan makes eDiscovery easy for attorneys while simultaneously protecting data.

Data Compliance Considerations When Archiving Email with Remote Working

Last year saw a huge increase in remote working, and the pandemic has significantly changed the technology and business landscape. As workers worldwide connect remotely, organizations must ensure data compliance, security, and privacy. Cloud-based email archiving offers a cost-effective and efficient way to manage email data across a remote workforce.

A key benefit of cloud-based email archiving is the centralization of disparate email servers. With the ongoing move to remote working, this is even more important. Cloud-based email archiving offers a way to consolidate and manage the data held in business emails, while ensuring compliance across disparate working environments.

Main Features of ArcTitan

  • Scalable, email archiving that grows with your business
  • Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
  • Lightning fast searches – Search 30 million emails a second
  • Rapid archiving at up to 200 emails a second
  • Automatic backups of the archive
  • Email archiving with no impact on network performance
  • Ensure an exact, tamper-proof copy of all emails is retained
  • Easy data retrieval for eDiscovery
  • Protection for email from cyberattacks
  • Eliminate PSTs and other security risks
  • Facilitates policy-based access rights and role-based access
  • Only pay for active users
  • Slashes the time and cost of eDiscovery and other formal searches
  • Migration tools to ensure the integrity of data during transfer
  • Seamless integration with Outlook
  • Supports single sign-on
  • Save and combine searches
  • Perform multiple searches simultaneously
  • Limits IT department involvement in finding lost email – users can access their own archived email
  • Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.

ArcTitan email archiving reduces storage space, eliminates mailbox quotas, and improves email server performance. Email archives allow users to clear their inboxes without deleting emails and create a tamper-proof repository for emails to meet compliance requirements and discovery requests.

Email Retention Laws in the United States FAQ

Is it difficult to change email archiving providers?

With ArcTitan you can import data in a wide range of formats, including from your legacy email archiving environment. Some email archiving providers use proprietary data formats which can make changing provider difficult. ArcTitan uses no proprietary formats. You can export data in all common formats should you ever wish to move your archive.

How does the GDPR affect email archiving?

The GDPR permits email data to be retained if the data is processed for archiving purposes. E.U. citizens can submit requests to access their data or have their data deleted, which is why an email archive is important for compliance. It allows personal data to be quickly found if requests are received.

How long do I need to archive emails?

This is between 1 to 7 years, although some email data may need to be kept indefinitely. The Payment Card Industry Data Security Standard (PCI DSS) requires email data to be kept for 1 year, whereas HIPAA, SOX, and the Gramm-Leach-Bliley Act require certain types of email data to be retained for 7 years.

Will any email archiving solution ensure compliance?

No. To be compliant, an email archiving solution must archive emails in an unchanged form, store emails in a tamper proof repository, encrypt emails in transit, encrypt email data at rest, and allow emails to be restored in their original form.

Do I need to continue paying for inactive mailboxes?

Some email archiving providers require you to continue paying for mailboxes and storage even if an employee leaves the company. With ArcTitan, you only pay for active users, even if you still need to store archived email data associated with inactive mailboxes.

What is the difference between an email archive and a backup?

An email archive is an archive used for long term email storage and an email backup is used for short to medium-term storage for disaster recovery. Backups aren't easily searchable whereas email archives can be searched, and individual emails can be quickly found and restored.

Can I search inside archived email attachments?

With ArcTitan you can search emails across the entire organization, within departments/user groups, or individual mailboxes. You can also search inside all common email attachment types, including Microsoft Word, Excel and PowerPoint files, OpenOffice documents, as well as PDFs, RTFs, ZIP files, and many more.

How can I migrate my email archive to ArcTitan?

Migration of an existing archive to ArcTitan is a straightforward process and assistance will be provided. You can use a cutover migration – a straight transfer from an existing provider, perform a staged migration if you have a very large archive to minimize disruption, or a hybrid migration if you want to have a physical and virtual server.

How to Improve Your Defenses Against Phishing Without Breaking the Bank

Phishing remains the number one cyber threat to businesses and there are no signs that cybercriminals will be abandoning phishing any time soon. Phishing is defined as the use of deception to fraudulently obtain sensitive information, which often involves impersonating trusted individuals and using social engineering techniques to trick people into disclosing their login credentials.

It is not necessary to be a hacker to conduct phishing campaigns. All that is needed is a modicum of technical expertise and the ability to send emails. The actual phishing kits that are loaded onto websites to harvest credentials do not need to be created from scratch, as they can simply be purchased on hacking forums and dark net websites. A potential phisher only needs to pay for the kit, which typically costs between $20 and $1,000, then host it on a website, and send emails, SMS messages, or instant messages to direct users to the website.

The ease of obtaining a phishing kit makes this method of attacking businesses simple. All that is needed is a plausible lure, and many people will disclose their credentials. Figures released by security awareness training companies show just how frequently employees fall for these scams. Around 30% of phishing emails are opened by recipients, and 12% of those individuals either open attachments or click hyperlinks in emails.

One 2020 study, conducted on 191 employees of an Italian company, showed no significant difference between employees’ demographics and susceptibility to phishing. Anyone can fall for a phishing scam. Interestingly, that study, published by the Association for Computing Machinery, also found that while the employees believed their security awareness training had been effective, it did not appear to have any effect on their susceptibility to phishing attacks.

Phishing is popular with cybercriminals, it is one of the easiest scams to perform, and it is often successful and profitable. Security awareness training will help to prepare employees and, if performed properly, regularly, and with subsequent phishing simulations to reinforce the training, can help to reduce susceptibility, but what is most important is to ensure that phishing emails do not land in inboxes where they can be opened by employees.

To block the phishing emails at source you need an advanced email security solution. Many email security solutions are heavily reliant on blacklists of IP addresses and domains that have previously been used for phishing and other malicious activities. Along with SPF, DKIM, and DMARC to identify email impersonation attacks, it is possible to identify and block around 99% of phishing emails.

However, to block the remaining 1% without also miscategorizing genuine emails as potentially malicious requires more advanced techniques. SpamTitan achieves an independently verified catch rate of 99.97%, which is due to standard anti-phishing measures coupled with greylisting and machine learning techniques.

Greylisting is the process of initially rejecting a message and requesting it be resent. Since phishers’ mail servers are usually too busy on spam runs, the delay in the message being resent is a red flag. Along with other indicators, this helps SpamTitan catch more spam and phishing emails. Machine learning techniques are used to identify the typical emails that a company receives, which allows deviations from the norm to be identified, raising a further red flag.
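The greylisting step described above can be sketched as a small state machine that temporarily rejects an unknown sender and records how long the retry takes. This is an added example of the general technique, not SpamTitan's implementation: the (client network, sender, recipient) key, the five-minute minimum delay, the four-hour retry window, and the sample session are all assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    code: int                   # SMTP reply: 451 = try again later, 250 = accepted
    reason: str
    retry_delay: Optional[int]  # seconds from first attempt to the accepted retry


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay        # retries sooner than this stay deferred
        self.retry_window = retry_window  # retries later than this start over
        self.pass_ttl = pass_ttl          # how long a proven triplet stays trusted
        self.pending = {}                 # triplet -> time of first attempt
        self.passed = {}                  # triplet -> time last seen

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Key on the client's network rather than the single address so that a
        # retry from another server in the sender's outbound pool still matches.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        key = self.triplet(client_ip, mail_from, rcpt_to)
        last = self.passed.get(key)
        if last is not None and now - last <= self.pass_ttl:
            self.passed[key] = now
            return Decision(250, "known triplet", None)
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now  # first sighting, or the old attempt expired
            return Decision(451, "greylisted, try again later", None)
        if now - first < self.min_delay:
            return Decision(451, "retried too soon", None)
        del self.pending[key]
        self.passed[key] = now
        # The measured delay is the signal the text mentions: a scoring engine
        # can weigh it together with its other indicators.
        return Decision(250, "retry accepted", now - first)


# Constructed session: (seconds since start, client IP, MAIL FROM, RCPT TO).
SAMPLE_SESSION = [
    (0, "203.0.113.10", "Alice@Sender.example", "bob@corp.example"),
    (60, "203.0.113.10", "alice@sender.example", "bob@corp.example"),
    (600, "203.0.113.25", "alice@sender.example", "bob@corp.example"),
    (700, "203.0.113.10", "alice@sender.example", "bob@corp.example"),
    (0, "198.51.100.7", "promo@bulk.example", "bob@corp.example"),
    (5 * 3600, "198.51.100.7", "promo@bulk.example", "bob@corp.example"),
]


def replay(session, greylist=None):
    """Run a list of delivery attempts through a Greylist and return the decisions."""
    greylist = greylist or Greylist()
    return [greylist.check(ip, sender, rcpt, now) for now, ip, sender, rcpt in session]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_SESSION, replay(SAMPLE_SESSION)):
        print(attempt[0], attempt[1], decision)
```

The bulk sender in the sample never gets through: its only retry arrives after the window has closed, so it is treated as a fresh first attempt and deferred again.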

In addition to a high detection rate and low false positive rate, SpamTitan is easy to implement and use, and regularly receives top marks in user reviews. SpamTitan has achieved 5 out of 5 on Expert Insights, is the most reviewed and best reviewed email security solution on G2, and is also a top-rated solution on Capterra, GetApp, and Software Advice.

SpamTitan works seamlessly with Office 365 and greatly improves phishing email detection, is priced to make it affordable for small- and medium-sized businesses, and has a much-loved managed service provider offering, allowing MSPs to incorporate highly effective spam and phishing protection into their service stacks.

If you want to improve your defenses against phishing attacks, why not give SpamTitan a try. You can trial the solution for two weeks free of charge, during which time you will be able to try the full product and will have access to full product support, should you need it.

Give the TitanHQ team a call today to find out more!

What is DNS Filtering?

DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 198.35.26.96. The DNS maps IP addresses to domain names to allow computers to find web resources.

How DNS Filtering Works

When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.

So how does DNS Web Filtering Work?

With DNS filtering in place, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites and previous crawls of new websites and web pages, or web content will be assessed in real time if the web page or website has not previously been crawled and categorized. If the website the user is trying to access is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.

This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.

Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
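The decision a filtering resolver makes for each query, as described in the paragraphs above, is shown below as an added example. It is not WebTitan's code: the block page address, the blacklist and category tables, the stand-in upstream answers, and the `toy_classifier` function are all constructed for illustration, and every domain uses the reserved `.example` suffix.

```python
from typing import Callable, NamedTuple, Optional

BLOCK_PAGE_IP = "10.0.0.53"  # assumed local address that serves the block page

# Constructed data standing in for the provider's blacklist and category feed.
BLOCKLIST = {"malware-cdn.example", "login-verify.example"}
CATEGORIES = {
    "casino.example": "gambling",
    "proxy-hub.example": "anonymizer",
    "news.example": "news",
}
# Categories the acceptable usage policy (AUP) forbids (assumed policy).
BLOCKED_CATEGORIES = {"gambling", "anonymizer", "phishing"}

# Constructed stand-in for real recursive resolution (documentation addresses).
UPSTREAM = {
    "www.news.example": "192.0.2.10",
    "casino.example": "192.0.2.20",
    "cdn7.malware-cdn.example": "192.0.2.66",
    "fresh-phish.example": "192.0.2.99",
}


class Verdict(NamedTuple):
    action: str            # "allow", "block" or "nxdomain"
    answer: Optional[str]  # address returned to the client
    reason: str


def normalize(qname):
    """Lower-case the query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def parents(name):
    """The name and each parent domain, most specific first, without the bare TLD."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def toy_classifier(name):
    """Stand-in for real-time content assessment of an uncategorized site."""
    return "phishing" if "phish" in name else None


def resolve(qname, classify: Optional[Callable[[str], Optional[str]]] = None):
    name = normalize(qname)
    names = parents(name)
    # 1. Blacklist: a listed domain also covers all of its subdomains.
    for candidate in names:
        if candidate in BLOCKLIST:
            return Verdict("block", BLOCK_PAGE_IP, f"blocklist:{candidate}")
    # 2. Category from previous crawls, else real-time assessment if available.
    category = next((CATEGORIES[c] for c in names if c in CATEGORIES), None)
    if category is None and classify is not None:
        category = classify(name)
    if category in BLOCKED_CATEGORIES:
        return Verdict("block", BLOCK_PAGE_IP, f"category:{category}")
    # 3. Nothing objected: return the real answer.
    answer = UPSTREAM.get(name)
    if answer is None:
        return Verdict("nxdomain", None, "no such name upstream")
    return Verdict("allow", answer, f"category:{category or 'uncategorized'}")


if __name__ == "__main__":
    for q in ("WWW.News.Example.", "cdn7.malware-cdn.example",
              "casino.example", "fresh-phish.example"):
        print(q, resolve(q), resolve(q, classify=toy_classifier))
```

The last query shows the gap between a page going live and it being categorized: without a real-time classifier, the uncategorized domain resolves normally.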

Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today.

Will a DNS Filter Block All Malicious Websites?

Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.

The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.

Can a DNS Filtering Service be Bypassed?

The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter. Your DNS filtering service should allow you to easily block access to anonymizer websites and prevent the use of proxy servers and virtual private networks (VPNs). Configuring the DNS filtering service to block access to these services will prevent all but the most determined employees from bypassing the DNS filtering service.

The other key way of bypassing a DNS filtering service is to manually change the DNS settings locally, so it is important for these settings to be locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.

There may be a legitimate need to bypass a DNS filtering service. Some DNS content filtering solutions have a feature that allows administrators to temporarily remove content filtering controls. WebTitan Cloud uses cloud keys for this. The cloud key can be issued to a user to bypass content filtering settings for a set time period, such as if research needs to be conducted.

DNS Content Filtering for CIPA Compliance

Schools and libraries in the United States are required to comply with the Children's Internet Protection Act (CIPA) in order to receive E-rate discounts and qualify for federal grants. There are several requirements of CIPA, one of the most important being to block or filter Internet access to prevent access to images that are obscene, involve child pornography or child abuse, or could otherwise be harmful to minors.

DNS content filtering is the easiest and most cost-effective way of complying with this requirement of CIPA and applying content filtering controls for both wired and Wi-Fi networks. DNS content filtering solutions require no hardware purchases, no software needs to be installed, and they are easy to implement and maintain. DNS content filtering solutions have highly granular filtering controls and allow precision control over content, without overblocking.

DNS Web Filtering Software from TitanHQ

Now you have a better idea about how DNS filtering works, we will introduce you to WebTitan Cloud. WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the internet and block access to malicious content and enforce your acceptable internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the internet in minutes.

WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff. The WebTitan DNS web filtering solution - WebTitan Cloud - is a feature-rich, cloud-based solution with a low maintenance overhead and a three-tiered filtering mechanism for maximum granularity. Universally compatible and infinitely scalable, WebTitan Cloud has SSL inspection to provide the highest level of defense against online threats.

WebTitan Cloud can be integrated with multiple management applications (Active Directory, LDAP, etc.) for easier administration. WebTitan can also be remotely configured and adjusted from any Internet-enabled device. An unlimited number of users can be filtered at any time.


Try DNS Filtering Software with SSL Inspection for Free

If you would like to evaluate the benefits of the WebTitan DNS filtering solution in your own environment, please get in touch. Our team of experienced security professionals will answer any questions you have about DNS Internet filtering and guide you step by step through the process of registering for your free trial.

Once you are registered, we will walk you through the process of redirecting your DNS to receive our service. There are no credit cards required, no contracts to sign and no commitment from you to continue with our DNS filtering software once the trial period is over. Simply call us today, and you could be adding an extra level of security to your organization's web browsing activity within minutes.

WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites, and 6 billion web pages in 200 languages, including coverage of Alexa 1 million most visited websites. Industry leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.

These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.

Why WebTitan is a Vital DNS Web Security Layer for Your Business

  • DNS Security Layer - Filter URLs, detect malicious threats, create flexible policies, and more with an API driven DNS security filter
  • Full Path Detection - Provide analytical credibility to any activity marked as malicious with page and path-level reporting.
  • User Identification - Assign custom policies to a user or group of users with uniquely identifiable user names.
  • Scalable Support - Handle any volume of usage with no latency and receive support from our top-class team.
  • Reporting - full suite of reports including behavior, trend and security reports.
  • API Driven - robust API set that allows our MSP customers to easily incorporate WebTitan DNS filtering directly into their existing cloud offering.
  • URL Filtering - block access to websites known to contain malware.
  • Remote & Roaming Users - allows off-network roaming by users while continuing to apply their policy.
  • Content Filtering - highly granular content controls with multiple integration options and comprehensive malware protection.
  • AI Threat Intelligence - real time AI driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.

What WebTitan Customers Have to Say

"WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well." Kristie H. Account Manager

"WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. [It] has provided us with a stable web filtering platform that has worked well for us for many years." Derek A. Network Manager

If you have yet to implement a web filtering solution, are unhappy with your current DNS filtering service, or you have questions about DNS content filtering, contact the TitanHQ team today and ask about WebTitan Cloud.

Why not try our web filtering solution for free?

 

How Does DNS Filtering Work FAQ

What 3 things are most important about employee internet access?

Employees need internet access to complete their work duties, but three things are essential: develop an acceptable Internet usage policy and get employees to sign it, enforce that policy with a web filtering solution, and have a sanctions policy for when employees violate the rules.

What is best, a web filtering appliance or a cloud-based web filter?

Both options will provide clean, safe Internet access, but cloud-based web filtering does not require the purchase of a costly appliance, it is more flexible and scalable, and there is no patching burden. For SMBs and MSPs, cloud-based web filtering is the easiest and most cost-effective Internet filtering solution.

Does web filtering slow Internet speed?

Some web filtering solutions involve a degree of latency, but a DNS filtering solution will not slow internet speed as all filtering takes place at the DNS lookup stage of a web request before any content is downloaded. Filtering occurs in the same time as it takes to perform a standard DNS lookup so there is no latency.

How can I provide DNS filtering as a managed service as an MSP?

Adding the WebTitan DNS filtering service to your service stack couldn’t be easier. WebTitan can be set up in minutes, APIs allow easy integration into your existing back office systems, you will be provided with a white label version ready to take your branding, and you can even host the solution in your own environment.

How much does DNS content filtering cost?

There is considerable variation in price between different web filtering solutions. The most expensive solution will not necessarily be the best option for your business. Price depends on contract term, the number of users, and add-ons. TitanHQ’s DNS content filtering solution, WebTitan, typically costs around $1 per user, per month.

DanaBot Trojan Phishing Campaign Resumes with Phishing and Internet Distribution

A phishing campaign is underway which is distributing a new variant of the DanaBot Trojan. The DanaBot Trojan was first identified in May 2018 and has been actively distributed via phishing emails for more than two years. In the summer of 2020, activity slowed but the campaigns resumed in October.

DanaBot is a modular banking Trojan used in targeted geographical attacks on businesses. The first variant that emerged in 2018 was used in targeted attacks in Australia, while the second variant was primarily used in attacks on U.S. companies. Attacks have also been conducted in Europe, primarily in Ukraine, Austria, Poland, Italy, and Germany.

The latest variant is the fourth to be identified and has been released around a year after the third variant was identified in February 2019. The latest variant has had several technical anti-analysis changes made to the main component of the malware and its method of maintaining persistence has changed. The latest variant now achieves persistence through a LNK file loaded into the user’s startup folder, which launches the malware when the device is booted.

Affiliates are used to conduct campaigns distributing the DanaBot Trojan under the malware-as-a-service model. Several new affiliate IDs have been added which suggests the malware-as-a-service operation is growing. It is therefore probable that DanaBot will grow into a much bigger threat in 2021.

Previously, DanaBot has been primarily distributed via spam emails that deliver a malware dropper, which downloads the banking Trojan via a multi-stage process. It now appears that the malware is being distributed via websites that offer cracks and software keys for pirated software such as graphics software, VPNs, antivirus software, and games.

Protecting Against Banking Trojans by Blocking Malware Delivery

Protecting against DanaBot and other Trojans requires a range of security measures. Two of the most important are an advanced spam filter and a web filtering solution. The spam filter will detect malicious emails that attempt to deliver the malware dropper, while the web filter will block access to the websites that are used to download the malware.

TitanHQ has developed a spam filtering solution – SpamTitan – that provides protection against known and unknown malware variants and a web filter – WebTitan – that prevents users from accessing malicious websites and categories of website commonly used to distribute malware.

With both of these cost-effective cloud-based cybersecurity solutions implemented, businesses can block the two most common vectors used to distribute malware and keep their networks and devices well protected.

For further information on both solutions, details of pricing, and to register for a free trial of the full solutions, give the TitanHQ team a call.

How is the Cyber Threat Landscape Likely to Change in 2021?

COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures.

Phishing campaigns were conducted offering advice about the virus and potential cures, as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set up that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates.

The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs and throughout 2020, ransomware gangs have been extremely active, especially in Q3 and Q4, 2020 when attacks soared.

As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.

The Cyber Threat Landscape in 2021

The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely.

Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity. The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread malware and ransomware.

These COVID-19 vaccine scams have impersonated the World Health Organization, Centers for Disease Control and Prevention, and vaccine manufacturers, and are likely to increase over the coming weeks and months. Campaigns have been identified in 2021 that impersonate public health authorities and trick users into clicking links and downloading files that install Trojans when opened.

We are also likely to see the scams offering financial support, virus information, and infection alerts continue, and offers of fake vaccines can be expected over the coming weeks and months.

One vaccine-related scam to be recently identified involved messages sent to businesses asking recipients to click a link to confirm their email in order to receive the vaccine. Clicking the link directed them to a phishing website where Microsoft 365 credentials were harvested.

Since many employees will continue to work from home in 2021 until the risk of infection is reduced, attacks on remote working infrastructure are also likely to continue.

There is good reason to be hopeful in 2021 now that the vaccines are starting to be rolled out, but it is important for businesses not to let their guard down and to ensure that they have adequate protections in place to identify and block current and new threats.

Many scams are conducted via email, as it is the easiest way for cybercriminals to obtain the credentials they need to gain a foothold in business networks. It is therefore important to ensure that email security is up to scratch and an advanced spam filtering solution is in place that can block phishing and malware threats. If it is possible to implement multi-factor authentication, this should be widely used, especially on email accounts and remote access solutions.

Web filtering solutions are an important cybersecurity measure to deploy to block the web-based component of phishing attacks and to prevent malware and ransomware downloads over the internet. Web filters can be used to block access to known malicious websites and restrict access to risky websites, and cloud-based solutions are easy to deploy to protect both office-based and remote workers.

With many employees still working remotely, it is important to provide regular updates on threats and security awareness training on the threats they are likely to face. Patches and software updates should be applied promptly to prevent cybercriminals exploiting vulnerabilities, especially in remote access solutions such as VPNs which are being actively targeted.

Since ransomware attacks are an ever-present risk, ensure your critical data is regularly backed up and test your backups to make sure data recovery is possible in the event of disaster. A good strategy to adopt is the 3-2-1 approach. Make three backups, store on 2 separate media, and make sure one copy is stored on a non-networked device.

The 2021 threat outlook may be bleak, but with preparation and the above solutions in place, it is possible to prevent most attacks, detect attacks in progress, and recover quickly should an attack succeed.

K-12 Education Sector Warned of Major Increase in Ransomware, Malware, and Phishing Attacks

The K-12 education sector has long been a target for cybercriminals, but this year has seen the sector targeted more aggressively by threat actors. 2020 has seen a major increase in attacks involving ransomware and malware, phishing incidents have risen, as have network compromises and distributed denial-of-service (DDoS) attacks.

This December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning to the education sector after the massive increase in cyberattacks was identified.

Data from the Multi-State Information Sharing and Analysis Center (MS-ISAC) shows a substantial increase in ransomware attacks on K-12 schools. In August and September 2020, 57% of all reported ransomware attacks occurred at K-12 schools, compared to just 28% from the year to July.

Ransomware attacks render essential systems and data inaccessible, which can cause serious disruption to learning, especially at a time when many schools have transitioned to distance learning. K-12 schools often have little choice other than paying the ransom, and many do. Figures from the Department of Education show that between 2016 and 2017, 60% of schools attacked with ransomware paid the ransom to recover their data. A recent Department of Education alert to K-12 schools called for a collective effort to ensure that all data is regularly backed up and advised schools not to pay the ransom demands if attacked. The DoE wants to send a message to ransomware gangs that attacks on the education sector are not financially viable.

The tactics used in ransomware attacks on K-12 schools are similar to those used to attack business and industry targets. Access to networks is gained, the attackers move laterally to identify data of interest, and exfiltrate that data prior to encrypting files. The attackers threaten to publish or sell sensitive student and employee data if the ransom is not paid.

Several ransomware gangs have stepped up attacks on K-12 schools, including REvil, Nefilim, Ryuk, and AKO. The Maze ransomware operation, which has now been shut down, has also conducted several attacks on K-12 schools in 2020.

The CISA/FBI alert also warned of an increase in Trojan malware and phishing attacks on K12 schools since the start of the school year. The ZeuS banking Trojan has been commonly used in K-12 school cyberattacks and the Shlayer malware downloader has also proven popular. Those two Trojans account for 69% of malware attacks on K-12 schools in 2020.

The increase in attacks in 2020 has been attributed to the ease with which K-12 schools can be attacked. Many K-12 schools have transitioned to distance learning and have had to do so in a hurry to ensure student learning was not disrupted by the pandemic; however, that has meant cybersecurity gaps have been created which leave schools vulnerable to attack.

In addition to conducting phishing attacks on staff and students, vulnerabilities in software and remote learning solutions are also commonly exploited. Since the sector has a limited budget for cybersecurity, these vulnerabilities often persist for some time before being addressed, giving cybercriminals an easy entry point into K-12 school networks. It is also common for software to continue to be used after it has reached end of life.

The K-12 Cybersecurity Act of 2019 has been introduced which requires CISA to work with federal departments and the private sector to identify sector-specific cybersecurity risks and make recommendations to K-12 schools on how they can improve their security posture. The Act also calls for CISA to make tools and resources available to help the sector improve cybersecurity; however, the legislation is yet to be passed by Congress.

These cyberattacks on K-12 schools are likely to continue at elevated levels well into 2021. While budgets may be already stretched, it is important for defenses to be improved. The cost of improvements to cybersecurity defenses is likely to be far lower than the cost of dealing with a ransomware attack and costly data breach.

How to Protect Accounts from Credential Stuffing Attacks

The importance of choosing strong and unique passwords for every account you create has been highlighted by a recent data breach at the music streaming service Spotify. Security researchers identified a database that had been exposed on the Internet which contained the usernames and password combinations of around 300 million individuals. It is unclear where the database came from, although it is likely that it had been amalgamated from data leaks from several major data breaches of online platforms.

Interestingly, within the 300 million-record database was a field stating whether the username/password could be successfully used to login to a Spotify account. According to the researchers, an estimated 300,000 to 350,000 Spotify accounts had been breached.

This breach clearly demonstrates how a data breach at one company can provide the usernames and passwords to gain access to accounts at another. When a username/password is obtained in a cyberattack, it can be used to try to access other accounts that share the same username. A username is often an email address. People may have more than one email address, but there is usually one that is used across most platforms. There is nothing wrong with that of course, but there is a problem with using the same password with that email address on multiple online platforms.

If there is a breach at one platform, the password can be used to access many other accounts. In this example, up to 350,000 Spotify users had reused their password on more than one platform. The Spotify breach victims may well have had several other accounts breached if they used their password on other platforms too.

The credentials to the breached Spotify accounts could easily be sold to anyone who wanted a cheap Premium Spotify account. There have been many reports of passwords being changed to block the real account holder out of their account. The accounts also contain personal information that could be used in further attacks, such as to make convincing phishing emails to obtain the information necessary for identity theft and other types of fraud.

Trying 300 million username and password combinations is a time-consuming process, but that process is automated. An army of bots will work its way through a huge list of username/password combos to see which passwords work. Hackers can also include a list of commonly used passwords against a particular username which will increase the hit rate further. Many people choose easy to remember passwords for their accounts, which are also easy to guess.

The process of trying multiple passwords against a username is called credential stuffing, and it is an effective way of breaching accounts. Recently there have been a swathe of credential stuffing attacks on companies in the retail, travel, and hospitality sectors. One report indicates that out of the 100 billion credential stuffing attacks between July 1, 2018 and June 30, 2020, 64% were on companies in those sectors.

Successful data breaches can result in the theft of hundreds of millions of usernames and password combos. Those credentials could be used on a wide range of different accounts, and since many people reuse passwords from personal accounts for their work accounts – such as Office 365 – one set of Spotify credentials could easily lead to a business Office 365 breach. An Office 365 account is all that is needed to launch further attacks on the company and achieve a more widespread and harmful data breach.

The solution to protecting against credential stuffing attacks is simple. Use a unique, strong password on every different account and use a password manager so you do not have to remember all of those passwords. Just set a very strong password for your password manager, and that means you just have one password to remember.

Businesses also need to take steps to block these attacks and prevent compromised credentials being used to access employee accounts. Multi-factor authentication is a must to block attempts to use stolen credentials to access accounts. Breaching Spotify accounts was easier than on other platforms as Spotify does not yet support multi-factor authentication.
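The automated pattern described above, one source working through a long list of username/password combos, is visible in authentication logs as many different usernames failing from the same address in a short time. The following is an added example of that detection, not code from the page or from any vendor; the event format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events:
# (timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "203.0.113.9", "alice@example.com", False),
    ("2024-05-01T09:00:03", "203.0.113.9", "bob@example.com", False),
    ("2024-05-01T09:00:06", "203.0.113.9", "carol@example.com", True),
    ("2024-05-01T09:00:09", "203.0.113.9", "dave@example.com", False),
    ("2024-05-01T09:00:12", "203.0.113.9", "erin@example.com", False),
    ("2024-05-01T09:00:15", "203.0.113.9", "frank@example.com", False),
    # A real user mistyping their own password, then getting it right.
    ("2024-05-01T09:01:00", "198.51.100.20", "grace@example.com", False),
    ("2024-05-01T09:01:20", "198.51.100.20", "grace@example.com", False),
    ("2024-05-01T09:01:45", "198.51.100.20", "grace@example.com", True),
    # Two users behind one office NAT address each failing once.
    ("2024-05-01T09:02:00", "198.51.100.77", "heidi@example.com", False),
    ("2024-05-01T09:02:30", "198.51.100.77", "ivan@example.com", False),
]

# Assumed thresholds; tune them against your own baseline.
WINDOW = timedelta(minutes=5)
MIN_FAILED_USERS = 4


def detect_stuffing(events, window=WINDOW, min_failed_users=MIN_FAILED_USERS):
    """Flag source IPs that fail logins for many distinct usernames inside
    one sliding window, and list accounts those IPs did get into."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, peak = 0, 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failed_users = {u for _, u, ok in rows[start:end + 1] if not ok}
            peak = max(peak, len(failed_users))
        if peak >= min_failed_users:
            # Successful logins from a flagged source are the accounts
            # whose reused password worked: reset them first.
            hits = sorted({u for _, u, ok in rows if ok})
            flagged[ip] = {"distinct_failed_users": peak,
                           "successful_logins": hits}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

Counting distinct usernames rather than raw failures is what separates this pattern from a single user mistyping a password; the accounts listed under `successful_logins` are the ones to reset and review.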

An email security solution such as SpamTitan Cloud is also important for protecting against the email vector in the attacks on businesses. SpamTitan Cloud blocks malicious messages such as phishing attempts and, through outbound email scanning, will help you prevent any compromised mailboxes from being used in more extensive attacks on your organization.

Exorcist 2.0 Ransomware Distributed via Malvertising and Fake Software Cracking Websites

The operators of Exorcist 2.0 ransomware have adopted a new tactic for distributing their ransomware. They have set up fake websites that claim to be crack sites for popular software programs. The websites offer cracking tools that can be used to generate valid license codes that allow popular software to be used free of charge.

One of the websites offers a Windows 10 activator, which can be used to generate a license code that activates Windows 10 free of charge. When a user arrives on the website, they are presented with download links for the software cracking tool. Clicking on the link will generate the download of a password-protected zip file, along with a text file that provides the user with the password to open the zip file.

This method of file delivery helps to prevent the malicious contents of the zip file from being detected by antivirus solutions. Since the zip file can only be opened if the password is entered, antivirus software is unable to scan the contents. This method also bypasses the protection of Microsoft SmartScreen and Google Safe Browsing.

Once the file contents are extracted, the user must run the setup program, which is actually the Exorcist 2.0 binary. Double clicking and executing the file will start the file encryption process and a ransom demand will be presented. Contact must be made with the attackers to find out how much must be paid for the keys to decrypt files, with the attackers in control of the ransom amount. Ransom demands can be for several thousand dollars and there is no way of decrypting files without paying the ransom.

While phishing emails are commonly used to direct individuals to websites where malware and ransomware is downloaded, this campaign involves malvertising – malicious advertisements on third-party ad networks that direct web visitors to malicious websites.

These adverts are displayed in ad blocks on legitimate websites, often high traffic websites. There have recently been several major malvertising campaigns that have seen malicious adverts displayed on some of the most popular adult websites, although any website that uses third-party ad blocks could potentially have malicious adverts displayed to visitors. In this case, the threat actors have used the PopCash ad network.

The Exorcist 2.0 ransomware operators are far from the only ransomware operators to use this method of infecting victims. This tactic has also been used by the operators of STOP ransomware, who similarly used the lure of fake software cracking tools to install their malware.

One of the ways that businesses can protect against this method of malware and ransomware delivery is to use a web filtering solution. A web filter can be used to carefully control the types of web content that can be accessed by employees. In addition to blocking access to web content that does not need to be accessed for work purposes, restrictions can be placed on the types of files that can be downloaded and attempts to visit websites known to be used for malicious purposes will be automatically blocked.
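Because the password-protected zip described above cannot be scanned, a download or mail gateway can treat the encryption itself as the signal. The following is an added example of that check, not code from WebTitan or from the page. The zip format marks an encrypted member with bit 0 of its general-purpose flags, and member names stay readable even when the contents are not. The sample archives, the risky-extension list and the verdict names are constructed assumptions.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the zip general-purpose flags
# Assumed list of member types that should never arrive in a locked archive.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".msi", ".bat")


def make_sample(encrypted):
    """Build a constructed test archive in memory. The standard library
    cannot write encrypted zips, so the 'encrypted' variant only has the
    flag bit set by hand; its contents are harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.exe", b"constructed placeholder bytes")
        zf.writestr("readme.txt", b"constructed placeholder text")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 6 bytes into a local header, 8 into a central one.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + offset] |= ENCRYPTED_FLAG
                pos = data.find(signature, pos + 4)
    return bytes(data)


def triage_archive(data):
    """Return (verdict, locked_members) for a downloaded file.

    scan        - readable zip, hand it to the antivirus engine
    quarantine  - encrypted members, contents cannot be inspected
    block       - encrypted members that include an executable type
    not-a-zip   - some other file type, out of scope for this check
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-a-zip", []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        locked = [info.filename for info in zf.infolist()
                  if info.flag_bits & ENCRYPTED_FLAG]
    if not locked:
        return "scan", []
    if any(name.lower().endswith(RISKY_EXT) for name in locked):
        return "block", locked
    return "quarantine", locked


if __name__ == "__main__":
    print(triage_archive(make_sample(encrypted=False)))
    print(triage_archive(make_sample(encrypted=True)))
```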

Businesses that implement WebTitan Cloud have precision control over the content their employees can access, whether they are working from the office, accessing the Internet from a coffee shop, or working from home. WebTitan is available on a free trial and can be implemented in minutes to protect your employees and their devices from malware, ransomware, and phishing attacks.

For further information on the benefits of web filtering and how WebTitan can greatly improve your security posture, call the WebTitan team today.

What is Cloud Web Filtering Software?

Cloud web filtering software is now an important cybersecurity measure used by businesses of all sizes, but what exactly is it and why is it important? In this post we will explain exactly what cloud web filtering is, what it is used for, and why most businesses need to use it.

What is Cloud Web Filtering?

Cloud web filtering is a software-as-a-service (SaaS) solution that acts as a semi-permeable barrier between an individual and the Internet. For much of the time, users will not know this solution is in place, as there is no noticeable delay when browsing the Internet. Websites can be accessed as if the solution was not in place.

Cloud web filtering software is only noticed by a user when they attempt to visit a website that violates their organization’s acceptable internet use policy. When a request is made to access a website that falls into a category that an employer does not permit – pornography for example – rather than connect to the website, the user will be directed to a local block page and will discover that particular website cannot be accessed due to a content policy violation.

Cloud web filtering software acts as a form of internet content control which is used to reduce productivity losses due to personal Internet use, prevent HR issues, and reduce legal liability, but a cloud web filter is not just used for restricting access to NSFW websites. It also has an important security function.

Why is Cloud Web Filtering Important?

The Internet can be a dangerous place. There are many threats lurking online that could compromise a business’s systems and lead to a costly data breach or catastrophic data loss. Malware and ransomware are often downloaded from websites, even from legitimate sites that hackers have been able to compromise. A visit to one of those malicious sites by an employee could easily result in a malware infection, and once installed on one device it could easily spread across the network.

Phishing is also a major risk for businesses. Phishing forms are loaded onto websites to harvest sensitive data such as login credentials to Office 365. Links to these sites are often sent to business email accounts.

A web filter acts as an additional layer of protection against these attacks, but in contrast to antivirus software that identifies malware that has been downloaded, cloud web filter software blocks the malware at source, preventing it from being downloaded in the first place. It also works in conjunction with anti-spam software to prevent visits to phishing websites when phishing emails sneak past the spam filter.

With cloud web filter software, all filtering takes place in the cloud (on the service provider’s server), which is important for a distributed workforce. Regardless of where an employee accesses the internet – office, home, airport, coffee shop – the cloud web filter will be active and providing protection.

How Much Does Cloud Web Filtering Software Cost?

Cloud web filtering software is a low-cost solution that can pay for itself by preventing costly malware infections and phishing attacks and stopping productivity losses by blocking access to certain types of web content.

The cost of a cloud web filter can vary considerably from provider to provider with the price starting at around $1 per user, per month.

WebTitan: Web Filtering for SMBs, ISPs, and MSPs

TitanHQ developed WebTitan Cloud web filtering software to help SMBs and MSPs serving the SMB market control what users can access online and to protect business networks from web-based cyberattacks. The solution is quick and easy to implement, as being cloud-based, there are no software downloads. Simply point your DNS to WebTitan Cloud and you can be filtering the Internet in minutes.

Administrators can use an easy-to-use interface to configure the solution, which can be accessed through any web browser. Log in, navigate to the content control section, and you can use the checkboxes to block access to any of 53 pre-defined categories of website (and create your own categories if you so wish).

Integration with LDAP and Active Directory makes it easy to set controls for individual users, user groups, departments, or different offices. You can set time-based controls to limit bandwidth usage or ease up on restrictions at certain times of the day. Cloud keys can be generated to bypass standard controls temporarily, should you ever need access to otherwise prohibited sites.

Whitelists and blacklists are supported, you can block downloads of certain file types, and access to websites known to be used for malicious purposes will be automatically blocked. A full suite of reports gives administrators full visibility into web access, including real-time views and automatic alerts.

AI-powered protection is provided against active and emerging Phishing URLs and zero-minute threats, allowing you to sanitize Internet access and provide your employees, customers, and guest users with clean, filtered internet access.

If you have yet to start using cloud web filtering software or you are unhappy with your current provider, give the TitanHQ team a call. You can also take advantage of a 14-day free trial to try out the solution for yourself before deciding on a purchase. Product demonstrations can also be arranged on request.

Why Remote Workers are More Susceptible to Phishing Attacks

Many companies now allow employees to work from home for at least some of the week. The number of companies allowing remote working increased by 300% from 1996 to 2016, according to a Gallup poll. In 2016, Gallup found that 43% of employees said they spent at least some time working away from their co-workers.

Then came the COVID-19 pandemic, which forced companies to allow virtually their entire workforce to work from home as countrywide lockdowns were introduced. Lockdowns have now been eased and employees are returning to their offices, but many have got used to home working and want to have the option to continue. Since many employers noticed no drop in productivity – some even saw productivity increases – it is likely that some employers will continue to allow employees to work from home if preferred. A study by Cartridge People in the UK found 32% of UK office workers were planning to continue to work from home after the lockdown was eased.

Remote Working Increases Security Risks

While productivity may not decrease and employees may be happy with some employees working from home, home working is not without its risks. There are security concerns with remote working. It is harder for IT teams to secure devices and networks when the workforce is spread geographically and is not under the protection of the corporate firewall. With many workers connecting to their corporate networks remotely, it becomes harder to identify malicious connections. It is also much easier for threat actors to attack remote workers who connect to the Internet via consumer-grade routers, which are often never updated and have many security holes.

With office workers, it is easy to check whether a request to change bank account information, or any other out-of-band request, is genuine. All it takes is a quick visit to the employee’s desk. While phone calls can be made, performing these checks is more time consuming and complicated with remote workers. The pandemic also forced many companies to allow their employees to work remotely using their personally-owned devices, which may lack the security measures implemented on corporate-owned devices.

There are also many distractions in the home that are not present in the office, which can increase the risk of mistakes being made such as responding to a phishing email. Many employees have reported working longer hours during the COVID-19 lockdown and have felt pressured to do so, or at least check their emails outside of standard office hours in an effort to show that they are present and productive.

These long hours and the reduction in true off-time, along with the distractions in the home, can make mistakes more likely. Mistakes are more likely to occur when workers are stressed, tired, or distracted. One recent study conducted by a Stanford University researcher found 47% of employees who fell for a phishing scam were distracted, and 57% of remote workers said they are more distracted working from home.

The boundaries between home and work life become blurred with home working, and there is a tendency for work computers to also be used for personal purposes, especially personal internet access, which further increases risk.

Managing Home Working Security Risks

Remote working is here to stay, but employers have a responsibility to their remote workers and must take steps to ensure that those workers remain productive and do not feel overworked, and to reduce the risk of burnout, cases of which have increased during the pandemic.

Steps must also be taken to ensure that cybersecurity doesn’t suffer. Additional measures should be implemented to reduce the risks associated with home working, and with phishing the leading cause of data breaches, taking steps to improve protection against phishing attacks is a good place to start.

It is essential for cybersecurity training to be provided to the entire workforce, but especially remote workers. If workers are not taught how to identify phishing emails, they cannot be expected to spot a phishing email when one lands in their inbox. Training needs to be provided frequently and should include training on the new techniques being used by phishers. Phishing email simulations should also be conducted to identify employees that are susceptible and to single them out for further training.

Anti-phishing solutions need to be implemented to block phishing emails at source. No single solution will provide total protection, so it is best to implement multiple overlapping layers of protection to block phishing and other email-based cyberattacks. If you are using Office 365, you will have Microsoft’s Exchange Online Protection (EOP) in place, which is provided free with the license. You should also layer a third-party solution on top of EOP, as many phishing threats bypass EOP. TitanHQ has developed SpamTitan to work seamlessly with Office 365, complement Office 365 antispam and anti-phishing protections, and greatly increase protection against phishing and social engineering attacks.

Phishing attacks usually have an email and web-based component. Users click links in emails and are directed to malicious websites where credentials are harvested. A web filter will help to protect against the web-based component of the attack by preventing employees from visiting known phishing websites and by blocking malware downloads from the Internet. WebTitan, for example, can be used to protect both office and remote workers with no latency.

These protections will help you to block phishing attacks, but should one succeed and credentials be obtained, multi-factor authentication will help to prevent the credentials from being used to access accounts. Not all MFA solutions are created equal, so it is important to evaluate each solution to ensure it does not affect usability.

It is also important for Virtual Private Networking (VPN) solutions to be used for remote access, but these are not without their weaknesses. VPN software must be kept up to date as vulnerabilities are targeted by threat actors. MFA for VPN logins must also be used. It is also important to log all events and to monitor those logs for signs of compromise and investigate any anomalous behavior.

With these measures in place, employers and employees can enjoy the benefits that come from remote working while effectively managing and reducing security risks.

5 Tips for Businesses to Improve Defenses Against Phishing Attacks

Phishing is one of the biggest cyber threats faced by businesses and stopping phishing attacks from succeeding can be a big challenge. The purpose of phishing is usually to obtain sensitive information, most commonly employee credentials to email accounts, cloud services, social media accounts, or credit card or banking credentials. This is also achieved through the use of malware that is delivered using phishing emails.

Phishing attacks can take place over the telephone, via text message, social media networks, instant messaging, or any other form of communication, but most commonly the attack vector is email. For a phishing attack to be successful, user interaction is usually required. An employee must be convinced to part with the information that the phisher is targeting, and a wide range of lures are used to encourage that. Social engineering techniques are also used to encourage prompt action to be taken – to respond without really thinking too much about the legitimacy of the request.

At its most basic level, a phishing attack requires little skill and next to no financial outlay; however, many phishing campaigns now being conducted have been carefully crafted, research is conducted on the companies and individuals being targeted, and the websites used to harvest credentials are skillfully created and often carbon copies of the genuine websites that they spoof. Phishing emails often appear to have been sent from a trusted brand or contact, either by spoofing a genuine email address or using a compromised email account.

Some phishing attempts are laughable and are easily identified, others are much harder to identify, with some of the most sophisticated phishing emails virtually indistinguishable from genuine email requests.

As a business, you should take steps to improve your defenses against phishing attacks, as failure to do so could easily result in a malware or ransomware infection, costly data breach, theft of intellectual property, and damage to the reputation of your company.

Tips for Businesses to Improve Their Defenses Against Phishing Attacks

To help you improve your defenses and prevent phishing attacks from succeeding we have listed some of the steps you can take below. No one solution will be totally effective. The key to preventing phishing attacks is to implement overlapping layers of protection. For a phishing attack to succeed, it should be necessary for an attacker to bypass several layers of security.

  1. Use an advanced spam filtering solution

The number one protection against phishing is a spam filter. A spam filter will prevent the majority of phishing and other malicious emails from reaching inboxes where they can be opened by employees. Advanced spam filters such as SpamTitan use many different methods to detect phishing emails. The message body and email headers will be analyzed for the signatures of phishing, blacklists are used to block emails from known malicious IP addresses and domains, and machine learning techniques are used to predict the likelihood of a message being malicious. SPF and DMARC are used to block email impersonation attacks, along with greylisting to identify new IP addresses that are being used for phishing.

  2. Provide regular anti-phishing training to employees

Even with an advanced spam filter, some phishing emails will sneak through so it is essential for employees to be trained how to identify phishing emails. They should be taught cybersecurity best practices, the dangers of macros and email attachments, and conditioned not to click on embedded hyperlinks in emails. You need to train your employees and provide regular refresher training sessions. You should also conduct phishing email simulations, otherwise you will not know if your training has been effective.

  3. Implement 2-factor authentication

2-factor authentication requires the use of a second factor in addition to a password to gain access to accounts. In the event of a password being compromised in a phishing attack, without that second factor, it is difficult for the attacker to access the account. Many businesses fail to implement 2-factor authentication, even though it is highly effective at preventing unauthorized account access using stolen credentials.

  4. Implement a web filtering solution

Spam filters are important, but many businesses fail to implement measures to block the web-based component of phishing attacks. A web filter will block attempts by employees to visit known phishing sites when they click links in emails, but also block redirects to phishing websites from general web browsing. Not all phishing attacks involve email. With a web filter in place, any attempt to visit a known malicious website will see that attempt blocked.

  5. Make sure you patch promptly and update your software

Phishing emails are not always concerned with getting employees to disclose their credentials. Oftentimes the aim is simply to get them to click a link in an email and visit a malicious website. Compromised websites are loaded with malicious code that probes for vulnerabilities and exploits those vulnerabilities to silently download malware. After the link is clicked, no further user interaction is required. By patching promptly, these exploits will not work.

TitanHQ has developed two anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market. SpamTitan is a powerful anti-spam solution with advanced features for blocking phishing attacks and is an ideal solution for layering on top of Office 365 to improve your phishing defenses. WebTitan is a cloud-based web filtering solution that prevents employees and guest users from visiting malicious websites. For further information on these solutions, to register for a free trial, or to book a product demonstration, give the TitanHQ team a call today.

The Emotet Botnet is Back in Action Using New Tactics to Increase Emotet Malware Infections

The Emotet botnet sprang back to life and started sending large volumes of malicious spam emails earlier this month. The botnet consists of hundreds of thousands of computers that have been infected with Emotet malware and is capable of sending huge spam campaigns.

Emotet malware steals usernames and passwords for outgoing email servers, which are used to send emails from a company’s legitimate email server. This tactic helps to ensure the emails are delivered because the mail servers used to send the messages are trusted. The volume of emails sent from those mail servers is also limited to stay under the radar and avoid detection by security teams.

The emails contain a malicious attachment or a hyperlink that directs the recipient to a website where Emotet malware is downloaded. These malicious sites often change, and most commonly are compromised WordPress sites. The attachments are commonly Word documents with malicious macros, which launch PowerShell commands that download the Emotet payload.

Once installed, Emotet starts sending emails to infect more devices but is also used to deliver other malware payloads, typically a banking Trojan such as TrickBot or QakBot. Both Trojans have been distributed by Emotet malware in the latest campaign.

Emotet is one of the main malware threats, and was the leading malware threat in 2018 and 2019. It is also one of the most dangerous. Infection with Emotet will eventually also see a banking Trojan downloaded, and that Trojan is often used to deliver ransomware.

The Emotet gang targets businesses and uses a wide range of lures in its campaigns. Fake invoices, shipping notices, job applications, and purchase orders are often used. A commonly used tactic that has proven to be extremely effective is the hijacking of email threads. Emotet uses legitimate email threads and inserts links and attachments. The hijacking of email threads adds credibility to the emails, as it appears that the email is a response to a previous conversation with a known and trusted contact. The response appears to be a follow up on a past conversation.

The latest campaign has seen the Emotet gang adopt a new tactic, one that has not been used before. Emotet has been updated to allow email attachments to be added to the emails, in addition to hijacking email threads. Researchers at Cofense intercepted emails sent by Emotet malware, one of which included a hijacked email thread along with 5 legitimate email attachments, a combination of rich text files (.rtf) and PDFs. The email asked the recipient to “see/review attached”, and a link was included in the body of the email. The attached files were benign, but the link was malicious.

Emotet infections demonstrate quite clearly why it is important to not only filter inbound emails, but to also adopt an email security solution that scans outbound email messages, including outbound emails that are sent internally. Emotet is often spread internally in an organization, so one infected machine often leads to several on the network being infected. These attacks can be incredibly costly to resolve. An Emotet attack on the City of Allentown, PA cost in excess of $1 million to fix.

Spam filtering solutions need advanced threat detection capabilities such as sandboxing to identify malicious attachments, and since emails often change, machine learning capabilities are necessary to identify zero-day attacks – new tactics, techniques, and procedures that have previously not been used.

SpamTitan incorporates all of these advanced threat detection measures and will help to protect you from Emotet and other malware and phishing threats delivered via email. For more information on the capabilities of SpamTitan, to register for a free trial to test the solution, or to book a product demonstration, give the TitanHQ team a call today.

WastedLocker Ransomware Delivered Using Fake Software Updates

The notorious cybercriminal organization Evil Corp, which was responsible for the Dridex and Zeus banking Trojans and BitPaymer ransomware, has started using a brand new ransomware called WastedLocker, so named due to the .wasted extension which is used on encrypted files.

Evil Corp has been relatively quiet in recent months following the indictment of two high-profile members of the group by the U.S. Department of Justice in December 2019 for their role in the creation and distribution of Dridex and Zeus. The group bounced back with relatively low-level campaigns in January, but there has been little activity since. It appears that the time has been spent developing WastedLocker ransomware, which appears to have been mostly written from scratch.

WastedLocker ransomware was first used in May 2020 and is believed to be a replacement for BitPaymer ransomware. In the short space of time that the new ransomware has been in use, attacks have been conducted on at least 31 organizations, according to data from Symantec. Most of the victims are located in the United States, eight of which are Fortune 500 companies and 11 are publicly listed. Attacks have been conducted on companies operating in a wide range of industry sectors, with the manufacturing, information technology, and media and telecommunications sectors experiencing the highest number of attacks.

Evil Corp appears to be targeting large organizations with deep enough pockets to pay the sizeable ransom demand, which has ranged from $500,000 to $10 million in some cases. In contrast to many other ransomware operators, Evil Corp does not steal data prior to file encryption, although that could well change in the future. The group certainly has the technical skill to adopt that tactic, but it appears that they have refrained from doing so to stay under the radar.

WastedLocker ransomware is downloaded using the JavaScript framework SocGholish under the guise of a browser update. Symantec has identified more than 150 websites that have been compromised that are being used as part of the campaign to deliver the ransomware payload. Once a network has been compromised, the attackers use living-off-the-land tactics to move laterally and gain access to as many endpoints as possible, including tools such as PsExec and PowerShell. The gang has been observed using the penetration testing tool Cobalt Strike to log keystrokes and obtain credentials and escalate privileges, before the WastedLocker ransomware is executed and files across the network are encrypted.

In addition to encrypting endpoints, the group is targeting database services, file servers, virtual machines and cloud environments to cause maximum disruption to maximize the probability of the ransom being paid. The group is careful and patient, often waiting several months before their ransomware encryption routine is triggered.

Evil Corp is one of many threat actors to have adopted ransomware, with attacks on businesses having increased over the past few months. Around 15 groups are now conducting manual ransomware attacks in which data is stolen prior to file encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. This tactic has been effective, with around half of businesses paying the ransom.

The University of California San Francisco is one of the latest victims that has been forced to pay the ransom to recover data encrypted in the attack. That ransomware attack involved NetWalker ransomware, and data was stolen in that attack prior to encryption. Without access to essential research data, the university had little option other than paying the $1.14 million ransom.

Organizations are attacked in a variety of ways, often using brute force tactics on RDP or exploiting vulnerabilities in VPNs, but there has also been an increase in email-delivered ransomware and drive-by malware downloads, highlighting the need for advanced email and web security solutions, which is an area where TitanHQ can help.

NetWalker Ransomware Gang Continues Aggressive Campaign Against Healthcare Organizations and Universities

The operators of NetWalker ransomware have been aggressively targeting healthcare organizations and more recently attacks have increased on universities conducting research into COVID-19.

NetWalker ransomware first appeared in the middle of 2019 and has primarily been used in targeted attacks on enterprises, with the operators deploying their ransomware manually after first gaining access to a victim’s network.

As is the case with several other manual ransomware operators, prior to the encryption of data, reconnaissance is performed, the attackers move laterally to compromise as many networked devices as possible, and sensitive data is exfiltrated. After the ransomware is deployed, the attackers threaten to publish the stolen data in an attempt to spur victims into paying the ransom rather than attempting to recover files from backups.

The business model of the NetWalker ransomware gang has recently changed and their ransomware is now being offered under the ransomware-as-a-service model, although the gang is only partnering with hackers that are experienced at attacking enterprises. This selective partnering is vastly different to many RaaS operations, which prioritize quantity over quality. The attack methods used to gain access to networks also differ from the brute force tactics typically used by Russian ransomware operators.

The operators of NetWalker ransomware have been extremely active during the COVID-19 pandemic. In addition to attacks on hospitals, attacks have been conducted on medical billing companies, COVID-19 research organizations, and educational software providers and, in the past few weeks, there has been a spate of attacks on universities. Michigan State University, Columbia College of Chicago and, most recently, University of California San Francisco have all been attacked. All three universities are involved in COVID-19 research. It is currently unclear whether an affiliate specializing in attacks on universities has been signed up or if universities involved in COVID-19 research have been specifically targeted.

Healthcare organizations are an attractive target as they are heavily reliant on data to operate. If patient data is encrypted and rendered inaccessible, the ability to provide medical services is significantly hampered, which makes payment of a ransom more likely. Current indications suggest the group is only interested in profiting from ransoms, but COVID-19 research data is in high demand and is certainly valuable. That could account for the number of recent attacks on universities, which have also been targeted by other ransomware gangs. Data from Emsisoft indicates at least 30 universities have suffered ransomware attacks so far in 2020.

NetWalker ransomware is evolving and poses a significant threat to organizations in all industry sectors, but especially healthcare and education. The ransom demands issued by the gang range from hundreds of thousands of dollars to millions, and data theft makes the cost of remediating an attack even higher.

It is unlikely that attacks will slow down in the weeks and months to come, and with a range of attack methods used to gain access to networks, it is important to ensure that all vulnerabilities are addressed and measures are implemented to protect against all possible attack vectors.

Web Filtering Myths and the Truth About DNS Filtering

There are several common web filtering myths that have led businesses to believe that it is not worth their while implementing a web filtering solution. It is important to bust these myths as they are preventing businesses from adding an essential extra layer of security that can prevent downloads of malware, ransomware infections, and block phishing attacks. The failure to filter the internet is often a costly mistake.

Once upon a time, having a firewall, antivirus solution, and spam filter would ensure your business was well protected, but the sophisticated nature of today’s cyber threats and the massive increase in cyberattacks has meant that these solutions alone are no longer sufficient to block cyber threats and prevent data breaches. The key to blocking these threats is to implement layered defenses. If the outer layer fails to block a threat, other layers exist to provide protection. A web filter should be one of those layers.

Why Web Filtering is Now Essential

Finding vulnerabilities and exploiting them is a difficult and labor-intensive way of attacking a business. Attacks on employees are much easier and require far less skill. All that is needed is a carefully written email to direct an employee to a malicious website and credentials can be easily harvested and malware downloaded. You don’t need to be a skilled hacker to conduct a phishing attack or set up a website for distributing malware.

Email security solutions are great for blocking phishing attacks, but many malicious emails bypass email security defenses. Phishing emails usually have a web-based component and various tactics are used to hide malicious URLs in emails. A web filter provides protection against the web-based component of phishing attacks by providing time-of-click protection. When an attempt is made to visit a malicious website linked in an email, the web filter blocks that request. A web filter will also prevent users from visiting malicious websites through web browsing and also block visits to malicious websites through malvertising redirects. Without a web filter in place, there is nothing to stop an employee from visiting a malicious website.

Pervasive Web Filtering Myths

There are some pervasive web filtering myths that need to be busted, the most common of which are detailed below.

Web Filtering is Expensive

OK, so we are not going to tell you that a web filter is a zero cost solution as you will need to pay for this extra level of protection, but the cost is actually low, no hardware needs to be purchased, and what you spend will pay for itself in terms of the data breaches you will prevent and the productivity gains that can be made. In terms of the real cost, less than $1 per user per month is all that needs to be spent to protect your users with WebTitan.

Web Filtering is Complicated

A DNS-based web filter is not complicated to set up, configure, or maintain. In fact, web filtering could not be any simpler. All you need to do is point your DNS to WebTitan. Even during the COVID-19 lockdown, making this change for all of your remote users is a simple process, and one that we can easily talk you through.

Once that small change has been made, here is what happens:

  • A user enters a web address into their browser and a DNS query is made to locate that web resource
  • A DNS lookup is performed through WebTitan to find the IP address associated with the domain
  • If the resource exists, WebTitan will provide the IP address to the browser. If the domain or web page is malicious or violates your organization’s policies, no IP address will be provided, a connection to the site will not be made, and the user will be presented with a local block page telling them why that resource cannot be accessed.

Your standard DNS request will go through all of those steps aside from applying filtering controls. All that changes with a web filter is that filtering controls are applied.
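The lookup flow above can be sketched as a policy decision made at resolution time. This is an added example, not WebTitan's implementation: the category feed, the upstream answers, the `Policy` fields and the rule that the most specific allowlist or blocklist entry wins are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed category feed and upstream answers (documentation names/addresses).
CATEGORY_FEED = {
    "phish-login.example": "phishing",
    "malware-drop.example": "malware",
    "anonproxy.example": "anonymizer",
    "social.example": "social-media",
}
UPSTREAM = {
    "intranet-supplier.example": "192.0.2.10",
    "social.example": "192.0.2.20",
    "press.social.example": "192.0.2.21",
    "phish-login.example": "192.0.2.66",
}


@dataclass(frozen=True)
class Policy:
    """Hypothetical per-organization policy."""
    blocked_categories: frozenset = frozenset()
    allowlist: frozenset = frozenset()
    blocklist: frozenset = frozenset()


def normalize(qname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return qname.strip().rstrip(".").lower()


def suffixes(name):
    # a.b.example -> [a.b.example, b.example, example], most specific first.
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def first_match(name, entries):
    # A rule for a parent domain also covers its subdomains.
    for candidate in suffixes(name):
        if candidate in entries:
            return candidate
    return None


def decide(qname, policy, feed=CATEGORY_FEED, upstream=UPSTREAM):
    """Return the filter's verdict for one DNS query."""
    name = normalize(qname)
    allowed = first_match(name, policy.allowlist)
    blocked = first_match(name, policy.blocklist)

    # Assumption: between explicit lists, the more specific entry wins;
    # explicit lists take precedence over category rules.
    if allowed and (not blocked or len(allowed) > len(blocked)):
        action, reason = "allow", f"allowlist:{allowed}"
    elif blocked:
        action, reason = "block", f"blocklist:{blocked}"
    else:
        hit = first_match(name, feed)
        category = feed[hit] if hit else None
        if category in policy.blocked_categories:
            action, reason = "block", f"category:{category}"
        else:
            action, reason = "allow", f"category:{category or 'uncategorized'}"

    if action == "block":
        # No IP address is returned; the client is shown a block page instead.
        return {"name": name, "action": "block", "reason": reason, "answer": None}

    answer = upstream.get(name)
    return {
        "name": name,
        "action": "resolve" if answer else "nxdomain",
        "reason": reason,
        "answer": answer,
    }


if __name__ == "__main__":
    demo = Policy(
        blocked_categories=frozenset({"phishing", "malware", "anonymizer", "social-media"}),
        allowlist=frozenset({"press.social.example"}),
        blocklist=frozenset({"ads.press.social.example"}),
    )
    for q in ("Login.Phish-Login.EXAMPLE.", "press.social.example",
              "ads.press.social.example", "intranet-supplier.example"):
        print(decide(q, demo))
```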

Web Filters are Easy to Bypass

Once you set up your DNS to point to WebTitan, all internet traffic will be subject to filtering controls. For most businesses that will be sufficient, however, web filters can be bypassed by using an anonymizer/proxy website. Connect to the anonymizer site, and through that site any other website can be accessed, thus bypassing the filter. The solution? Click the checkbox in WebTitan to block access to anonymizer sites.

A web filter can be used to block the use of shadow IT by preventing downloads of unauthorized software, including unauthorized VPNs, to prevent this method of web filter bypass.

One of your employees may try to change the DNS settings on their laptop to access the unfiltered internet. This is why you need to lock down your laptops to make sure that is not possible. You should also block DNS requests to anything other than your approved DNS service. If you use an external DNS server, only allow port 53/UDP traffic to the IP addresses of your chosen DNS filtering service’s servers. If you host your DNS server internally, ensure that local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet.

No web filter is infallible, but by taking these steps it will be much harder to bypass the filter and it will be beyond the ability of most employees.
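To check that the DNS egress restriction described above is actually holding, firewall flow logs can be audited for port 53 traffic that goes anywhere other than the approved path. This is an added example, not part of the original article: the CSV layout, the resolver and DNS server addresses, and the sample flows are constructed, and it goes slightly beyond the text by also checking DNS over TCP port 53.

```python
import csv
import io
from collections import defaultdict

# Constructed placeholders (documentation ranges), not real service addresses.
APPROVED_RESOLVERS = frozenset({"198.51.100.10", "198.51.100.11"})
INTERNAL_DNS = frozenset({"10.0.0.53"})

# Constructed firewall flow export: one row per connection.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,action
2020-06-01T09:00:01Z,10.0.1.15,10.0.0.53,udp,53,allow
2020-06-01T09:00:02Z,10.0.0.53,198.51.100.10,udp,53,allow
2020-06-01T09:01:10Z,10.0.1.22,203.0.113.8,udp,53,deny
2020-06-01T09:02:30Z,10.0.1.22,203.0.113.8,tcp,53,allow
2020-06-01T09:03:00Z,10.0.1.15,198.51.100.10,udp,53,allow
2020-06-01T09:04:00Z,10.0.0.53,203.0.113.8,udp,53,allow
2020-06-01T09:05:00Z,10.0.1.15,192.0.2.80,tcp,443,allow
"""


def allowed_destinations(src, approved, internal_dns):
    """Where a given source is permitted to send DNS queries.

    External-DNS model (internal_dns empty): everyone may query only the
    filtering service. Internal-DNS model: clients may query only the local
    DNS server, and only that server may query the filtering service.
    """
    if not internal_dns:
        return approved
    return approved if src in internal_dns else internal_dns


def audit_dns_flows(flow_csv, approved=APPROVED_RESOLVERS, internal_dns=INTERNAL_DNS):
    """Return {src: [(ts, dst, proto, status), ...]} for off-policy DNS flows.

    status is 'blocked-attempt' when the firewall denied the flow (the rule
    works, but the host is trying to bypass the filter) and 'egress-gap' when
    it was allowed (the rule set is missing a restriction).
    """
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dport"] != "53" or row["proto"] not in ("udp", "tcp"):
            continue
        if row["dst"] in allowed_destinations(row["src"], approved, internal_dns):
            continue
        status = "egress-gap" if row["action"] == "allow" else "blocked-attempt"
        findings[row["src"]].append((row["ts"], row["dst"], row["proto"], status))
    return dict(findings)


def egress_gaps(findings):
    """Unique (src, dst, proto) tuples that got through and need a firewall fix."""
    return sorted({
        (src, dst, proto)
        for src, items in findings.items()
        for _, dst, proto, status in items
        if status == "egress-gap"
    })


if __name__ == "__main__":
    result = audit_dns_flows(SAMPLE_FLOWS)
    for src, items in sorted(result.items()):
        for ts, dst, proto, status in items:
            print(f"{ts} {src} -> {dst} {proto}/53 {status}")
    print("Rules to tighten:", egress_gaps(result))
```

In the sample data the UDP rule blocks the client's attempt to reach an outside resolver, but the same query over TCP is allowed, which is the kind of gap this audit is meant to surface.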

Internet Speeds will be Greatly Reduced

One of the web filtering myths that is based in fact is the slowing of internet speed. Filtering the internet can result in latency and a slowing of internet speed. If you require your users to log in remotely using a VPN, then connect to your secure web gateway appliance, this will naturally result in latency. Backhauling traffic to the office, especially when your remote workers have slow home internet connections, will result in significant latency.

The solution is to use a DNS-based filtering solution on your employees’ laptops. With a DNS filter there is no backhauling of traffic, as the DNS filter can be integrated into the laptop. When a request is made to view a website, filtering takes place as part of the DNS lookup process. Point your DNS to WebTitan and filtering takes place before any content is downloaded, with zero latency.

How to Defend Against Phishing Attacks on Remote Workers

There has been an increase in phishing attacks on remote workers using COVID-19 as a lure over the past few months. Multiple studies suggest the number of COVID-19 related phishing attacks has soared. The anti-phishing training company KnowBe4 placed the rise at about 600% in Q1, 2020, and that rise has continued in Q2.

As was pointed out by Microsoft, the total number of phishing attacks has not increased by any major degree during the COVID-19 public health emergency, as cyber actors have finite capabilities for conducting attacks. What has happened is threat actors have abandoned their standard phishing campaigns and have repurposed their phishing infrastructure and are now using COVID-19 lures, and with good reason.

People crave information about the 2019 Novel Coronavirus, SARS-CoV-2, and COVID-19. There is a thirst for knowledge about the virus, how it infects people, how to prevent infection, and how great the risk is of catching it. With little information available about this new virus, finding out more information required following the news from countries around the world that are involved in research. Unsolicited emails offering important information naturally had a high open rate, so it is no surprise that COVID-19 phishing attacks have increased.

To control the spread of the virus, countries have gone into lockdown, so businesses have had to allow their employees to work from home. The increase in home workers happened very quickly, so businesses did not have the time to prepare properly and that meant new risks were introduced. It is therefore no surprise that there has been an increase in data breaches during the COVID-19 pandemic. Cybercriminals have taken advantage of lapses in security, insufficient staff training, and the vulnerabilities that are introduced when employees are forced to work in an environment that has not been set up for remote working.

IT teams have had to rapidly purchase new laptops to allow employees to work outside the office and there has not been time to properly secure those devices. VPN infrastructure was not sufficient to cope with the rapid increase in users. Home networks lack the security of corporate networks, and training employees on working from home securely had to be rushed. In order to allow remote workers to access the data they need, data has had to be moved to the cloud, and that has inevitably resulted in vulnerabilities being introduced. In short, the attack surface has increased considerably, huge numbers of devices are being used outside the protection of the corporate firewall, and new working environments have greatly increased the potential for errors.

Cybercriminals have taken advantage of these new vulnerabilities. Unpatched VPNs and software flaws are being exploited, RDP is being targeted, but phishing and spear phishing attacks offer the easiest way of gaining access to sensitive corporate data and spreading malware and ransomware. Improving phishing defenses is therefore critical.

Important Phishing Defenses for Remote Workers

Improving phishing defenses is one of the most important ways of protecting remote workers, their devices, and the networks and data that they are accessing remotely. Listed below are simple steps you can take to improve security and reduce risk.

Improve Email Security

The easiest way to thwart phishing attacks is to block the emails at source, and that requires a powerful anti-phishing solution. Many businesses have been relying on the standard anti-phishing measures provided with Office 365 – Exchange Online Protection (EOP). EOP is effective at blocking spam and standard (known) phishing attacks, but it is not particularly effective at blocking zero-day threats: new, previously unseen phishing and malware attacks. There have been a great many zero-day attacks during the COVID-19 lockdown.

The key to improving email security is layered defenses. Adding an extra layer of email security on top of EOP will greatly improve detection rates. It is best not to put all your eggs in one basket by opting for the second (paid) tier of protection offered by Microsoft (Advanced Threat Protection or ATP). Instead, use a third-party dedicated anti-spam and anti-phishing solution that features predictive threat detection and advanced anti-phishing mechanisms to detect zero-day threats. SpamTitan features machine learning, predictive technology, threat intelligence feeds, sandboxing, dual anti-virus engines and more to ensure that zero-day threats are blocked. SpamTitan adds an important extra layer of security, and SpamTitan itself includes layered defenses against phishing attacks.

Implement a Web Filter

Security can be further improved with a web filtering solution such as WebTitan. A web filter adds another layer to your anti-phishing defenses by blocking the web-based component of phishing and malware attacks. If a phishing email does reach an inbox, a web filter can prevent a click on a hyperlink from turning into a data breach. WebTitan provides time-of-click protection to block attempts by employees to visit malicious websites, such as those used to phish for credentials or distribute malware. WebTitan can be used to block web-based attacks for office and remote workers and allows different controls to be set depending on where employees connect to the internet.

Train Staff and Conduct Phishing Simulations

Remote employees need to be trained how to work and access data securely, and that means refresher cybersecurity training should be provided to reeducate employees about cybersecurity best practices. Training must also be provided on how to work securely from home.

Phishing is the easiest way that employees can be attacked, so they must be trained how to recognize a phishing email. It is also useful to run phishing email simulations on remote workers to find out which employees have taken the training on board and who needs further training. Training can reduce susceptibility to phishing attacks by up to 90%.

Increase in Malvertising Highlights Importance of Strong Internet Security Measures

The massive increase in employees working remotely has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic.

Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations.

Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-2, often spoofing WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19.

The rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating the number of malicious adverts doubled in March compared to standard levels of malicious advert activity prior to the pandemic.

A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any individual using the Internet Explorer browser who landed on the website was redirected to a webpage hosting the Fallout exploit kit that silently downloads the Raccoon information stealer.

There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an alert stating that around 2,000 COVID-19 domains are being set up each day and there has been a significant rise in phishing attacks directing users to newly registered domains. The TrickBot Trojan accounts for the majority of malware infections from these sites. Figures from Palo Alto Networks’ Unit 42 team show there was a 656% increase in the number of new COVID-19 related domains registered in March.

The increase in web-based attacks calls for improvements to cybersecurity defenses to protect remote employees’ devices from malware infections. A download of malware onto a user’s device could easily see the malware transferred to the network when the user connects.

One of the easiest and most effective ways of blocking these attacks is to implement a web filtering solution such as WebTitan Cloud. With WebTitan Cloud in place, when a user attempts to visit a malicious website, or when an attempt is made to redirect a user through malvertising, rather than arriving on the website the user will be directed to a local block page.

WebTitan Cloud also allows filtering controls to be applied to control the types of websites employees can visit on their corporate-owned devices. Controls can be applied to block access to risky websites such as torrents and peer-to-peer file sharing sites, which are also being used to distribute malware.

WebTitan Cloud is a DNS-based filter that conducts filtering at the DNS lookup stage of a web request. Applying filtering controls and restricting access to certain categories of website involves no latency, which is especially important during lockdown when employees typically have far less bandwidth available than at the office.

WebTitan Cloud does not require the installation of a client and the solution can be set up and configured in minutes to protect all workers, no matter where they choose to access the internet.

If you are interested in improving internet security and want to find out more about WebTitan Cloud and DNS filtering, call TitanHQ today to book a product demonstration, register for a free trial, and start protecting your employees from online threats.

Don’t Neglect Security Awareness Training for Remote Workers During COVID-19 Pandemic

New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level.

Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer.

In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.

Technical Controls Will Not Block 100% of Cybersecurity Threats

Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs).

When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided. Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.

Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a Mistake

One study recently conducted on IT workers by Apricorn revealed that 57% of IT decision makers in the United Kingdom believe remote workers are a security risk and will expose organizations to data breaches. It also found apathy among IT leaders about training the workforce, as employees are not concerned about security. 34% of IT leaders said their remote workers do not care about security, but that is not a reason not to provide training. It is a reason to reinforce training and get employees to buy into the company’s security strategy.

Another survey, conducted by Promon on 2,000 remote workers in the United Kingdom, confirmed those findings. The study revealed 66% of employees have not been provided cybersecurity training in the last 12 months, even though cybercriminals are actively targeting remote workers. It is also concerning that 77% of respondents were not worried about the security threat from working from home. The survey also revealed that 61% of employees are using personal devices to work from home instead of corporate-issued devices, which typically have far fewer protections in place to block threats.

Given the numbers of employees working from home due to COVID-19 and the increase in threats targeting those workers, now is the time to be stepping up training and to make sure employees are working in a secure environment. TitanHQ can help you better protect employees and the devices they use to work from home, but you should also ensure that cybersecurity training is reinforced.

Cybercriminals Are Exploiting Uncertainty and Fear About Coronavirus and COVID-19

Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics may not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.

People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.

Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.

Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.

Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.

Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on the Johns Hopkins University website. One campaign has been detected that uses a carbon copy map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.

With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.

It is also important to implement additional control measures to block attacks at source. There are two main attack vectors being used to target remote workers: email and the web. Due to the high risk of mistakes by employees, it is essential for businesses to have an effective email security solution in place.

The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.

The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such as those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file types such as software installers and executable files.

A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.

TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that complements Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement and allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.

Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.

Why a DNS Filter Should be Part of Your Security Stack

Phishing attacks are increasing and malware is a growing threat. A DNS filter adds an important level of protection to block these attacks. In this post we explain why.

The Growing Threat from Malware and Phishing Attacks

There are various methods used to deliver malware, but email remains one of the most common methods of distributing malware, either through malicious attachments or hyperlinks in emails that direct users to websites where malware is downloaded. The latter is a popular method of malware delivery as there is an increased chance that the hyperlink will not be detected as malicious by an email security solution. Various tactics are used to mask these URLs from email security solutions, such as adding the hyperlink to an attached file such as a PDF.

The Emotet Trojan is one of the most prevalent threats and also one of the most dangerous. Emotet is primarily spread via email through a combination of attachments and malicious URLs. The Trojan is an information stealer capable of spreading across networks to infect other vulnerable devices. Removing the malware is problematic, as there are usually multiple devices infected. As soon as the malware is removed from one device, others on the network re-infect the cleaned machine. Emotet is also a malware downloader. Once all valuable information has been obtained post-infection, other malware variants such as the TrickBot Trojan and RYUK ransomware are downloaded. All devices infected with Emotet are added to the botnet. An analysis by the Spamhaus Project revealed around 6,000 malicious URLs are emitted from infected devices, which act as compromise vectors.

An advanced spam filter will ensure that the majority of malicious emails are blocked, but it is important not to totally rely on a spam filter alone to block email-based malware and phishing attacks. The key to a strong defense is to implement layered defenses. With overlapping layers of security, if one layer fails to block a threat, another is in place to provide protection. One of the most important additional protections against phishing attacks and email-based malware is a web filter.

Why a Web Filter is so Important

Phishing attacks have an email and web-based component. The email contains the lure and a hyperlink is included that directs the recipient to a webpage hosting a phishing kit. When the user visits the website, credentials and other sensitive information are harvested. A spam filter will block most of these phishing emails and a web filter provides protection against emails that are not blocked, as well as protecting against accidental navigation to malicious websites through malvertising or general web browsing.

A web filter is a form of content control that prevents network users from visiting known malicious websites. When a network user attempts to visit a malicious website, rather than connecting to the site, they are directed to a block page. That block page informs the user that they have attempted to visit a prohibited website which, in this case, is a phishing page or website hosting malware. It could equally be a website that violates an organization’s internet usage policies. A web filter therefore serves as an additional, and important, layer of security to block phishing attacks and malware and ransomware downloads.

Web Filtering Options

There are different web filtering options available. Appliance-based web filters were once the go-to solution, but cloud-based filtering is now much more common, more cost effective for most organizations, and easier to implement and maintain.

Appliance-based solutions are not scalable. Once capacity has been reached, another appliance must be purchased. Software-based web filters, which are usually deployed as a virtual appliance on existing hardware, are a good choice, but the most popular web filtering solutions are cloud-based. With cloud-based web filters, all filtering takes place in the cloud on the service provider’s hardware. Cloud-based filters are highly scalable. If capacity needs to be increased, additional licenses just need to be purchased, which takes seconds.

DNS Filtering is the Most Flexible Web Filtering Choice

The most popular, flexible, and scalable solution is a DNS filter. When a user makes a request to visit a website, such as by clicking a hyperlink or navigating to a website through their browser, a set of procedures must be followed to display the content.

One of the first steps is to send a query to the DNS server. The DNS server matches an easy to remember domain name – google.com for instance – with an IP address that allows the site to be found. A DNS filter works at this stage of the process and will block attempts to visit prohibited websites or malicious sites before any content is downloaded. Modern DNS filters do not just block content at the domain level. They also block content at the URL and page level. This means that a page on Medium.com could be blocked, while other content on the site is allowed. Filtering controls are therefore very granular and there is less potential for overblocking of web content.

WebTitan – A DNS Filter for SMBs and MSPs Serving the SMB Market

TitanHQ’s DNS filtering solution – WebTitan – has been developed for use by SMBs, MSPs providing security services to SMBs, and ISPs with millions of users. WebTitan includes market-leading classification of web content and malicious URL detection, and the solution is updated in real-time with more than 60,000 malicious URLs added to the filter every day. The solution includes advanced analytics and threat intelligence feeds and covers more than 99.9% of the active web. The solution is also easy to integrate into your own systems through TitanHQ’s API, and the solution can be purchased, set up, and be providing protection in just a few minutes.

For more information on WebTitan, to sign up for a free trial, or to book a product demonstration, give the TitanHQ team a call today.

Texas School District Loses $2.3 Million in Phishing Scam

A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December.

The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor.

A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to make changes to payroll or requests are sent via email asking for sensitive information such as W-2 forms for use in tax fraud.

The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials.

Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to log in to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack.

Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works.

Attackers often insert themselves into legitimate email conversations. Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and email exchanges can continue for several days or weeks. Since the scammer has full control of one of the email accounts, it is likely that the scam will not be detected until it is too late.

It is unclear whether a vendor’s email account was compromised in the Manor Independent School District phishing attack or if this was a standard BEC attack, with emails sent to the billings department requesting a bank account change. Details on the specifics of the phishing attack have not been released. What is known is that the bank account details of a vendor were changed, and the school district made three separate payments over the space of the following month before the scam was identified and the school district discovered it had been scammed out of $2.3 million.

A defense in depth strategy is required to prevent attacks such as this from succeeding. Technical defenses are essential. An advanced spam filter should be implemented that scans all incoming and outgoing messages, multi-factor authentication should be implemented to prevent stolen credentials from being used to remotely access accounts, and end user training is required to raise awareness of the threat. Policies and procedures should also be implemented that require all bank account changes to be verified, via telephone, before they are authorized.

How to Protect Remote Workers from Wi-Fi Threats

Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection.

When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could be disclosed and intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred.

Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor.

There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure.

A hacker could be listening in and could obtain information from that connection. Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting, and traffic would be routed through the hacker’s device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil twin thinking they are connected to the legitimate hotspot. Since the evil twin is operated by the attacker, any information disclosed while connected can be intercepted.

Remote workers must be told never to connect to a Wi-Fi network unless they do so through a VPN that encrypts their data. Employees may forget to connect to their VPN, and if weak passwords are used, they could be cracked relatively easily even if they are encrypted, but with a VPN and password policies, risk will be reduced to a reasonable level.

Wi-Fi networks tend not to have the same protections as corporate networks, so there may be little restrictions on the types of website that can be accessed while connected. To protect remote workers, a DNS filter such as WebTitan should be used.

A DNS filter performs content control at the DNS lookup stage when a user attempts to access the internet. When a web address is entered in the browser, the DNS server looks up the fully qualified domain name (FQDN) and matches it with the IP address of the website. The browser is provided with the IP address, the server is contacted, and the content is downloaded. With a DNS filter, the request is subject to certain rules before any content is downloaded. For instance, category-based filtering could be used to prevent adult content from being accessed. An attempt would be blocked before any content is downloaded. Importantly for security, the DNS filter would prevent the user from visiting any known malicious website, such as a phishing site or a site known to harbor malware. With a cloud-based DNS filtering service, all filtering takes place in the cloud and there is no latency regardless of where the individual is located. DNS filtering protects workers on corporate networks as well as remote workers.

A further control that is useful is an email filtering solution, such as SpamTitan, that incorporates Domain-Based Message Authentication, Reporting, and Conformance (DMARC).

In the event of a user’s email credentials being obtained in a man-in-the-middle attack via a rogue Wi-Fi hotspot, their email account could be accessed by the attacker. Since legitimate credentials are being used, this would not generate any alerts and the attacker could peruse the email account in their own time. If the account is used to send phishing messages, as they often are, DMARC will prevent those messages from being delivered and will alert the company to the issue.

The DMARC element of the spam filter checks the sender’s IP address to make sure it matches the IP on the DNS servers for the sender’s organization. If the IP is not authorized to send messages from that domain, the messages will be rejected or quarantined, and the company would be alerted to the phishing attack. The same is true for spoofing of email addresses.
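The check described above can be sketched as follows. This is an added example, not SpamTitan's code: the DNS records are constructed, the function names are hypothetical, only the SPF half of DMARC is evaluated (DKIM is omitted), and alignment is simplified to an exact or subdomain match instead of a Public Suffix List lookup.

```python
import ipaddress

# Constructed DNS TXT records (documentation domains and address ranges),
# standing in for live lookups so the example runs offline.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "example.org": "v=spf1 ip4:198.51.100.25 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, envelope_domain, txt=TXT_RECORDS):
    """Return the SPF result for the connecting IP.

    Only ip4/ip6 and 'all' are handled; real SPF also has include, a, mx,
    redirect and DNS lookup limits.
    """
    record = txt.get(envelope_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...' into a dict of tags, or None if invalid."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def dmarc_disposition(sender_ip, envelope_from, header_from, txt=TXT_RECORDS):
    """Decide what a receiving filter does with a message (SPF path only)."""
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    policy = parse_dmarc(txt.get("_dmarc." + from_domain, ""))
    if policy is None:
        return "no-policy"
    # aspf=s demands an exact match; the default (relaxed) also accepts
    # subdomains of the visible From domain.
    strict = policy.get("aspf", "r") == "s"
    aligned = env_domain == from_domain or (
        not strict and env_domain.endswith("." + from_domain))
    if aligned and spf_check(sender_ip, env_domain, txt) == "pass":
        return "deliver"
    # Failure: apply the domain owner's published policy. Aggregate reports
    # to the 'rua' address are how the owner learns about the abuse.
    return {"none": "deliver-and-report",
            "quarantine": "quarantine",
            "reject": "reject"}[policy["p"]]


if __name__ == "__main__":
    print(dmarc_disposition("192.0.2.10", "alice@example.com", "alice@example.com"))
    print(dmarc_disposition("203.0.113.7", "alice@example.com", "alice@example.com"))
    print(dmarc_disposition("203.0.113.7", "bounce@example.net", "ceo@example.org"))
```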

SpamTitan also includes dual anti-virus engines to identify malware sent via email and sandboxing to help catch previously unknown malware variants that have yet to have their signatures uploaded to AV engines. Any malware sent via email will also be quarantined to keep inboxes free of threats.

If you run a business and allow workers to connect remotely, speak to TitanHQ today to find out more about how you can better protect your remote workers, and your business, from cyberattacks conducted via email and the web.

Our team of highly experienced staff will walk you through the benefits of DNS and spam filtering, can schedule a personalized product demonstration, and will help you get set up for a free trial of SpamTitan and WebTitan. You can then evaluate both solutions in your own environment. Both solutions can be set up and protecting you in a matter of minutes.

Is an Email Archive the Same as a Backup?

One of the most common misconceptions about email archiving is that an email archive is the same as a backup, but there are some important differences. In this post we explain those differences and why your business needs to be archiving emails as well as creating email backups.

In the event of disaster, you need to be able to recover your data and the same is true of emails. A huge quantity of important information is saved in email accounts and businesses cannot afford to lose all that data. In the event of disaster, a ransomware attack for instance, without some form of backup, all of your email data will be permanently lost. In the case of a ransomware attack, you can pay the ransom and the attackers may supply viable keys to decrypt your data but there is no guarantee that they will make good on their promise. You must have a backup plan, and that is an email backup.

Email accounts can be restored to a particular moment in time from a backup file, and emails can be recovered with little to no data loss. From a business perspective, your backups may not need to be retained for very long. Their primary purpose is to allow data recovery in the event of disaster, and they will be replaced with a new backup.

Backups are designed to restore entire mailboxes. Problems arise if you need to recover a single email that has been accidentally deleted, if you need to respond to a request to have a person’s data deleted in its entirety to comply with GDPR, or if you get an eDiscovery request or have to produce emails to settle disputes. You may also need to review emails to determine if there has been a data breach or to investigate potential malicious insiders. In all of these cases, backups fall short as they are not designed to be searched.

Email archives are different. An email archive can be viewed as an extension of an inbox, where searches for individual emails can be performed and messages can be quickly recovered when needed. Every sent and received email is sent to the archive and is stored along with metadata, which allows searches to be performed. In fact, searching an email archive is almost as easy as searching for a message in an inbox.

If you wanted to restore emails from a particular moment in time, say last year, restoring data from your backup could easily result in loss of current email data. With the restoration of data from an email archive that would not occur. Many businesses only discover the difference between an email archive and a backup when they need to deal with one of the above situations. By then it is too late.

You should also bear in mind that businesses have a legal responsibility to preserve their emails, even in industries that are not highly regulated. The Federal Rules of Civil Procedure in the United States were updated in 2006 to include electronic communications, which require email data to be produced in the event of legal action. Further, an audit trail must be maintained, email data must be protected against accidental loss or deliberate tampering, and data must be immediately available. An archive allows this, a backup does not. The failure to produce information can result in a heavy fine and could well be the difference between winning and losing a case.

ArcTitan: Cost Effective Cloud Email Archiving for SMBs and MSPs

TitanHQ offers a lightning fast email archiving solution that ensures that you will never lose an email again. ArcTitan is a set and forget email archiving solution that serves as a black box flight recorder for email. All emails sent and received by your business will be automatically sent to the archive for long term email storage, freeing up space on your mail server and improving performance. Set your email archiving policy and email retention periods, and your emails will be encrypted in transit to the archive and at rest and stored on Replicated Persistent Storage on AWS S3. Your archive will be automatically backed up to ensure that come what may you can recover your emails.

When you need to find an email, receive an eDiscovery request, are selected for a compliance audit, or otherwise need to find historic email, searching the archive is simple and fast. You can search up to 30 million emails a second and recovery of emails takes seconds to minutes. ArcTitan facilitates policy-based access rights and role-based access, so you can allow employees to access their own archives, so your IT department will not have to be involved every time an employee misplaces an email.

Key Features of ArcTitan

  • Scalable email archiving that grows with your business
  • Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
  • Lightning fast searches – Search 30 million emails a second
  • Rapid archiving at up to 200 emails a second
  • Automatic backups of the archive
  • Email archiving with no impact on network performance
  • Ensure an exact, tamperproof copy of all emails is retained
  • Easy data retrieval for eDiscovery
  • Protection for email from cyberattacks
  • Eliminate PSTs and other security risks
  • Facilitates policy-based access rights and role-based access
  • Only pay for active users
  • Slashes the time and cost of eDiscovery and other formal searches
  • Migration tools to ensure the integrity of data during transfer
  • Seamless integration with Outlook
  • Supports single sign-on
  • Save and combine searches
  • Perform multiple searches simultaneously
  • Limits IT department involvement in finding lost email – users can access their own archived email
  • Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.

MSPs looking to offer email archiving to their clients can integrate ArcTitan easily into their own packages or offer the solution as a standalone service. The solution can be provided as a white label to MSPs and resellers to add their own branding.

To find out how easy and cost-effective it is to implement an email archiving solution, call TitanHQ today.

Rise in Cyberattacks on Law Firms Highlights Need for Additional Security Layers

The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware.

According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: Cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information.

Investigations such as this are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything.

As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report the data breaches, they will not be reported. That means that only if reportable information has potentially been compromised will the breach be reported to regulators or made public. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg.

From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients are incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid.

Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email. Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known weakness: Employees.

Employees can be trained to be more security aware and be taught how to recognize potential phishing emails, but phishers are conducting ever more sophisticated campaigns and every employee will make a mistake from time to time. That mistake could be all that it takes to compromise a computer, server, or a large part of a network.

One firm contacted for the report explained that it had implemented advanced cybersecurity protections that were undone with a phishing email. The digital security measures it had in place greatly restricted the harm caused, and there was no evidence that the attacker had accessed sensitive information, but the attack did succeed.

In response, the law firm implemented more advanced security protocols and a more aggressive spam filter, used multi-factor authentication more widely, and revised its policies, procedures, and training. Had those measures been implemented in advance, it may have been possible to block the attack.

The response was to implement more layered defenses, which are critical for blocking modern cyberattacks. Overlapping layers of security ensure that if one measure fails, others are in place to prevent an attack from succeeding.

This is an area where TitanHQ can help. TitanHQ has developed cybersecurity solutions that can fit seamlessly into existing security stacks and provide extra layers of security to block the most common attack vectors. TitanHQ’s email and web security solutions – SpamTitan and WebTitan – provide advanced protection without compromising usability.

Since many clients prefer to communicate via email, it is important for all incoming attachments to be analyzed for malicious code. Extensive checks are performed on all incoming (and outgoing) emails, with SpamTitan able to block not only known malware but also zero-day threats. SpamTitan also includes DMARC email authentication to block email impersonation attacks and a sandbox to analyze suspicious files and identify malicious or suspicious activity.

WebTitan provides protection from web-based threats. Most malware is now delivered via the internet, so a web security solution is essential. WebTitan is a DNS filtering solution that protects against all known malicious sites. It is constantly updated in real time through threat intelligence services to ensure maximum protection. The solution provides advanced protection against drive-by downloads and malicious redirects to exploit kits and other malicious sites and provides an important additional layer of security to protect against phishing attacks.

Law firms will no doubt prefer to host their cybersecurity solutions within their own environments or private clouds, which TitanHQ will happily accommodate.

For further information on TitanHQ’s cybersecurity solutions for law firms, contact the TitanHQ team today. Managed Services Providers serving the legal industry should contact TitanHQ’s channel team to find out more about the TitanShield program and discover why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs serving the SMB market.

Spelevo Exploit Kit Now Delivering Maze Ransomware

The Spelevo exploit kit is being used to deliver Maze ransomware to unsuspecting internet users via a vulnerability in Adobe Flash Player.

The Spelevo exploit kit has been used to deliver a variety of malicious payloads since it was first detected in early 2019. Initially it was used to silently download the GootKit Trojan, and latterly the Dridex and IcedID banking Trojans. Now the threat actors behind Maze ransomware have joined forces with the EK developers to deliver their malicious payload.

Spelevo has previously been loaded onto a compromised business-to-business contact website to target business users, although the latest campaign uses ad network traffic to send users to a fake cryptocurrency website, where they are then redirected to a web page hosting the exploit kit.

The Flash vulnerability – CVE-2018-15982 – is then exploited in the browser to silently download and execute the ransomware payload. If that download occurs, the user’s files will be encrypted. There is currently no free decryptor for Maze ransomware. Recovery will depend on restoring files from backups – provided they have not also been encrypted – or the user will face permanent file loss if they do not pay the ransom demand. The ransom doubles if payment is not made within a week.

Exploit kits used to be one of the main ways that malware was distributed, although they fell out of favor with cybercriminals who found alternate, more profitable ways to earn money. The threat never disappeared but exploit kit activity dropped to a tiny fraction of the level seen a few years ago when Angler exploit kit activity was at its peak. However, over the past year or so, exploit kit activity has been increasing. Today, there are several active exploit kits that are being used to deliver a variety of malware and ransomware payloads.

Exploit kits will only work if they have been loaded with an exploit for a vulnerability that has not been patched on a user’s device. Prompt patching will ensure that even if a user lands on a web page hosting an exploit kit, no malware download will take place. However, many businesses are slow to apply patches and it can be several months before vulnerabilities are corrected.

One of the best defenses against exploit kits is a DNS filter. A DNS filter is a control mechanism used to prevent users from visiting malicious websites. With a DNS filter in place, websites known to host malware or malicious code are blocked at the DNS lookup stage, before any content is downloaded. If a user attempts to visit a known malicious web page, they will be directed to a block screen instead.

Web filters can also be used to prevent ‘risky’ file types from being downloaded, such as .exe, .scr, or .js files. In addition to blocking malware downloads, a DNS filter can be used by businesses to enforce their acceptable internet usage policies and prevent employees from accessing productivity-draining websites and adult content.

A web filter is an important part of layered defenses against malware and other internet-based attacks such as phishing. TitanHQ’s DNS filter, WebTitan, is used by thousands of businesses and managed service providers to protect against web-based threats. WebTitan blocks more than 60,000 new malware sites every day and provides businesses and MSPs with real-time protection against the full range of web-based threats.

WebTitan can be deployed in minutes, is updated automatically, is highly scalable, and costs as little as 90 cents per user per month. The productivity gains alone from using the solution mean it more than pays for itself, let alone the savings from preventing phishing attacks and costly malware downloads and data breaches.

To find out more about DNS filtering and why it is now considered an essential part of layered security defenses, give the TitanHQ team a call. Our support staff will be happy to answer your questions, book a product demonstration, and help you get set up for a free trial.

Rise in Ransomware Attacks on Education Institutions Highlights Need for Improved Defenses

Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable.

There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).

The number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid.

Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up.

Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – not only because their children are not getting their education, but also because childcare then needs to be arranged.

The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks, far greater than any ransom payment.

It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying the ransom the most logical solution from a financial perspective. However, paying the ransom sends a message to other cybercriminals that these attacks can be extremely profitable, and the attacks increase.

The huge cost of attacks has seen educational institutions take out insurance policies, which typically pay the ransom in the event of an attack. While this is preferable financially for the schools, it ensures that the attackers get their pay day. Some studies have suggested that attackers are choosing targets based on whether they hold insurance, although the jury is out on the extent to which that is the case.

In total, 49 school districts and around 500 K-12 schools have been affected by ransomware attacks this year. While the ransomware attacks on school districts have been spread across the United States, schools in Connecticut have been hit particularly hard. Seven districts, in which there are 104 schools, have been attacked.

Prevention of these attacks is key but securing systems and ensuring all vulnerabilities are identified and corrected can be a challenge, especially with the limited budgets and resources of most schools. Cybersecurity solutions need to be chosen wisely to get the maximum protection for the least cost.

A good place to start is by addressing the most common attack vectors, which for ransomware are Remote Desktop Protocol and email-based attacks.

Remote Desktop Protocol should be disabled if it is not required. If that is not possible, connection should only be possible through a VPN. Rate limiting should also be set to block access after a number of failed login attempts to protect against brute force password-guessing attacks.

Email security also needs to be improved. Massive spam campaigns are being conducted to distribute the Emotet banking Trojan, which serves as a downloader for Ryuk ransomware and others. Embedded hyperlinks in emails direct end users to sites where they are encouraged to download files that harbor malware, or to exploit kits where ransomware is silently downloaded.

Advanced spam filters should be deployed that incorporate sandboxing. This allows potentially suspicious email attachments to be checked for malicious activity in a safe environment. DMARC email authentication is also important as it is one of the best defenses against email impersonation attacks. SpamTitan now incorporates both of these measures.

A DNS based content filtering solution is also beneficial as an additional protection against malware downloads and phishing attacks. Not only can the content filter be used to ensure compliance with CIPA, it will prevent end users from visiting malicious websites where ransomware is downloaded.

Email attacks usually require some user interaction, which provides another opportunity to block the attacks. By educating all staff and students on the risks, they can be prepared for when malicious emails arrive in their inboxes and will be conditioned how to respond.

It is often the case that breached entities only implement these measures after an attack has occurred to prevent any further attacks from succeeding. By taking a more proactive approach and implementing these additional security measures now, costly, disruptive attacks can be avoided.

For more information on ransomware defenses such as email and DNS filters for educational institutions, give the TitanHQ team a call today. You are likely to find out that these security measures are far cheaper than you think… and naturally a great deal less expensive than having to deal with an attack.

Ransomware Modifications Double as Cybercriminals Step up Attacks on Businesses

2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018. However, that trend has now been reversed.

2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.

Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.

Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.

Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.

Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a-service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shutdown has not been accompanied by a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.

Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.

Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourages further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.

Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.

To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.

Phishing Campaign Uses Voicemail Notifications to Trick Users into Disclosing Credentials

A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.

The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message are included, along with the time and date of the message. In order to access that message, the user is required to open an HTML file attached to the email.

Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training employees are told to look out for these commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.

The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.
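A mail gateway or triage script can flag this pattern by parsing HTML attachments for a meta refresh that leaves the local file for a remote host. The following is an added example, not code from SpamTitan or the campaign: the attachments are constructed, the hostnames use the reserved `.invalid` suffix, and the function names, verdict labels and five-second threshold are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attachment bodies for the example.
SAMPLE_ATTACHMENT = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL='https://voicemail.example.invalid/listen'">
</head><body>Loading voicemail...</body></html>"""

BENIGN_ATTACHMENT = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="300"></head><body>Status board</body></html>"""

# "<delay>; url=<target>": browsers tolerate ';' or ',' and optional quotes.
REFRESH_RE = re.compile(
    r"\s*(\d*)[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?(.*)", re.I | re.S)


class MetaRefreshFinder(HTMLParser):
    """Collect (delay_seconds, url) for every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in values, so case tricks and entity
        # encoding of the URL are normalised before this point.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = REFRESH_RE.match(attr.get("content", ""))
        delay = int(match.group(1) or 0)
        url = match.group(2).strip().strip("'\"").strip()
        self.redirects.append((delay, url))


def scan_html_attachment(html_text, max_delay=5):
    """Return one finding per refresh that targets a remote http(s) host."""
    finder = MetaRefreshFinder()
    finder.feed(html_text)
    finder.close()
    findings = []
    for delay, url in finder.redirects:
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            findings.append({
                "host": parsed.hostname,
                "url": url,
                "delay": delay,
                # A near-zero delay gives the reader no time to notice
                # that the local file is handing off to a remote site.
                "immediate": delay <= max_delay,
            })
    return findings


def verdict(html_text):
    """Map findings to a gateway action (labels are hypothetical)."""
    findings = scan_html_attachment(html_text)
    if any(f["immediate"] for f in findings):
        return "quarantine"
    return "review" if findings else "allow"


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, verdict(body), scan_html_attachment(body))
```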

Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails they are likely to receive, they will be more likely to correctly identify an email as malicious if it arrives in their inbox.

Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees.

SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.

With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.

If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.

Make Sure You are Protected Against Google Calendar Phishing Attacks

A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks.

Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses.

Messages are carefully crafted to maximize the probability of an individual clicking the link and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual.

Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks.
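How a receiving mail filter turns a published DMARC record into a decision on a spoofed sender, shown as an added example (not SpamTitan's code and not part of the original article). The function names, the constructed example.com and example.net records, and the two-label shortcut for the organizational domain are assumptions.

```python
# Simplified DMARC check after RFC 7489. Not modelled: DNS lookups,
# pct= sampling and the sp= subdomain policy.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict keyed by lower-case tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    # Real code must consult the Public Suffix List (e.g. for example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' (default) = same org domain."""
    if auth_domain is None:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the policy the domain owner requested for failures.

    spf_pass_domain  - envelope domain that passed SPF, or None
    dkim_pass_domain - d= domain of a valid DKIM signature, or None
    """
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")):
        return "pass"
    if aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r")):
        return "pass"
    return tags["p"].lower()


# Constructed records for the reserved domain example.com.
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    # Spoofed From: example.com, sent through an unrelated domain that passes SPF.
    print(dmarc_disposition(ENFORCING, "example.com", spf_pass_domain="bulk.example.net"))
    print(dmarc_disposition(MONITORING, "example.com", spf_pass_domain="bulk.example.net"))
```

The same spoofed message is rejected under `p=reject` but only reported under `p=none`, so a domain that publishes a monitoring-only record gets no blocking from DMARC.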

A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so.

Phishing campaigns have one of two main aims – to steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click.

In the Google Calendar phishing attacks, events are added into app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more. To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions.

This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings after installation and will be vulnerable to Google Calendar phishing attacks.

To prevent these attacks, on the desktop application settings menu click on:

Event Settings > Automatically Add Invitations

Select the option “No, only show invitations to which I’ve responded.”

Navigate to View Options and ensure that “Show declined events” is not checked.
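For mail gateways or SOC triage, the pattern described above (an unanswered invite from an outside organizer that carries a link and several reminders) can be checked in the invitation file itself. The following is an added example, not code from the original article or from TitanHQ; the function names, the heuristic and the constructed sample invite using reserved example domains are assumptions.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

def unfold(ics_text):
    """RFC 5545 folding: a line that starts with space/tab continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def split_property(line):
    """Split 'NAME;PARAM=x:value' at the first colon that is outside double quotes."""
    in_quotes, cut = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            cut = i
            break
    name, *raw_params = line[:cut].split(";")
    params = {}
    for item in raw_params:
        key, _, val = item.partition("=")
        params[key.upper()] = val.strip('"')
    return name.upper(), params, line[cut + 1:]

def unescape(text):
    # Undo RFC 5545 TEXT escaping of newline, comma, semicolon and backslash.
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def mail_address(value):
    value = value.strip().lower()
    return value[7:] if value.startswith("mailto:") else value

def assess(event, trusted):
    """Attach the reasons an event matches the calendar-phishing pattern."""
    domain = event["organizer"].rpartition("@")[2]
    checks = [
        ("external-organizer", domain not in trusted),
        ("contains-link", bool(event["urls"])),
        ("unanswered", event["partstat"] in (None, "NEEDS-ACTION")),
        ("multiple-reminders", event["reminders"] >= 2),
    ]
    event["reasons"] = [label for label, hit in checks if hit]
    # Heuristic (assumption): unsolicited + external + link is worth a review.
    needed = {"external-organizer", "contains-link", "unanswered"}
    event["suspicious"] = needed <= set(event["reasons"])
    return event

def triage_invite(ics_text, recipient, trusted_domains):
    """Return one assessed dict per VEVENT; absent PARTSTAT counts as NEEDS-ACTION."""
    recipient = recipient.lower()
    trusted = {d.lower() for d in trusted_domains}
    results, event = [], None
    for line in unfold(ics_text):
        name, params, value = split_property(line)
        marker = value.strip().upper()
        if name == "BEGIN" and marker == "VEVENT":
            event = {"summary": "", "organizer": "", "partstat": None, "urls": [], "reminders": 0}
        elif event is None:
            continue
        elif name == "BEGIN" and marker == "VALARM":
            event["reminders"] += 1          # each VALARM is one reminder
        elif name == "END" and marker == "VEVENT":
            results.append(assess(event, trusted))
            event = None
        elif name == "ORGANIZER":
            event["organizer"] = mail_address(value)
        elif name == "ATTENDEE" and mail_address(value) == recipient:
            event["partstat"] = params.get("PARTSTAT", "NEEDS-ACTION").upper()
        elif name == "SUMMARY" and not event["summary"]:
            event["summary"] = unescape(value)
        elif name in ("DESCRIPTION", "LOCATION", "URL"):
            for url in URL_RE.findall(unescape(value)):
                url = url.rstrip(".,;)")
                if url not in event["urls"]:
                    event["urls"].append(url)
    return results

# Constructed sample (not a captured invite): external event with a folded link, then an internal one.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST",
    "BEGIN:VEVENT", "UID:constructed-1@example.net",
    'ORGANIZER;CN="Payments: Team":mailto:notify@example.net',
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:alice@example.com",
    "SUMMARY:You have received a payment",
    "DESCRIPTION:Confirm your details\\, then collect: https://pay.exa",
    " mple.net/claim?id=1",
    "BEGIN:VALARM", "ACTION:DISPLAY", "TRIGGER:-P1D", "END:VALARM",
    "BEGIN:VALARM", "ACTION:DISPLAY", "TRIGGER:-PT1H", "END:VALARM",
    "END:VEVENT", "BEGIN:VEVENT", "UID:constructed-2@example.com",
    "ORGANIZER:mailto:bob@example.com", "SUMMARY:Quarterly review",
    "ATTENDEE;PARTSTAT=ACCEPTED:mailto:alice@example.com",
    "LOCATION:Room 4", "END:VEVENT", "END:VCALENDAR",
])
```

Calling `triage_invite(SAMPLE_ICS, "alice@example.com", ["example.com"])` returns one dict per event, with the first flagged and the second clean.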
 

FBI Issues HTTPS Phishing Warning

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS.

The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users.

HTTPS, or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit.

The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website.

If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.

Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign.

If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.

The IC3 alert was intended to raise awareness of the threat from HTTPS phishing, to make the public aware of the true meaning of the green padlock, and to warn that a website should never be trusted simply because it starts with HTTPS.

Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees.

A web filter can greatly reduce the risk of HTTPS phishing attacks, provided the web filter has the capability to decrypt, scan, and re-encrypt HTTPS traffic.

WebTitan provides real-time protection against web-based attacks and uses a constantly updated database of 3 million known malicious sites to block attempts to visit phishing websites. WebTitan is capable of SSL inspection and can inspect HTTPS traffic, block specific applications within a webpage, and display alerts or block sites with fake HTTPS certificates.

If you want to improve protection against web-based attacks, contact the TitanHQ team today for more information about WebTitan.

Buran Ransomware Distributed via RIG Exploit Kit

While it is good news the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware.

Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recovery by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files.

Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec.

The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed.

An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia.

While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit.

Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers.

There is invariably a delay between a patch being issued and all devices being updated. To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block access to known malicious websites to prevent attacks on vulnerable computers.

New Partnership Sees French VARs Offered Easy Access to TitanHQ Cybersecurity Solutions

TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world.

TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer.

Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients.

Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.

SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks.

WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies.

ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives and stores more than 10 million emails each month.

With these solutions, French VARs can provide their clients with even greater value and ensure they are well protected against rapidly evolving cyberthreats.

“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to our VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market.”

“We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
 

TitanHQ Incorporates Location-Based Filtering into WebTitan Cloud 4.12

A new version of WebTitan Cloud has been released by TitanHQ. WebTitan Cloud 4.12 offers existing and new customers the opportunity to set filtering controls by location, in addition to setting organization-wide policies and role and departmental policies via links to Active Directory/LDAP.

The new feature will be especially useful to MSPs and companies with remote workers, satellite offices, bases in multiple locations, and operations in overseas countries. Organization-wide web filtering policies can be set to prevent users from accessing illegal web content and pornography, but oftentimes, the one size fits all approach does not work for web filtering. The new location filter helps solve this.

MSPs can use this new feature to set web filtering controls for customers in different locations while businesses using WebTitan Cloud can easily set a range of different policies for all users from a specific location, whether those users are accessing the Internet on or off the network.

There will naturally be times when policies need to be bypassed to enable specific tasks to be completed. Rather than making temporary changes to location or other policies, WebTitan Cloud uses cloud keys which allow policy-based controls to be temporarily bypassed.

Accompanying the location-based controls are new reporting options which allow administrators to quickly access information about web views and blocked access attempts in real time. While reports can be useful, oftentimes information needs to be accessed quickly. To help administrators find the information they need, search functionality has been enhanced.

Administrators can use the search filter on the history page to search by location name. For MSPs this allows a specific customer to be selected and for traffic information at a specific location to be quickly viewed in real time, without having to generate a report.

Location-based web filtering policies can be set and viewed for all locations through the same user interface, giving administrators full visibility into traffic and settings of all customers through a single pane of glass.

It is hoped that these updates will make WebTitan even more useful for businesses and MSPs and will further improve the user experience.
 

$5.2 Million Lost to Scammers in Two Recent BEC Attacks

Earlier this month, the FBI Internet Crime Complaint Center (IC3) released its annual Internet Crime Report, which highlights the most common attack trends and the extent of financial losses based on victims’ reports of internet crime. The report highlighted the seriousness of the threat of Business Email Compromise (BEC) attacks, which resulted in losses of more than $1.2 billion in 2018 – more than twice the losses to BEC attacks that were reported in 2017.

2019 is likely to see losses increase further still as the BEC attacks are continuing at pace. Last week, almost coinciding with the release of the report, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million.

The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer.

The FBI was contacted, and attempts are being made to recover the funds, although since the payment was made two weeks previously, it is unclear whether it will be possible to recover the money.

A few days later, news broke of another major BEC scam, this time on a church. St. Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund. The scam was a virtual carbon copy of the Scott County Schools BEC attack.

The church was contacted by its contractor after not having had invoices paid for two months. That was news to the church, which believed that payments had been made on time. The funds had left the church account but had been directed elsewhere. The investigation into the BEC attack revealed hackers had gained access to the church’s email system and altered the contractor’s bank and wire transfer instructions.

These are just two recent examples of major losses to BEC attacks. Many other million-dollar and multi-million-dollar losses have been reported over the past 12 months.

With potential profits in the upper hundreds of thousands or millions of dollars, it is no surprise that organized criminal gangs are turning to business email compromise scams. The scams are easier to pull off than many other crimes and the potential profits are considerably higher.

Business email compromise scams involve the impersonation of an individual or company. The scams are often conducted via email and usually include a request for a wire transfer. The scams require some research to identify a company to impersonate, but in many cases that is not particularly difficult. It would not be difficult, for example, to identify a contractor that is conducting a major renovation. The company’s banners are likely to be clearly visible around the building where the work is being completed.

Impersonating a company is far from challenging. It is child’s play to spoof an email and make it appear to have come from another domain. The scams are even more convincing if an email account is compromised. Then the email will come from a genuine account.

Gaining access to an email account requires a carefully crafted phishing email that directs the recipient to a phishing webpage that collects login credentials – such as Office 365 credentials. A single phishing email could start the scam in motion.

These BEC attacks show how critical it is for businesses to have an advanced anti-spam solution in place to prevent the initial phishing attack from succeeding and to implement multi-factor authentication for email accounts to make it harder for stolen credentials to be used to gain access to corporate email accounts.

 

TitanHQ Partner ViaSat Launches Secure Managed WiFi Hotspot Service for SMBs

TitanHQ partner, Viasat, has launched a new managed Wi-Fi service for businesses that allows them to offer their customers free, in-store Wi-Fi at an affordable price point.

The service is aimed at small and medium sized businesses that want to reap the rewards of providing free Wi-Fi to customers. Businesses that provide free Wi-Fi access can attract new customers and can benefit from customers spending longer in stores.

One of the problems for small businesses is finding a hotspot solution that is affordable. Most SMBs have to resort to setting up Wi-Fi access themselves, which can be difficult. Further, should errors be made, security could be placed in jeopardy and customers – or hackers – could potentially gain access to the business Wi-Fi network.

The Viasat Business Hotspots service makes the creation and management of Wi-Fi hotspots simple. The service can be used to set up Wi-Fi networks indoors or outdoors and has scope for customization. The login page is supplied in white label form ready to take a company’s branding.

The solution keeps the business Wi-Fi network totally separate from the guest Wi-Fi network. Two separate Wi-Fi networks are provided through a single internet connection. The business network remains secure and private and cannot be accessed by guest users, who are only permitted to access the public guest network.

Viasat Business Hotspots is an enterprise-grade hotspot solution for SMBs complete with a range of management and security features. Businesses that sign up for the solution can manage their hotspots through the Viasat management portal where they can view the status of the Wi-Fi network and equipment, manage user access, run a wide range of reports on usage, and customize their login screens.

Viasat Business Hotspots also incorporates enterprise-grade Wi-Fi security which is powered by WebTitan – TitanHQ’s advanced web content filtering solution.

WebTitan offers businesses the option of restricting the types of content that users can access while connected to the Wi-Fi network, such as stopping users from visiting inappropriate websites, sites hosting malware, and phishing websites.

Granular controls allow businesses to carefully control content and apply application controls. The solution also includes a full reporting suite, which lets businesses see exactly what sites users are accessing, giving them valuable insights into user behavior while in-store.

Benefits of WebTitan Cloud for WiFi for Service Providers

Some of the important benefits of WebTitan Cloud for WiFi for managed service providers and ISPs include:

  • Accurate filtering of web content using 53 pre-set categories and up to 10 custom categories.
  • Filter by keyword and keyword score.
  • Filter content in 200 languages.
  • Multiple hosting options, including within your own data center
  • No limit on access points or users
  • Manage multiple access points through a single web-based administration portal
  • Easy delegation of access point management
  • Extensive reporting suite including report scheduling, real-time views of Internet activity, and drill down reporting
  • Easy integration into existing billing, auto provisioning and monitoring systems through TitanHQ APIs
  • Available as a white label ready to take your own branding
  • World class customer service with dedicated account managers
  • Highly competitive pricing
  • Fully transparent pricing policy
  • Flexible pricing to meet the needs of MSPs including monthly billing

TitanHQ Forms Strategic Cloud Distribution Partnership with GRIDHEART

TitanHQ has formed a strategic partnership with GRIDHEART, which will see TitanHQ’s leading cloud-based email security, web security, and email archiving solutions made available to users of the Cloudmore Cloud Commerce platform.

GRIDHEART is a privately-owned Swedish company that delivers the world’s leading cloud-based solutions through its Cloud Commerce platform, Cloudmore.

For the past 10 years, GRIDHEART has been offering leading cloud solutions to its customers and resellers and now deals with more than 1,000 cloud partners. The Cloudmore platform makes selling cloud services easy and brings a wide range of cloud services together in a single unified platform.

The platform gives users complete centralized control over their cloud solutions and allows them to easily provision new customers, bill for services, automate processes, and obtain pre-and post-sales support. The platform provides a host of management tools to make control of SaaS and cloud computing simple.

The partnership with TitanHQ will see the Galway, Ireland-based cybersecurity firm add its leading cybersecurity solutions to the platform, through which users can manage the solutions for free.

GRIDHEART’s customers will be able to offer their clients the SpamTitan Cloud email security solution, the WebTitan web filtering solution, and the ArcTitan email archiving solution and provide multi-layered security to protect against email, web, and modern blended threats.

“By offering additional layers of cloud-based security through Cloudmore’s unique Cloud Commerce platform, MSPs can procure and deploy IT services for their customers and quickly maximize their IT investment, enhance their security stack and lower operational costs for their customers,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ. “This agreement highlights the importance of delivering comprehensive security solutions to the MSP community through a single and powerful platform.”

“TitanHQ fits the bill as a perfect partner with their razor focus on advanced threat protection via email and the web. We’re very happy to have them on board,” said Stefan Jacobson, Sales Director of GRIDHEART.
 

Mandatory Internet Filtering in Hawaii Under Consideration

Two companion bills have been introduced in the House and Senate that require mandatory Internet filtering in Hawaii by device manufacturers to block access to adult web content, sites that facilitate human trafficking, and illegal content such as child and revenge pornography.

The bills mirror those introduced in other states in the U.S. to restrict access to adult content by default and prevent illegal online activities. The aim of the bills is not to prevent individuals from accessing adult content in Hawaii, only to make it harder for minors to gain access to inappropriate material and to make prostitution hubs harder for the general public to access. The proposed laws will simultaneously help to protect children and fight human trafficking.

If the bills are passed, Internet filtering in Hawaii will be required by default on all Internet-enabled devices that allow the above content to be viewed.

Adults that wish to opt in to view legal adult content will be free to do so, although in order to lift the digital content block they will be required to pay a one-off fee of $20. In order to have the content block lifted, an individual would be required to provide proof of age (18+) and sign to confirm they have been provided with a written warning about the dangers of lifting the content filter. In addition to the $20 fee, manufacturers, vendors, and other individuals/companies that distribute devices will be permitted to charge a separate, reasonable fee for lifting the content block on a device.

The money raised through the $20 fee payments will be directed to a fund which will be used to support victims of human trafficking and for projects that help to prevent human trafficking and child exploitation.

Any manufacturer, vendor, company, or individual covered by the act that does not implement a digital content block will be liable for financial penalties. Financial penalties will also be applied if requests to block covered content are received and are not added to the content filter within 5 days. Similarly, if a request is made to unblock content not covered by the bill and the request is not processed within 5 days a fine will be issued. The proposed fine is $500 per piece of content.

If the bills are passed, Internet filtering in Hawaii will be mandatory from July 1, 2020.
 

Essential Anti-Phishing Controls for Businesses

Phishing is the number one threat faced by businesses and attacks are increasing across all industry sectors. Businesses of all sizes are being targeted by hackers. The risk of phishing attacks should not be underestimated.

The High Cost of a Data Breach

A successful phishing attack that results in a data breach can be incredibly costly to resolve. A 2019 Radware survey suggests the cost of a successful cyberattack has increased to $1.1 million, while the Ponemon Institute’s Cost of a Data Breach Study in 2018 placed the average cost at $3.86 million.

The Anthem Inc. data breach of 2015, which resulted in the theft of 78.8 million health plan members’ personal information, started with a phishing email. The attack resulted in losses well over $100 million.

In 2017, a phishing email sent to a MacEwan University employee resulted in a fraudulent wire transfer of $11.8 million to the attacker’s bank account.

Essential Anti-Phishing Controls for Businesses

For most businesses there are two essential elements to anti-phishing defenses: a spam filtering solution to identify phishing emails and block them before they are delivered to employees’ inboxes, and training for staff to ensure that if a malicious email makes it past the perimeter defenses, it can be identified as such before any harm is caused.

A spam filter is quick and easy to implement, although care must be taken to choose the correct solution. Not all spam filtering and anti-phishing solutions are created equal.

The Danger of Relying on Office 365 Anti-Phishing Controls

Many businesses now use Office 365 for email. 155 million business (and growing) are now using Office 365. That makes Office 365 a major target for hackers.

Microsoft does provide anti-phishing and anti-spam protection through its Advanced Threat Protection (ATP) offering for Office 365. ATP is an optional extra and comes at an additional cost.

ATP provides a reasonable level of protection against phishing, but ‘reasonable’ is not sufficient for many businesses. ATP is certainly better than nothing, but it does not provide the same level of protection as a third-party spam filtering solution from a dedicated cybersecurity solution provider.

Hackers use Office 365 accounts protected by ATP to test their phishing campaigns to make sure they can bypass Office 365 controls. Hackers can easily tell which businesses are using Office 365 as it is broadcast through public DNS MX records, so finding targets is easy.

With a third-party solution implemented, businesses will be much better protected. Hackers can tell that a business is using Office 365, but they will not know that it has advanced spam defenses from a third-party solution provider. This multi-layer approach is essential if you want to ensure you are well protected against phishing attacks.

SpamTitan is a leading spam filtering solution for businesses that is highly effective at blocking phishing and other malicious emails. Independent tests confirm the solution blocks more than 99.9% of spam and malicious emails and 100% of known malware through its two AV engines. It is a perfect addition to Office 365 to provide even greater protection against phishing threats.

Don’t Underestimate the Importance of Security Awareness Training

No technical anti-phishing solution will be 100% effective, 100% of the time. Hackers are constantly developing new techniques to bypass organizations’ defenses and occasionally messages may be delivered. Employees must therefore be trained how to identify malicious messages and conditioned to be alert to the threat of attack. Employees are the last line of defense in an organization and that defensive line will be tested.

A once a year training session may have been sufficient in the past, but the increased threat of attack means far more frequent training is required. To develop a security culture, it is necessary to have regular training sessions and use a variety of different methods to reinforce that training.

Twice a year formal training sessions should be accompanied by more frequent CBT mini-training sessions, cybersecurity newsletters, posters, and phishing email simulations to identify weaknesses.

SMBs are Being Targeted by Hackers

Many SMB owners think that their business is too small to be targeted by hackers. While large organizations are attacked more frequently, SMB cyberattacks are far from uncommon.

The 2018 State of Cybersecurity in Small and Medium Size Businesses study conducted by the Ponemon Institute showed that 67% of SMBs had experienced a cyberattack in the past 12 months and 58% had experienced a data breach.

Due to the high risk of cyberattacks and the increased number of phishing attacks on SMBs, defenses need to be improved. Businesses that fail to implement appropriate cybersecurity solutions and train staff how to identify phishing emails are a data breach waiting to happen.

Fortunately help is at hand. If you want to improve your defenses against phishing, contact TitanHQ to chat about your options.

 

Benefits of Internet Content Control for Businesses

In this post we explore the key benefits of Internet content control for businesses and explain how the disadvantages can be minimized or eliminated.

The Problems of Providing Unfettered Internet Access to Employees

Providing employees with Internet access makes a great deal of sense. In order to work efficiently and effectively, employees need access to the wealth of information that is available online. Via the internet, businesses can interact with customers and vendors and provide them with important information. Information can easily be shared with colleagues rather than relying on email, and a wide range of online tools are available to improve productivity.

The Internet is something of a double-edged sword. It offers the opportunity to improve productivity, but it also has potential to reduce productivity. A great deal of time is wasted online by employees – often referred to as cyber slacking. The losses to cyber slacking can be considerable. If each employee spends an hour a day on personal Internet use, a company with 50 employees would lose 50 hours a day or 250 hours a week. That’s 13,000 hours a year lost to personal Internet use. Many employees waste much more time online than an hour a day, so the losses can be significantly higher.

Personal Internet use can also result in legal problems for businesses. Businesses can be vicariously liable for illegal activities that take place on their network, such as illegal file sharing. Some online activities can also lead to the creation of a hostile work environment.

Giving employees full access to the Internet also introduces security risks. As well as very beneficial websites there is no shortage of malicious web content. Phishing websites are used to steal login credentials. If credentials are stolen, hackers can gain access to the network undetected and steal data and install malware. Malware downloads are also common. The cost of mitigating cyberattacks is considerable and can be catastrophic for small to medium sized businesses.

Common Internet Content Control Issues and How to Avoid Them

The solution to these issues is to implement an Internet content control solution. By carefully controlling the websites employees can access at work, productivity losses can be avoided and businesses can effectively manage risk. Access to phishing and other malicious websites can be blocked and businesses can block categories of website that are NSFW or are a major drain on productivity. The former includes adult content and the latter includes gaming websites, dating sites, and social media websites.

Internet content control for businesses is best achieved with a web filtering solution. This can either be an appliance that sits between your internal network and the Internet through which all web traffic passes, or a DNS-based web filter that applies Internet content control for businesses at the DNS level.

The former is a more traditional approach to content control that comes with certain disadvantages. The latter is a more modern approach that eliminates the problems of Internet content control for businesses.

The benefits of Internet content control for businesses are clear but there are disadvantages. Latency is a key issue. If Internet speed is slowed, productivity declines. Appliance based filtering solutions tend to slow Internet access and download speeds. DNS-based Internet content control for businesses avoids this. There is no latency with DNS-level filtering.

Cost is another sticking point. An appliance-based solution requires a significant outlay and the appliances are not scalable. They need to be upgraded when the business grows. DNS-based solutions on the other hand are highly scalable – up and down. DNS-based filtering is much cheaper – a few dollars a year per employee. TitanHQ also offers monthly billing to make the cost more affordable.

Appliances need to be selected to fit in with your network architecture and there can often be compatibility issues. DNS-filtering allows businesses to seamlessly integrate Internet content control into the current infrastructure. DNS-based filters are technology agnostic and work on all operating systems.

Easy Internet Content Control for Businesses

WebTitan Cloud is an innovative, easy to use, DNS-based web filter that provides cost-effective Internet content control for businesses of all sizes.

For further information on WebTitan Cloud, to arrange a product demonstration, or to register for a free trial, contact TitanHQ today.

WebTitan Cloud v Cisco Umbrella

The biggest problem with compiling a comparison of WebTitan Cloud v Cisco Umbrella is that the Cisco Umbrella range consists of four packages with an increasing number of capabilities per package. Additionally, there is a lack of transparency about Cisco Umbrella pricing and how many add-ons a business may need to filter the Internet effectively.

When Cisco Systems Inc. acquired OpenDNS in 2015, there was only one Cisco DNS filtering and Internet security package available – the former OpenDNS Umbrella. Since the acquisition, Cisco has broken down the Umbrella into four sets of capabilities – ostensibly to better meet the needs of all businesses; but, in practice, to disguise the cost of the packages.

By comparison, WebTitan Cloud is similar in many ways to v1 launched in 2009. Naturally there have been some improvements made to its capabilities along the way; however, the DNS filtering and Internet security solution is still as flexible and scalable as ever it was to meet the needs of businesses and Managed Service Providers (MSPs) of all sizes.

WebTitan Cloud v Cisco Umbrella Comparison

The best way to compare WebTitan Cloud v Cisco Umbrella is to list a selection of capabilities in each Cisco Umbrella package and then see where WebTitan Cloud fits into the range. The following is a snapshot of the capabilities of each Cisco Umbrella package which demonstrates how the sophistication of each package increases as you work through the range:

[Image: WebTitan Cloud v Cisco Umbrella]

The key points to note are:

  • The DNS Essentials package does not inspect and decrypt SSL traffic. This means that any encrypted website that has not yet been identified as a threat will bypass the DNS filter.
  • Both the DNS Essentials and DNS Advantage packages lack granular filtering inasmuch as it is only possible to block or allow website access by domain name, rather than by URL.
  • Although classified as a Secure Access Service Edge (SASE) solution, the SIG Essentials package lacks some key service edge security capabilities and is limited in others.
  • The SIG Advantage package includes many capabilities that businesses may already have access to via other security solutions (i.e., Microsoft Sentinel, Amazon Security Lake, etc.).
  • There is a mandatory cost for onboarding and technical support by phone. Customers who pay extra for premium support are prioritized when technical support is required.
  • There is a lack of transparency about pricing, and anecdotal evidence suggests licensing costs and the cost of optional add-ons can be negotiated – especially with resellers.
  • Cisco operates two MSP programs – neither of which allows MSPs and MSSPs a white label product to rebrand as their own. Only co-branding is tolerated.

Where WebTitan Cloud Fits Into the Cisco Umbrella Range

WebTitan Cloud is a fully featured DNS filtering and Internet security solution that includes or betters all the capabilities of Cisco's DNS Advantage package and includes several capabilities of the SIG Essentials package – including granular filtering so that businesses can block or allow Internet access by URL, group, individual, time, location, and more.

Naturally, WebTitan Cloud does not include SecureX and Cisco Investigate integration. Instead, WebTitan Cloud's threat database is updated in “real-time” to mitigate the risk of emerging threats evading detection and reduce the need for threat response services. WebTitan Cloud also includes “Zero-Minute” protection against emerging phishing threats.

Importantly, with WebTitan Cloud, what you see is what you get. Customer support is included in the subscription cost, there are no optional add-ons, and there is no need to subscribe to other WebTitan services to take advantage of the full range of DNS filtering and Internet security capabilities. Also, for MSPs and resellers, WebTitan Cloud is available as a white label service.

In terms of subscription costs, the maximum price a business will pay for WebTitan Cloud in 2023 is $1.58 per user per month – the price decreasing according to the number of users and length of subscription. Unlike Cisco, it is not necessary to pay the subscription cost all upfront in order to take advantage of WebTitan Cloud pricing, and there is no premium for monthly payments.

WebTitan Cloud v Cisco Umbrella Conclusion

Our comparison of WebTitan Cloud v Cisco Umbrella demonstrates that, if a business has subscribed to a DNS Essentials or DNS Advantage package and is paying more than $1.58 per user per month once the mandatory and optional add-ons are taken into account, it makes economic sense to switch to WebTitan Cloud. Not only will the business save money, but it will also have more protection against web-borne threats and more control over Internet activity.

New Research Reveals Extent of Reputation Loss After a Cyberattack

Reputation loss after a cyberattack can have a major impact on businesses. While large companies may be able to absorb the loss of customers that results, for small to medium businesses, reputation damage and loss of customers can prove devastating.

Cybersecurity consultants and computer forensics firms can be hired to find out how an attack occurred, and new solutions can be implemented to plug the holes through which access to the network was gained. Regaining the trust of customers can be much harder. Once trust in a brand is lost, some customers will leave and never return.

When personal data has been exposed or stolen, customers feel betrayed. Company privacy policies may not be read, but customers believe that any company that collects their personal data has a responsibility to protect it. A data breach is seen as a breach of the company’s responsibility to keep personal data private and secure, and many customers will take their business elsewhere after such a privacy violation.

Reputation loss after a cyberattack can also make it hard to find new customers. Once information about a breach has been made public, it can be enough to see potential customers avoid a brand.

Extent of Reputation Loss After a Cyberattack

Radware recently conducted a survey to investigate the cost of cyberattacks on businesses. The study revealed that 43% of participating companies said they had experienced negative customer experiences and reputation loss as a result of a successful cyberattack.

Previous studies suggest that as many as one third of customers will stop doing business with a company that has experienced a data breach. A study by Gemalto paints an even bleaker picture. In a global survey of 10,000 individuals, 70% claimed they would stop doing business with a company that had experienced a data breach.

The cyberattack on the telecoms company TalkTalk in 2015 – which cost the firm an estimated £77 million – caused uproar online. Customers turned to social media networks to express their rage about loss of service and the theft of their personal data. The company’s reputation took a massive hit as a result of the attack, not helped by interviews with the hackers who explained how easy it was. The firm claimed it lost around 101,000 customers as a result of the incident. Research from Kantar Worldpanel ComTech suggests 7% of its broadband customers – around 300,000 people – left the firm for another provider.

With such potential losses, it is no surprise that the Marsh and Microsoft Global Cyber Risk Perception Survey in 2018 found that reputation loss after a cyberattack was the biggest concern of companies. 59% of respondents rated it as a major concern.

Steps can naturally be taken to limit customer turnover, repair reputations, and win back customer trust, but repairing damage to a brand and winning back customers can be a long uphill struggle.

Given the high probability of a cyberattack and the potential repercussions, increased investment in cybersecurity defenses to prevent breaches should be given serious consideration.

It is not possible to prevent all cyberattacks, but it is possible to implement security solutions to protect against the most common attack vectors – email and malicious websites – and that is an area where TitanHQ can help.

Fallout Exploit Kit Returns with Additional Functionality and New Exploit

The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878).

Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made, including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a zero-day use-after-free Adobe Flash Player vulnerability (CVE-2018-15982), which was patched on December 5, 2018. This vulnerability is also exploited by the Underminer exploit kit.

The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware.

The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened. If there is an unpatched vulnerability for which Fallout has an exploit, the ransomware or malware payload will be silently downloaded.

Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but the latest updates show EKs are still a threat and that they are regularly being updated with the latest exploits.

Exploit kits can only deliver malware if unpatched vulnerabilities are present, so prompt patching is strongly recommended. Users also need to visit the sites hosting the exploit kit. Businesses can prevent users from visiting malicious websites using a web filter.

Web filters use blacklists of websites known to host exploit kits and are capable of scanning websites for malicious content. They can also prevent third-party ads from being displayed, thus preventing redirects. Since certain categories of website are often used in malvertising campaigns, adult sites and torrent sites for instance, blocking access to those categories of content with a web filter is also recommended.

For further information on web filtering and how it can protect against web-based attacks, contact the TitanHQ team today.

Why Change from Cisco Umbrella to WebTitan?

If you subscribe to a Cisco Umbrella DNS filtering and Internet security service, it may be worth your while considering a change from Cisco Umbrella to WebTitan Cloud. In this post we explain some of the main benefits of changing from Cisco Umbrella to WebTitan and illustrate this with an example from the education sector.

Cisco Umbrella has evolved from the former OpenDNS Enterprise service to a four-tiered DNS filtering and Internet security service. At the entry-level tier, businesses get a less-than-ideal service with basic web filtering capabilities that lack SSL decryption and inspection; while, at the top tier, businesses can find themselves paying for services they may never use or that are already present in other security solutions.

Selecting the right tier of service to best protect the business from web-borne threats and control Internet activity is not the only challenge. One of the reasons businesses change from Cisco Umbrella to WebTitan is a lack of transparency about the cost of Cisco Umbrella – notwithstanding that businesses not only have to pay the licensing fee, but also the cost of mandatory and optional add-ons to maximize the effectiveness of the service.

Cisco Umbrella Licensing

Like most software services, Cisco Umbrella licensing is via a subscription service. Terms are for one year or three years, and in most cases must be paid all upfront. The licensing cost does not include mandatory onboarding and technical support, while there is a further “optional add-on” for premium support if a business wants its calls to support to be prioritized. Basically, businesses have to pay twice to get a decent level of support from Cisco.

Other optional add-ons vary according to which tier is subscribed to – and some are not available in all tiers. For example, if you want to identify which internal IP address was responsible for a malware download, you have to subscribe to a secondary Cisco service. However, this option is not available to subscribers of the DNS Essentials tier. Other optional add-ons and limitations by tier are illustrated in the table below.

[Table image: WebTitan Cloud v Cisco Umbrella]

Cisco Umbrella Pricing

Cisco Umbrella pricing is variable depending on the number of users, the length of the subscription, the location of the business, and any discounts negotiated with Cisco directly or a reseller. Some resellers do advertise fixed-price Cisco Umbrella packages, but it is often not possible to tell whether or not the cost of mandatory onboarding and technical support is included – or what additional optional add-ons are included in the price.

Anecdotal evidence suggests that businesses pay from $2.20 per user per month for the ineffective DNS Essentials service, while the DNS Advantage service – which lacks granular block and allow lists – costs up to $5.50 per user per month. Nobody appears to be prepared to disclose what they are paying for the SIG Essentials or SIG Advantage tiers, or whether they are able to take advantage of all the services' capabilities.

Why Change from Cisco Umbrella to WebTitan?

WebTitan is a fully featured, cloud-based DNS filtering and Internet security service that includes most of the capabilities of the DNS Advantage tier and some of the capabilities of the SIG Essentials tier. The capabilities not included in WebTitan Cloud are SecureX and Investigate threat response integration. This is because WebTitan Cloud updates its threat intelligence database in real time and includes “zero-minute” protection against phishing URLs to mitigate the need for threat response.

Additionally, although the cost of WebTitan Cloud varies according to the number of users and length of subscription, the price you see is the price you pay. Customer support is included in the subscription cost, there are no optional add-ons, and there is no need to subscribe to a secondary service to take advantage of WebTitan's capabilities. In terms of cost, the maximum a business will pay for WebTitan Cloud in 2023 is $1.58 per user per month. The option also exists for monthly payments.

Case Study Background

Web Filtering for Schools and Libraries and CIPA Compliance

Web filters are a requirement of the Children’s Internet Protection Act (CIPA). CIPA was enacted by Congress in 2000 and is concerned with protecting minors from harmful website content such as pornography. CIPA requires schools and libraries to implement an Internet safety policy that addresses the safety and security of minors online.

To comply with CIPA, measures must be introduced to block access to obscene content, child pornography, and other web content that is considered to be harmful to minors. Additionally, schools must educate minors about appropriate online behavior and monitor the online activities of minors.

While there are many choices of web filters for schools that can help them comply with CIPA, not all solutions are created equal. While it is usually easy to block access to harmful content, with some solutions monitoring user activity can be difficult and time consuming, and solutions as feature-rich and complex as Cisco Umbrella may be considered overkill for schools and libraries only looking to block access to obscene images.

Case Study

Why Did Saint Joseph Seminary College Change from Cisco Umbrella to WebTitan?

There is no doubt that Cisco has developed a powerful web filtering solution in Umbrella that can offer protection from web-based threats and allow content control, but the solution is not without its drawbacks.

One of the main downsides is usability, especially monitoring the online activities of users, something that is particularly important for CIPA compliance. It was proving to be particularly difficult for Saint Joseph Seminary College, which needed to quickly identify attempts by students to access restricted content.

“I don’t need rounded corners and elegant fonts when I am trying to see who has been visiting dangerous websites. I need to clearly see domain names and internal IPs,” explained Saint Joseph Seminary College IT Director Todd Russell. “In my opinion, after Cisco bought OpenDNS, they made some major changes to the UI which made it virtually useless for quickly looking through blocked traffic for signs of particular types of usage.” The complexity of the user interface made the solution unpopular with IT staff and the complexity was jeopardizing security.

Ease of use was a major problem, but the troubles didn’t end there. There was also the issue of cost. “We found that once Cisco bought OpenDNS, they began upping the Umbrella pricing every year at renewal time. Despite the repeated price increases, the service was not improving and there was no additional value offered,” explained Russell.

Cost and usability issues prompted Russell to look for a Cisco Umbrella alternative. After assessing various Cisco Umbrella alternatives, the decision was taken to switch from Cisco Umbrella to WebTitan. “It didn’t take long to realize that WebTitan was the best alternative for an efficient, cost-effective, and easy to use filtering solution to replace Cisco Umbrella,” explained Russell.

“I am able to quickly scan an entire previous day of blocked traffic and take a closer look at the full traffic on any users that raise a concern in a matter of minutes. This has saved me an enormous amount of time when I need to examine a user’s traffic, but it has also made it possible for me to keep close tabs on our traffic.” All the information required was accessible with just two clicks.

In terms of time savings gained from using WebTitan and the lower cost of running the solution, the college has been able to make significant cost savings as well as identify and remediate issues immediately, which means greater safety and security for students.

Are You Looking for an Alternative to Cisco Umbrella?

If you are currently using Cisco Umbrella and are frustrated with the interface and are unable to easily get the information you need, or if you are looking for a lower-cost alternative to Cisco Umbrella that will not jeopardize security, you have nothing to lose by evaluating WebTitan.

Contact the WebTitan team today via the links at the top of the page and you can arrange a product demonstration and set up a free trial of the full solution to see for yourself the difference it makes. In the words of Todd Russell, “That brief demo was all I needed to know that WebTitan would serve my needs much better than Umbrella and I have been thrilled with the improvements to my workflow since switching over.”

How to Improve Wireless Access Point Security

It is straightforward to implement security controls to protect wired networks, but many businesses fail to apply the same controls to improve WiFi security, often due to a lack of understanding about how to improve wireless access point security. In this post we cover some of the main threats associated with WiFi networks and explain how easy it can be to improve wireless access point security.

Wireless Access Points are a Security Risk

Most businesses now apply web filters to control the types of content that can be accessed by employees on their wired networks but securing wireless networks can be more of a challenge. It is harder to control and monitor access and block content on WiFi networks.

Anyone within range of the access point can launch an attack, especially on public WiFi hotspots which have one set of credentials for all guest users. It is therefore essential that controls are implemented to improve wireless access point security and protect users of the WiFi network.

WiFi Security Threats

A single set of credentials means cybercriminals are afforded a high degree of anonymity. That allows them to use WiFi networks to identify local network vulnerabilities virtually undetected. They could conduct brute force attacks on routers, for example, or use WiFi access to inject malware on servers that lack appropriate security. If access is gained to the router, attacks can be launched on connected devices, and malware can be installed on multiple end points or even POS systems to steal customers’ credit/debit card information.

The cyberattack on Dyn is a good example of how malware can be installed and used for malicious purposes. The DNS service provider was attacked which resulted in large sections of the Internet being made inaccessible. A botnet of more than 100,000 compromised routers and IoT devices was used in the attack.

Man-in-the-Middle attacks are also common on Wi-Fi networks. Any unencrypted content can be intercepted, for example when information is exchanged between a user and an HTTP site rather than an HTTPS site and a VPN is not used.

Public WiFi networks are often used for all manner of nefarious purposes due to the anonymity provided. If users take advantage of that anonymity to access illegal content and download child pornography or perform copyright infringing downloads of music, films, and TV shows from P2P file sharing sites, an investigation would center on the hotspot provider. Questions would likely be asked about the lack of security controls to prevent illegal website access.

The Easy Way to Improve Wireless Access Point Security

The easy way to improve wireless access point security is a web filtering solution. Web filtering solutions are usually implemented by businesses to secure wired networks, but solutions also exist to improve wireless access point security.

A web filter forms a barrier between the users of the network and the Internet. Controls can be applied to stop users from accessing dangerous, illegal, or inappropriate website content. Even if each user has their own access controls, without a web filter, users will still be vulnerable to malware attacks and phishing attempts and the hotspot provider may be liable for illegal activities over the WiFi network.

There are two ways of implementing WiFi web filtering to improve wireless access point security. One is to rely on a list of categorized domain names and use that to control content. The other is DNS-layer web filtering, which uses the DNS lookup process that is required before any user is directed to a website after entering the domain name into their browser. The DNS server turns the domain name into an IP address to allow the web page to be found.

Why DNS Filtering is the Best Way to Improve Wireless Access Point Security

The main difference between the two types of web filtering is the point at which access is blocked. With a traditional web filter, content is first downloaded before it is blocked, which is a risk. With DNS-layer filtering, content is blocked during the lookup process before content is downloaded.

If content is downloaded before being blocked, this will naturally have an impact on available bandwidth. DNS-layer filtering has no impact on bandwidth, since the content is blocked before it is downloaded.

DNS filtering does not need to be integrated with other systems and it works across all devices and operating systems, since they all use DNS servers to access websites.

DNS filtering is also quick and easy to implement. No appliances need to be purchased, hardware doesn’t need to be upgraded, and no software downloads are required. A simple change to the DNS is all that is required to point it to the provider’s DNS server. It is also much easier to maintain. No software updates are necessary and, in contrast to other security solutions, no patching is required. It is all handled by the service provider.
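To make the lookup-time decision concrete, the following added example (not WebTitan code or any vendor's implementation) parses a DNS query, matches the queried name against a category list, and either forwards it or answers with a sinkhole address. The domains, categories, function names and the `192.0.2.10` block-page address are constructed for illustration; note that the filter only ever sees the domain name, never a URL path.

```python
import socket
import struct

# Constructed sample policy (hypothetical names under the reserved .example TLD).
CATEGORIES = {
    "phish-login.example": "phishing",
    "casino.example": "gambling",
    "shop.example": "shopping",
}
BLOCKED_CATEGORIES = {"phishing", "gambling"}
SINKHOLE_IP = "192.0.2.10"  # TEST-NET-1 address standing in for a block-page server


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal RFC 1035 query so the example has realistic input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (txid, qname, qtype, end_offset) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length > 63 or off + length > len(packet):
            raise ValueError("invalid label")  # also rejects compression pointers
        labels.append(packet[off:off + length].decode("ascii").lower())
        off += length
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4


def categorize(qname):
    """Suffix match on label boundaries, so subdomains inherit a category
    but look-alike names such as notcasino.example do not."""
    labels = qname.split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None


def filter_query(packet):
    """Decide during the lookup. Returns (verdict, qname, response or None)."""
    txid, qname, qtype, qend = parse_question(packet)
    if categorize(qname) not in BLOCKED_CATEGORIES:
        return "forward", qname, None  # a real filter relays this upstream
    question = packet[12:qend]
    if qtype == 1:  # A query: answer with the sinkhole so a block page can be shown
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # pointer to QNAME, TTL 60
        return "block", qname, header + question + answer + socket.inet_aton(SINKHOLE_IP)
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)  # NXDOMAIN otherwise
    return "block", qname, header + question


if __name__ == "__main__":
    for host in ("www.casino.example", "shop.example", "notcasino.example"):
        verdict, name, _ = filter_query(build_query(host))
        print(f"{name}: {verdict}")
```

Because the blocked client never receives the site's real address, no connection to the site is made and nothing is downloaded from it.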

WebTitan Cloud for WiFi – The Leading Wireless Access Point Security Solution

TitanHQ has set the standard for WiFi security with WebTitan Cloud for WiFi. WebTitan Cloud for WiFi gives businesses the opportunity to implement bulletproof WiFi security to protect end users from online threats, block malware downloads, and carefully control the content that can be accessed by wireless network users.

Businesses that run WiFi hotspots can quickly and easily implement the solution and let TitanHQ secure their WiFi networks and provide the massive processing power to fight current and emerging web-based threats. With WebTitan Cloud for WiFi, businesses can instead concentrate on profit-generating areas of the business.

If you want to improve wireless access point security, contact TitanHQ for further information on WebTitan Cloud for WiFi. Our security experts will be happy to schedule a product demonstration and set up a free trial.

FAQs

Can I secure multiple access points at different geographical locations?

WebTitan is a DNS-based web filtering solution that sees all filtering take place in the cloud. Being cloud-based, WebTitan can be used to filter the Internet at any location, for both wired and wireless networks. You can protect multiple access points through the same solution, even if those access points are in different cities or countries. You can set controls for each access point through a single web-based user interface.

Can I set different filtering controls for employees and guest users?

With WebTitan you have full control over the content that can be accessed by all users of your access points. You can set different filtering controls for individuals, departments, user groups such as guest users, and the entire organization. You have highly granular control over the content that can be accessed, with filtering by category, keyword, and URL.

Is it possible to bypass filtering on access points?

Most people will attempt to bypass filtering controls on access points by using an anonymizer service or proxy. If the Internet is accessed through the anonymizer website or proxy, the actual content viewed will not be visible via the web filtering service. To prevent users from bypassing the web filter you can block anonymizer services through the WebTitan UI.

Can I block specific websites on my access points?

You can use the blacklisting feature of WebTitan to prevent a specific website from being accessed via your access points. You can do this for the entire organization, for different departments or user groups, or for specific individuals. Conversely, you can use whitelisting to allow a website to be accessed even if it contravenes other filtering controls.

Is it possible to temporarily disable filtering on access points?

With WebTitan, you do not need to disable web filtering if you need to bypass your web filtering policies on a temporary basis. You can configure a cloud key that can be used to bypass filtering controls for a limited period and can set the duration that the cloud key is valid through your UI.

Internet Filtering to Improve Employee Productivity

In this post we explore the use of Internet filtering to improve employee productivity, including statistics from recent surveys that show how many companies are now choosing to control employee Internet access more carefully.

Employee Productivity Falls on Black Friday and Cyber Monday

The staffing firm Robert Half Technology recently conducted a survey of 2,500 chief information officers (CIOs) across 25 metropolitan areas in the United States and more than 1,000 U.S. office workers over 18 years of age to determine how Black Friday and Cyber Monday affect employee productivity.

The results of the survey provide an indication of what goes on throughout the year, but Black Friday and Cyber Monday were studied as they are the two busiest days for online shopping. The survey results show that three quarters of employees spent at least some of Cyber Monday shopping online on a work device. Four out of 10 workers said they spent more than an hour looking for bargains online on Cyber Monday while they were at work. 23% said they were expecting to spend even longer than that this year.

46% of workers said they would be online shopping on their work computers during their lunch hour and breaks, but 29% said they would be shopping throughout the day and would be keeping browser tabs open. 20% of workers said they would do online shopping at work in the morning.

While policies on accessing pornography may have been made crystal clear, online shopping is something of a gray area. 31% of employees were not aware of their company’s stance on online shopping on work devices. 43% said their employers permit it and 26% said it is not permitted.

The survey of CIOs shows 49% of companies allow online shopping within reason but that they monitor employee Internet use. 22% said they allow totally unrestricted Internet access while 29% have implemented solutions to block access to online shopping sites.

In June 2018, Spiceworks published the results of a survey that showed 58% of organizations actively monitor employee Internet activity and 89% of organizations use Internet filters to block at least one category of Internet content.

Most surveyed companies use Internet filtering to improve employee productivity. While only 13% block online shopping sites, many companies block other productivity-draining sites such as social media, gaming, gambling and dating sites.

Internet filtering to improve employee productivity is important, but the majority of companies are flexible when it comes to employee Internet use for personal shopping, provided employees keep it to a reasonable level.

Monitoring Employee Internet Access to Prevent Abuse

Many businesses use Internet filtering to improve employee productivity and enforce acceptable usage policies. Some control Internet access with an iron fist, others are much more permissive.

Regardless of the controls that are put in place, Internet filters also allow employers to keep close tabs on their employees’ Internet activity. An internet filter is a useful tool for monitoring employees, not just enforcing company policies.

Internet filters allow employers to easily check employee Internet use while maintaining relatively permissive controls. This allows them to take action when individuals are abusing Internet access. Monitoring is easy as reports can be generated on user, group, or organization-wide activity while providing information on browsing activity in real time. Reports can also be automatically generated and sent to department heads or IT security teams.

Different controls can be applied to different user groups and time-based controls can be set, for instance, only permitting online shopping during lunch hours or other scheduled breaks. Such controls would be useful for stopping the 20% of workers that do their online shopping at work in the morning which, in many businesses, is the most important part of the day when productivity needs to be high.

Since controls can be applied for different types of Internet content, security can be maintained by blocking access to high risk sites and illegal or totally unacceptable content all of the time, while restrictions on other categories of content can be eased during relatively quiet periods.
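The group, category and time-based controls described above can be pictured as a small policy evaluator. The following is an added example, not WebTitan code: the category data, group names, lunch-hour window and the functions `categorize` and `decide` are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed domain-to-category data for the example (reserved .example names).
# A production filter would use a maintained categorization database.
CATEGORY_DB = {
    "shop.example": "shopping",
    "social.example": "social-media",
    "malware.example": "malware",
    "phish.example": "phishing",
}

# High-risk categories are blocked for every group, all of the time.
ALWAYS_BLOCKED = {"malware", "phishing"}


@dataclass
class GroupPolicy:
    blocked: set = field(default_factory=set)   # categories blocked outright
    timed: dict = field(default_factory=dict)   # category -> [(start, end), ...]


# Hypothetical policies: shopping only during the lunch hour for everyone,
# social media blocked by default but permitted for the marketing group.
LUNCH = [(time(12, 0), time(13, 0))]
POLICIES = {
    "default": GroupPolicy(blocked={"social-media"}, timed={"shopping": LUNCH}),
    "marketing": GroupPolicy(timed={"shopping": LUNCH}),
}


def categorize(host):
    """Match on whole DNS labels so subdomains inherit the parent's category
    while look-alike names such as 'notshop.example' do not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def decide(group, host, now):
    """Return (action, category, reason) for a request made at time `now`."""
    category = categorize(host)
    # Security categories are checked first so no group rule can relax them.
    if category in ALWAYS_BLOCKED:
        return "block", category, "always-blocked category"
    policy = POLICIES.get(group, POLICIES["default"])
    if category in policy.blocked:
        return "block", category, "blocked for group"
    windows = policy.timed.get(category)
    if windows is not None:
        # End of window is exclusive: 13:00 sharp is outside the lunch hour.
        if any(start <= now < end for start, end in windows):
            return "allow", category, "inside permitted window"
        return "block", category, "outside permitted window"
    return "allow", category, "no rule applies"


if __name__ == "__main__":
    for group, host, now in [
        ("default", "www.shop.example", time(9, 30)),
        ("default", "www.shop.example", time(12, 30)),
        ("marketing", "social.example", time(9, 30)),
        ("marketing", "cdn.malware.example", time(12, 30)),
    ]:
        print(group, host, now, decide(group, host, now))
```

The ordering of the checks is the point: the always-blocked security categories are evaluated before any group or time rule, so easing productivity restrictions never weakens protection against malicious sites.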

In short, Internet filters should not be viewed just as a way of restricting employee Internet access, but as a tool for the management of Internet use to improve security and enjoy productivity gains while giving employees some flexibility.

How TitanHQ Can Help

Not all Internet filters offer businesses the highly granular controls that are necessary to carefully control Internet content. Many lack flexibility and have difficult to use interfaces.

Applying and managing Internet filters should be an easy process, which is why TitanHQ developed the WebTitan suite of products. WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for WiFi have been developed to make Internet filtering a simple process, while giving businesses the ability to precisely control employee Internet access to achieve productivity gains and improve security.

What Makes WebTitan the Ideal Choice for Businesses

Listed below are some of the key features of WebTitan that are often found lacking in other business Internet filtering solutions.

  • No hardware purchases necessary
  • No software downloads required
  • Quick and easy set up and application of Internet policies
  • Highly granular controls allow flexible policies to be applied
  • Links with Active Directory and LDAP allowing easy application of organization, department, group, or user-level Internet controls
  • Easily block content through 53 pre-defined categories and 10 customizable categories
  • Keyword-based filtering controls
  • Time-based filtering
  • SSL inspection
  • Dual anti-virus engines provide leading AV protection
  • Excellent protection from phishing websites
  • An intuitive web-based user interface places all information and controls at your fingertips
  • Highly scalable
  • Protect wired and wireless networks, including protection/content controls for off-site workers
  • Provides full visibility of network usage
  • Full reporting suite, including group and user activity, real time browsing activity, report scheduling, and real-time alerts

If you want to use Internet filtering to improve employee productivity, enforce acceptable usage policies, and improve security by blocking web-based threats, WebTitan is the ideal solution.

For more information on WebTitan and advice on the best option to suit the needs of your business, contact the TitanHQ team today. Our experts will be happy to book a product demonstration and help you take advantage of a free trial of the full product to see the solution in action and discover the difference it makes.

 

University Students Call for WiFi Filters to Block Pornography

The students of Notre Dame University in Indiana are calling for WiFi filters to block pornography on public WiFi hotspots at the university. The campaign has attracted more than 1,000 signatures and now Enough is Enough has added its backing to the campaign.

Pressure Mounting on WiFi Hotspot Providers to Implement Content Controls

There have been calls for coffee shops, restaurants, and other WiFi hotspot providers to use WiFi filters to block pornography. One campaign targeting Starbucks has recently proven to be successful. A campaign led by the pressure group Enough is Enough helped to convince the global coffee shop chain to finally implement WiFi filters to block pornography, albeit more than two years after the initial promise was made. A similar campaign in 2016 resulted in WiFi filters being implemented in McDonald’s restaurants.

This week, Enough is Enough has issued a fresh call for the use of WiFi filters to block pornography, this time at the University of Notre Dame in Indiana.

Support for University of Notre Dame Students Demanding WiFi Filters to Block Pornography

In October 2018, Jim Martinson, a student at the University of Notre Dame, launched a campaign calling for the University to implement a WiFi filter to block pornography on campus. The university cannot stop students from using their own devices and data to view adult content, but Martinson believes the university should not be allowing students to freely use its WiFi networks to view pornographic material on campus.

Jim Martinson’s campaign has gathered considerable support. After writing a letter to the university from the men of Notre Dame, to which 80 fellow male students added their names, a similar letter was written by Ellie Gardey. Gardey’s letter was signed by 68 female students at the university.

In Jim Martinson’s letter to the university from the men of Notre Dame, he cites a previous university survey, conducted in 2013, which revealed 63% of male students had viewed pornography on the WiFi network of the university. That figure is in line with various national surveys that showed 64% of men and 18% of women at colleges spend at least some time each week viewing pornography. National research indicates that each month, 86% of men have at least some interactions with pornographic material. Martinson also points out that pornography has already been declared a public health crisis in five states due to the harm it causes and that the university needs to take action to protect students.

Since the letters were written, the campaign has gathered more than 1,000 signatures from staff and students. Yet even with widespread approval for university WiFi filtering, nothing has yet been done to accommodate the request.

Enough is Enough Launches its Own Campaign to Pressure the University to Take Action

Enough is Enough has now launched its own campaign to pressure the university into responding to the request and has given its backing to the Notre Dame porn free WiFi campaign.

“By implementing a filtered WiFi solution, the University of Notre Dame can stand as a leader among colleges and universities to ensure the safety of its students, faculty and others,” explained EIE President and CEO, Donna Rice Hughes. “Having a policy prohibiting porn or sexually explicit material is not enough – taking concrete action to prevent its access is the only viable solution. Filtered WiFi will also prevent predators from accessing child pornography utilizing the University’s WiFi and flying under the radar of law enforcement.”

Blocking objectionable and illegal web content is just one of the reasons why educational institutions may consider implementing a filtered WiFi solution. There are several other important reasons for exercising some control over what can happen on WiFi networks, the most important of which relates to cybersecurity. A WiFi filter not only allows certain categories of web content to be blocked, it will also prevent students from accessing phishing websites and sites known to harbor malware.

Universities and other educational institutions are being targeted by cybercriminals to gain access to sensitive data, access computers for cryptocurrency mining, and to install ransomware which encrypts entire networks and holds computer systems and data to ransom. In March 2021, the FBI issued a joint alert with DHS-CISA warning of a ransomware campaign specifically targeting the education sector using Pysa ransomware, although the Pysa gang is only one of the many threat groups targeting education.

Regardless of the categories of content that are blocked – pornography, gambling, hate speech etc. – a WiFi filter should be used to block these very real cyber threats. WiFi filters include blacklists of known malicious websites and will prevent access to malicious content to protect the WiFi network itself and any individual who connects to it, and will create a safe and secure WiFi network for all staff and students to use.

WebTitan Cloud for WiFi – A Simple but Powerful WiFi Filtering Solution

TitanHQ has developed an easy-to-use WiFi filtering solution that is ideal for use in educational institutions. WebTitan Cloud for WiFi can be used to prevent WiFi users from accessing harmful, malicious web content that steals sensitive information or is used to distribute malicious software such as malware and ransomware. Malicious content will be automatically blocked, and other blacklists will block access to illegal content such as child pornography and copyright-infringing downloads. The WiFi filter can also be used to block access to content by a specific URL or domain, category of website, keywords, or keyword density. It is also possible to block downloads of specific file types.

Highly granular controls prevent overblocking of web content and allow universities and other educational institutions to restrict access to certain types of web content with precision, such as blocking pornography without blocking educational content of a sexual nature.

WebTitan Cloud for WiFi is a cloud-based solution that can be used to protect and restrict access to web content for multiple access points, even if those access points are distributed widely geographically. All of the access points can be controlled via a single, intuitive web-based user interface.

Being 100% cloud based, the solution requires no hardware or software, the cost per user is low, and the filtering controls are highly accurate. The solution provides coverage of Alexa’s top 1 million most visited websites, supports blacklists such as the child pornography/child abuse blacklist maintained by the Internet Watch Foundation, and allows 53 categories of website to be blocked with a click of a mouse.

Why WebTitan Cloud for WiFi is an Ideal WiFi Filter for Universities

  • Provides protection from phishing, malware, and ransomware attacks via the web
  • No software installations or hardware required
  • Central control of multiple routers
  • No restrictions on the number of users connected to the service
  • Easy to use solution that requires no training
  • Scalable to hundreds of thousands of WiFi users
  • Customizable reports on network usage and traffic
  • No latency
  • No bandwidth restrictions
  • Easy integration with other systems through APIs
  • Range of hosting options: WebTitan Cloud, Private cloud, or within your own data center
  • World-class customer support

For further information on WebTitan Cloud for WiFi, to book a product demonstration, or to sign up for a free trial to see the solution in action in your own environment, contact the TitanHQ team today.

Dunkin Donuts Data Breach Highlights Risks of Password Reuse

A credential stuffing attack has led to a Dunkin Donuts data breach which has seen some customer data compromised. While the breach was limited and most attempts to access customers’ DD Perks accounts were blocked, the incident does highlight the risks of password reuse.

It is unclear exactly how many customers have been affected, but for certain customers, the attackers may have gained access to their DD Perks accounts, the loyalty program run by the donut company. The Dunkin Donuts data breach was limited to first and last names, email addresses, DD Perks account numbers, and QR codes.

The method used to gain access to customers’ DD Perks accounts was unsophisticated, cheap to conduct, and for the most part can be conducted automatically. Low cost and little effort make for a winning combination for hackers.

The Dunkin Donuts data breach did not involve internal systems and no credentials were stolen from the donut giant. Customers’ usernames (email addresses) and passwords were obtained from security breaches at other companies. Those usernames and passwords were then utilized in an automated attack on Dunkin Donuts customers’ DD Perks accounts. Dunkin Donuts has performed a password reset and affected users will be required to choose a new password. New DD Perks account numbers will be given to affected customers and their card balances will be transferred to the new account.

Since Dunkin Donuts did not expose any passwords and its systems remained secure, the only individuals that will have been affected are those that have used the same password for their DD Perks account that they have used on other online platforms.

The Risks of Password Reuse

Hackers obtain credentials from multiple data breaches, compile the data to create a list of passwords that have previously been used with a specific email address, then conduct what is known as a credential stuffing attack. Multiple login attempts are made using the different passwords associated with an email address.
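On the defending side, a credential stuffing run has a recognizable shape in authentication logs: one source fails against many different accounts in a short period, with the occasional success where a password was reused. The following added example (not from the original article or from Dunkin Donuts) flags such sources in a constructed log and lists the accounts that would need a forced password reset; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, example.com accounts).
# Assumed format: ISO timestamp, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2018-11-01T09:00:00 198.51.100.20 grace@example.com FAIL
2018-11-01T09:00:20 198.51.100.20 grace@example.com FAIL
2018-11-01T09:00:45 198.51.100.20 grace@example.com OK
2018-11-01T09:10:01 203.0.113.7 alice@example.com FAIL
2018-11-01T09:10:02 203.0.113.7 alice@example.com FAIL
2018-11-01T09:10:03 203.0.113.7 bob@example.com FAIL
2018-11-01T09:10:04 203.0.113.7 carol@example.com OK
2018-11-01T09:10:05 203.0.113.7 dave@example.com FAIL
2018-11-01T09:10:06 203.0.113.7 erin@example.com FAIL
2018-11-01T09:10:07 203.0.113.7 frank@example.com FAIL
"""

WINDOW = timedelta(minutes=5)   # sliding window per source (assumed value)
MAX_FAILED_ACCOUNTS = 4         # distinct accounts failing per window (assumed)


def parse_log(text):
    """Turn log text into time-ordered (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return sorted(events)


def flag_sources(events):
    """Flag sources that fail against many *distinct* accounts within WINDOW.

    Counting distinct accounts rather than raw failures keeps a user who
    mistypes their own password several times from being flagged.
    """
    failures = defaultdict(deque)   # ip -> recent (timestamp, user) failures
    flagged = set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        recent = failures[ip]
        recent.append((ts, user))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        if len({u for _, u in recent}) >= MAX_FAILED_ACCOUNTS:
            flagged.add(ip)
    return flagged


def accounts_to_reset(events, flagged):
    """Every account a flagged source logged into, including successes that
    happened before the source crossed the threshold."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


def analyse(text):
    events = parse_log(text)
    flagged = flag_sources(events)
    return flagged, accounts_to_reset(events, flagged)


if __name__ == "__main__":
    sources, resets = analyse(SAMPLE_LOG)
    print("flagged sources:", sorted(sources))
    print("force password reset for:", sorted(resets))
```

The second pass matters: the one successful login in the sample occurs before the source crosses the threshold, so a detector that only looked forward from the moment of flagging would miss the compromised account.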

The Dunkin Donuts data breach demonstrates the importance of good password hygiene and the risks of password reuse. Every user account must be secured with a strong, unique password: one that has not been used with a particular email address or username in the past and is not shared across multiple platforms.

With a unique password for every account, if any online platform experiences a data breach and credentials are obtained, only the account at the breached entity will be compromised.

Naturally, using different passwords for each account means users are required to have scores of unique passwords for their work and personal accounts and remembering strong passwords can be difficult. That is why so many people reuse passwords on multiple accounts or recycle old passwords.

To avoid having to remember so many passwords, it is advisable to use a password manager to generate strong passwords and store them. Of course, the password manager account must be secured with a very strong password or long passphrase because, if that account is breached, all passwords will be compromised.

WiFi Filtering and Protecting Your Brand

There are many reasons why businesses should implement a WiFi filtering solution, but one of the most important aspects of WiFi filtering is protecting your brand.

The Importance of Brand Protection

It takes a lot of hard work to create a strong brand that customers trust, but trust can easily be lost if a company’s reputation is damaged. If that happens, rebuilding the reputation of your company can be a major challenge.

Brand reputation can be damaged in many ways and it is even easier now thanks to the Internet and the popularity of social media sites. Bad feedback about a company can spread like wildfire and negative reviews are wont to go viral.

Smart business owners are proactive and take steps to protect their digital image. They are quick to detect and enforce online copyright infringements and other forms of brand abuse. They monitor social media websites and online forums to discover what people are saying about their company and how customers feel about their products and services. They also actively manage their online reputation and take steps to reinforce their brand image at every opportunity.

Cyberattacks Can Seriously Damage a Company’s Reputation

One aspect of brand protection that should not be underestimated is cybersecurity. There are few things that can have such a devastating impact on the reputation of a company as a cyberattack and data breach. A company that fails to secure its POS systems, websites, and network and experiences a breach that results in the theft of sensitive customer data can see its reputation seriously tarnished. When that happens, customers can be driven to competitors.

How likely are customers to abandon a previously trusted brand following a data breach? A lot more than you may think! In late 2017, the specialist insurance services provider Beazley conducted a survey to find out more about the impact of a data breach on customer behavior. The survey was conducted on 10,000 consumers and 70% said that if a company experienced a data breach that exposed their sensitive information they would no longer do business with the brand.

WiFi Filtering and Protecting Your Brand

The use of Wi-Fi filtering for protecting your brand may not be the first thing that comes to mind when you think about brand protection, but it should be part of your brand protection strategy if you offer WiFi access to your customers or provide your employees with wireless Internet access.

It is essential for businesses to take steps to ensure their customers are protected and are not exposed to malware or phishing websites. If a customer experiences a malware infection or phishing attack on your WiFi network the fallout could be considerable. If your employees download malware, they could give hackers access to your network, POS system, and sensitive customer data. If you offer free Wi-Fi to your customers, you need to make sure your Wi-Fi network is secured and that you protect your customers from malicious website content.

One of the most important aspects of WiFi filtering for protecting your brand is preventing your WiFi access points from being used for illegal activities. Internet Service Providers can shut down Internet access over illegal activities that take place over the Internet. That will not only mean loss of WiFi for customers but could see Internet access lost for the whole company. Your company could also face legal action and fines.

If WiFi users can access pornography and other unacceptable content, a brand can be seriously tarnished. Imagine a parent discovers their child has seen pornography via your WiFi network: the failure to prevent such actions could be extremely damaging. WiFi filters allow businesses to carefully control the content that can be accessed on their network and prevent customers from viewing harmful web content.

WebTitan Cloud for WiFi – The Easy Way to Secure Your WiFi Access Points

Implementing a WiFi filter to protect your brand and provide safe and secure Internet access for your employees and customers is a quick and easy process with WebTitan Cloud for WiFi.

WebTitan Cloud for WiFi is a powerful, yet easy to use web filtering solution for WiFi hotspots that requires no hardware purchases or software downloads. WebTitan Cloud for WiFi can be implemented and configured in just a few minutes. No technical skill required.

WebTitan Cloud for WiFi is highly scalable and can protect any number of access points, no matter where they are located. If you have business premises in multiple locations, or in different countries, WebTitan Cloud for WiFi will protect all of your access points via an intuitive web-based user interface.

WebTitan Cloud for WiFi protects against online threats, allows businesses to carefully control the types of content that WiFi users can access, allows businesses to control bandwidth use, and gives them full visibility into network usage.

If you have yet to implement a WiFi filter on your hotspots, give TitanHQ a call today for details of pricing, to book a product demonstration, and register for a free trial.

Starbucks Porn Filter to Finally be Implemented in 2019

A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network.

It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.

Businesses Pressured to Implement WiFi Filters to Block Porn

Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEOs of Starbucks and McDonald’s urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks.

After being petitioned, McDonald’s took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonald’s announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.

The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.

Starbucks Porn Filter to Be Applied in All Locations in 2019

Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be rolled out across all its cafes in 2019.

All businesses that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and are kept ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flout policies on acceptable use. A technical solution is therefore required to enforce those policies.

While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be blocked.

WiFi filters can also help businesses conserve bandwidth to make sure that all customers can access the Internet and enjoy reasonable speeds.

WebTitan Cloud for WiFi – The Easy Way to Start Filtering Content on WiFi Networks

TitanHQ has long been an advocate of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily block access to unacceptable and illegal web content on WiFi networks.

WebTitan Cloud for WiFi allows businesses to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases are required and no software downloads are necessary.

The solution offers businesses advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are required to implement and run the solution. It can be set up and operated by individuals that have little to no technical knowhow.

The solution is highly scalable and can be used to protect thousands of users, at multiple locations around the globe, all controlled through a single user interface.

If you run a business that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.

Managed Service Providers (MSPs) that want to start offering WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been developed to meet the needs of MSPs and make it easy for them to add new security capabilities to their service stacks.

DNS Web Filtering for MSPs – Improve Security for Your Clients and Your Bottom Line

DNS web filtering for MSPs is an easy way to improve security for your clients, save them money, and boost your profits. This post explains the benefits of a DNS-level web filter for MSPs and their clients.

DNS web filtering is a great way for MSPs to boost profits, save clients money, and better protect them from cyber threats. Web filtering is an essential cybersecurity measure that businesses of all sizes should be using as part of their arsenal against malware, ransomware, botnets and phishing attacks. However, many MSPs fail to include web filtering in their security offerings and consequently miss out on an important income stream: one that requires little effort and generates regular monthly revenue.

What Are the Benefits of Web Filtering?

There are two main benefits of web filtering: Enforcing Internet usage policies and improving cybersecurity. Employees need to be able to access the Internet for work purposes, but many employees spend a considerable percentage of their working day accessing websites that have no work purpose. Cyberslacking costs businesses dearly. Businesses that do not filter the Internet will be paying their employees to check personal mail, view YouTube videos, visit dating websites, and more. A web filter will help to curb these non-productive activities and will also prevent employees from accessing inappropriate or illegal web content which can prevent legal and compliance issues.

A recent study by Spiceworks revealed the extent of the problem. 28% of employees at large companies (more than 1,000 employees) spend more than four hours a week on personal Internet use and the percentages increase to 45% for mid-sized businesses and 51% for small businesses. The difference in those figures reflects the fact that more large businesses have implemented web filters. 89% of large companies have implemented a web filter to curb or prevent personal Internet usage and, as a result, they benefit from an increase in productivity of the workforce.

Web filtering is essential in terms of cybersecurity. The Spiceworks study revealed 90% of large companies use a web filter to block malware and ransomware infections. A web filter prevents employees from accessing websites known to be used for phishing and those that host malware.

The Spiceworks study showed just how important a web filter is in this regard. 38% of companies had experienced at least one security incident in the past year as a result of employees visiting web pages for personal use, most commonly webmail services and social media channels.

Additional benefits of web filtering include improving network performance and ensuring sufficient bandwidth is available for all users – by blocking access to bandwidth-heavy online activities such as gaming and video streaming.

From the productivity gains alone, a web filter will pay for itself. Add in the costs that are saved by preventing malware and phishing attacks and use of a web filter really is a no brainer.

Why DNS Web Filtering for MSPs is the Way Forward

MSPs have three main web filtering options open to them: an appliance-based web filter, a virtual appliance or software solution, or a DNS filter. DNS web filtering for MSPs is usually the best choice.

DNS web filtering for MSPs avoids the need for hardware purchases so there is not an initial high cost for clients or for the MSP, since a powerful appliance does not need to be installed in an MSP’s own data center. DNS web filtering for MSPs means no site visits are necessary to install the solution as no hardware is required and no software downloads are necessary. DNS web filtering is not restricted by operating systems and is hardware independent, and since there are no clients to install, there will not be any installation issues. A DNS web filter also doesn’t have any impact on Internet speed.

A SaaS DNS web filtering solution, such as WebTitan Cloud, allows MSPs to deploy the web filter for their clients in a few minutes. All that is required is to direct clients’ DNS to the cloud-based filter.

DNS web filtering for MSPs is easy to implement, simple to use, requires little management, and with WebTitan Cloud, MSPs benefit from generous margins. Improving clients’ security posture and helping them make important productivity gains could not be easier.

Why WebTitan Cloud is the Best Choice for MSPs

WebTitan Cloud meets the needs of the SMB marketplace, but the solution was developed specifically to meet the needs of MSPs. WebTitan Cloud includes a full suite of pre-configured reports (with scope for customization) to allow MSPs to show their clients the sites that have been blocked and what employees have been up to online. The reports give MSP clients total visibility into their web traffic and highlight problem areas and trends affecting network performance. The reports can be automated and sent directly to clients with no MSP involvement.

WebTitan Cloud Features

  • DNS-based web filter with no latency
  • Real-time antivirus, malware, spyware, and adware protection
  • URL filtering using pre-defined categories
  • Content blocking with the option for time-based rules
  • Integration with LDAP and Active Directory
  • Incorporates web-based application filtering
  • Supports whitelists and blacklists
  • Contains a comprehensive reporting suite
  • Full set of APIs for easy back-end integration
  • Scalable with no limits on bandwidth, number of routers, or locations
  • Support clients with dynamic or static IPs

Some of the key benefits of TitanHQ’s DNS web filtering for MSPs are detailed below:

  • WebTitan Cloud can be hosted by TitanHQ, in a private cloud on AWS, or within an MSP’s own infrastructure
  • WebTitan Cloud includes APIs to integrate with auto-provisioning, billing, and monitoring systems
  • MSPs do not need to become an ISP to use the service
  • WebTitan Cloud is scalable to hundreds of thousands of users
  • WebTitan Cloud includes multiple management roles
  • New customers and WiFi hotspots can be added and configured in minutes
  • One control panel to manage all clients
  • Intuitive controls with low management overhead
  • Eliminates the need for site visits, with no local support required
  • WebTitan Cloud can be supplied in white-label form ready for an MSP’s logos and color schemes
  • MSPs benefit from industry-leading customer service
  • Highly competitive usage-based pricing with generous margins for MSPs and aligned monthly billing

If you have yet to start offering web filtering to your clients or if you are unhappy with the usability or cost of your current solution, contact TitanHQ’s Alliance team today for full product details, details of pricing, to book a product demonstration and register for a free 14-day no obligation trial.

MSP Testimonials

“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager

“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. It has provided us with a stable web filtering platform that has worked well for us for many years.” Derek A. Network Manager

“WebTitan is outstanding software that helps me a lot in minimizing viruses. The thing I like most about WebTitan is that it is extremely easy to use and configure. I like its clear interface. It lets us block malicious content and spam easily. It is no doubt an amazing product helping us a lot in kicking out harmful bad stuff.” Randy Q. Software Engineer

Ransomware is the Biggest Cyber Threat to SMBs

The biggest cyber threat to SMBs is ransomware, according to Datto’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study.

Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, is not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack.

However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount.

One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest as heavily in cybersecurity solutions as larger businesses.

Anti-Virus Software is Not Effective at Preventing Ransomware Attacks

Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection.

Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware. More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day.

Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency mining. While that may be true for some cybercriminal gangs, the ease of conducting attacks using ransomware-as-a-service means many small players have started attacking SMBs. That is unlikely to change.

92% of surveyed MSPs said they thought ransomware attacks would continue at current levels or even increase throughout this year and next.

Ransomware attacks are even being conducted on Apple operating systems. In the past year, there has been a five-fold increase in the number of MSPs who have reported ransomware attacks on macOS and iOS operating systems.

“Not only have ransomware attacks increased in recent years, but the problem may even be bigger than we know, as many attacks go unreported,” explained Jeff Howard, Founder and Owner of the Texas MSP Networking Results. Datto suggests that only one in four attacks are reported to law enforcement.

How to Protect Against SMB Ransomware Attacks

To protect against ransomware attacks, businesses need to implement a range of solutions to block the most common attack vectors. To block email-based attacks, advanced spam filtering technology is required, and end user security awareness training is essential. To block ransomware downloads from malicious websites, web filtering software should be implemented.

Business continuity and disaster recovery technology should be implemented to ensure that a quick recovery is possible in the event of an attack, and naturally intelligent backing up is required to ensure files can be recovered without paying a ransom.

MSPs need to explain the risks to SMBs, along with the solutions that need to be installed to prevent attacks and the likely cost of recovery. Many businesses are shocked to discover the true cost of a ransomware attack.

How TitanHQ Can Help Improve Defenses Against SMB Ransomware Attacks

TitanHQ has developed two innovative cybersecurity solutions that work in tandem to block the two most common attack vectors: Email and Internet attacks. SpamTitan is a powerful spam filtering solution that combines two AV engines with intelligent scanning of incoming mail using a variety of techniques to identify malicious messages and new ransomware variants and block them at source.

WebTitan is a powerful web filtering solution that can block malvertising attacks, drive-by ransomware downloads, and prevent employees from visiting malicious websites. Both solutions should be part of an SMB’s arsenal to protect against ransomware and malware attacks and both solutions should be part of an MSP’s security stack.

For further information on SpamTitan and WebTitan and details of TitanHQ’s MSP offerings, contact TitanHQ today.

How to Improve Wi-Fi Security for Hotels and Prevent Data Breaches

Most businesses are aware of the importance of securing their Wi-Fi networks; however, in some industry sectors Wi-Fi security has not been given the importance it requires. Wi-Fi security for hotels, for instance, is often lacking, even though the hospitality sector is being actively targeted by cybercriminals who see hotel Wi-Fi as a rich picking ground.

Hotel Chains are Under Attack

Hotels are an attractive target for cybercriminals. They satisfy the two most important criteria for cybercriminals when selecting targets: valuable data that can be quickly turned into profit, and relatively poor cybersecurity, which makes conducting attacks more straightforward.

In 2018, there have been several major cyberattacks on hotel groups. In November 2018, Federal Group, which runs luxury hotels in Tasmania, experienced an email security incident that exposed the personal data of some of its members. A cyberattack on the Radisson Hotel Group was also reported. In that case it resulted in the exposure of the personal information of its loyalty program members.

In August, one of China’s largest chains of hotels, Huazhu Hotels Group Ltd, which operates 13 hotel brands, suffered a cyberattack that affected an estimated 130 million people. In June, one of Japan’s largest hotel groups, Prince Hotels & Resorts, experienced a cyberattack that impacted almost 125,000 customers. In 2017 there were major data breaches at Hilton, Hyatt Hotels Corporation, Trump Hotels, Four Seasons Hotels, Loews Hotels, Sabre Hospitality Solutions, and InterContinental Hotels Group to name but a few.

The Cost of a Hotel Data Breach

When a data breach occurs the costs quickly mount. Access to data and networks must be blocked rapidly, the breach must be investigated, the cause must be found, and security must be improved to address the vulnerabilities that were exploited. That invariably requires consultants, forensic investigators and other third-party contractors. Affected individuals must be notified and credit monitoring and identity theft protection services may need to be offered.

The direct costs of a hotel data breach are considerable. The Ponemon Institute calculated the average cost of a data breach in 2018 had risen to $3.86 million. That was for a breach of up to 100,000 records. Larger breaches cost considerably more.

Then there is GDPR. Fines of up to €20 million or 4% of global annual turnover (whichever is higher) can be issued for GDPR compliance failures, which include data breaches that resulted from poor security.

What is much harder to calculate is the cost of reputation damage and the customer churn rate after a breach. Damage to a hotel chain’s reputation can be long lasting and in the highly competitive hospitality industry, it could even be disastrous.

The security firm Ping Identity recently published the results from its 2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era. 3,000 people from the USA, UK, France, and Germany were surveyed for the study, which investigated the expectations of customers and the fallout from data breaches. 78% of respondents said they would stop engaging with a brand online after a breach and 36% would stop engaging with a brand altogether. Could your hotel group weather a 78% drop in online bookings or a loss of more than a third of your customer base?

Wi-Fi Security for Hotels

Cybersecurity solutions should be implemented to protect hotel networks from cyberattacks and prevent customers’ personal information from being accessed by cybercriminals. Perimeter cybersecurity solutions such as firewalls are essential, but Wi-Fi security for hotels should not be underestimated.

Guests use the Wi-Fi network to conduct business while at the hotel, for entertainment, and communication. Guests typically bring three devices that they connect to hotel Wi-Fi networks. A hotel with 100 guests potentially means 300 devices connecting to Wi-Fi. There is a high probability that at least some of those devices will be infected with malware, which could be transferred to other guests.

Hotel guests often access types of content that they do not access at home – sites that carry a higher risk of resulting in a malware download. Hackers often exploit poor hotel Wi-Fi security to attack guests. The DarkHotel threat group is a classic example. The group targets high profile hotel guests and has been doing so for more than a decade. If Wi-Fi security for hotels is substandard, successful attacks are inevitable.

Naturally guest and business Wi-Fi networks should be separated to ensure that one does not pose a threat to the other. A VLAN should be set up for the wired network, with a separate VLAN for internal wireless access points and those used by guests.

Wi-Fi security should include WPA2 encryption to prevent the interception of data and a web filtering solution should be implemented to protect guests from phishing websites and sites hosting malware. A web filter will also allow hotels to control the types of content that can be accessed by guests and restrictions can be put in place to create family-friendly Wi-Fi access and prevent guests from accessing illegal web content.

TitanHQ Email and Wi-Fi Security for Hotels

TitanHQ is a leading provider of advanced cybersecurity solutions for hotels to protect against email-based cyberattacks and improve Wi-Fi security for hotels.

WebTitan is a powerful web filtering solution for wired and wireless networks that blocks malware downloads and prevents employees and guest Wi-Fi users from accessing malicious websites. WebTitan also allows hotels to carefully control the content that can be accessed via their Wi-Fi networks, ensuring a business-friendly and family-friendly Internet service is provided.

Key Benefits of WebTitan

WebTitan Cloud and WebTitan Cloud for Wi-Fi are 100% cloud-based web filters for hotels that require no software downloads or hardware purchases. They can be implemented in minutes and are easy to configure and maintain. They are ideal for improving Wi-Fi security for hotels and securing wired hotel networks.

WebTitan web filters allow hotels to:

  • Control the content that can be accessed by guests without slowing Internet speeds
  • Block access to pornography to create family-friendly Wi-Fi zones in communal areas
  • Prevent guests from engaging in illegal online activities
  • Prevent guests from accessing phishing websites
  • Block the downloading of viruses, malware, and ransomware
  • Create custom policies for different user groups – management, employees, guests, or individuals
  • Create custom controls for different wireless access points
  • Restrict bandwidth-draining online activities to ensure good Internet speeds for all users
  • Manage web filtering controls for multiple locations from a single web-based control panel

WebTitan is ideal for use in the hospitality sector to protect internal networks from attack and to block web-based threats that could otherwise lead to a data breach.

To find out more about improving Wi-Fi security for hotels, contact TitanHQ today. The team will be happy to provide details of the products, advise you on the best deployment options, and schedule a product demonstration. You can also sign up for a free trial to evaluate the effectiveness of TitanHQ’s web filters for hotels in your own environment.

Ransomware Attacks on Cities and Municipal Services Highlight Cybersecurity Failings

This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.

Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.

Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets in the past few months. It is clear that the threat is not going away any time soon.

$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack

The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.

The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.

Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.

City of Muscatine Ransomware Attack

The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.

Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.

Ransomware Attack on City of Atlanta

In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.

Ransomware Attacks on Municipal Services Becoming More Common

Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.

Prevention and Incident Response

One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.

The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.

How to block employees from accessing websites

Many businesses want to block websites at work and exercise greater control over employee internet access. Acceptable internet usage policies can be developed and employees told what content they are allowed to access at work, but there are always some employees that will ignore the rules.

In some cases, policy violations may warrant instant dismissal or other disciplinary action, which takes HR staff away from other important duties. If staff are fired, replacements must be found, trained, and brought up to speed, and the productivity losses that result can be considerable.

The Dangers of Unfettered Internet Access

Before explaining how to block websites at work, it is worthwhile explaining the problems that can arise from the failure to exert control over the content that can be accessed through wired and wireless networks.

While extreme cases of internet abuse need to be tackled through HR, low level internet abuse can also be a problem. Any time an employee accesses a website for personal reasons, it is time that is not being spent on work duties. Checking emails or quickly visiting a social media website is unlikely to have a major impact on productivity, but when cyber-slacking increases its effect can certainly be felt. If all employees spent 30 minutes a day on personal internet use, the productivity losses would be considerable. A business with 100 workers would lose 50 hours of working time a day, or 1,100 hours a month!

In addition to lost opportunities, internet use carries a risk. Casual surfing of the internet by employees increases the probability of users encountering malware. The accessing of personal webmail at work could easily result in a malware infection on a work device, as personal mail accounts are not protected by the filtering controls of an organization’s email security gateway. If illegal activities are taking place at work, the legal ramifications can be considerable. It will be the business that is liable in many cases, rather than the individual employee.

The easiest solution is for businesses to enforce their acceptable internet usage policies and simply block websites at work that are not required for normal working duties. Preventing end users from visiting certain categories of web content – social media websites, gaming and gambling websites, dating sites, adult content, and other NSFW web content – is the easiest solution.

Even legitimate use of the internet for work purposes carries risks. There has been a major increase in phishing attacks on businesses in recent years and mitigating attacks can prove incredibly costly. Technical solutions that are used to block websites at work to prevent cyber-slacking can also be configured to block access to phishing websites and prevent malware and ransomware downloads.

Selectively block websites at work and take control over the content that your employees can access. See how with a FREE WebTitan demo.

The Easy Way to Block Websites at Work

The easiest way to block websites in the workplace is to use a web filtering solution. This could be a physical appliance through which all internet traffic is routed, a virtual appliance installed on your existing hardware, or a cloud-based solution. The latter is a popular solution for SMBs as the cost of implementation is minimal and the web filter can be set up in a matter of minutes. All that is required is to make a simple change to point the DNS to the cloud web-filter and all traffic will be routed through the solution.

Not all businesses need to exercise the same controls over internet content, so granular controls are essential. With a cloud-based web filter such as WebTitan, it is easy to block websites at work. The administrator simply logs into the administration panel using a web browser and clicks on the checkboxes of content that they want the filter to block. Blocking adult entertainment, gambling, gaming, dating, and social media by category is common.

It is not practical to apply the same settings across the board for all employees. The marketing department, for instance, will need access to social media networks when other employees may not. With WebTitan, filtering controls can easily be set at the organization level, by user group, or for individuals.

With WebTitan Cloud you can control the internet and block threats no matter where your users access the internet. WebTitan Cloud works for users both on and off the network, so you can protect office workers and employees working remotely using the same solution.

Further Information on Blocking Websites in the Workplace

If you would like further information on how you can selectively block websites at work and take control over the content that your employees can access, speak to TitanHQ today.

Our friendly and knowledgeable sales team will be able to answer all your questions, explain in detail how WebTitan works, and suggest the best deployment option to suit your needs.

After learning about the best setup to suit your business, you can schedule a product demonstration and/or start a free trial to see WebTitan in action.

In 20 minutes your content control issues could be solved and you could be filtering the internet and blocking access to unsuitable, unsavory, and harmful web content.

The Easy Way to Block Websites at Work and Control Employee Internet Access FAQ

What is DNS Filtering?

DNS filtering is when content filtering takes place at the DNS lookup stage of a web request, when the domain name in the URL is resolved to its corresponding IP address. The request is processed via the web filtering service provider and the IP address will only be returned if the web resource does not violate administrator-defined policies. Filtering takes place without any content being downloaded and there is no latency.

Can I block Facebook Messenger without blocking access to Facebook?

You can block Facebook Messenger without blocking access to Facebook with WebTitan. It is easy to prevent employees from using Facebook Messenger at work without blocking access to the entire Facebook website and the process takes just a few seconds. Just open the WebTitan Cloud administration panel, select Filtering URL keywords, and add in two blacklisted keywords.

Is it difficult to block websites in the workplace?

It is not difficult to block websites in the workplace due to category-based web filtering. Category-based web filtering makes content control simple. You simply access your cloud administration panel, navigate to category controls, and you can restrict access to 53 distinct categories of website using the checkbox options. Apply those changes and all websites in those categories will be blocked. You can also create your own custom categories.

Can web filters be bypassed by employees?

Web filters can be bypassed by employees unless controls are implemented to restrict access to proxies, VPNs, and other anonymization services. These controls will be sufficient to prevent users from bypassing filtering controls. However, you should also lock down your DNS settings to prevent users from manually changing the DNS settings to bypass the filtering controls.
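One way to check whether the DNS lock-down described above is holding is to look for clients that send DNS traffic to resolvers other than the filtering service. The following is an added example, not part of the original article or any TitanHQ tooling; the resolver addresses, client range and log layout are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values: resolver addresses of the filtering service and the internal
# client range. Both are placeholders from documentation/private ranges.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("198.51.100.11"),
}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
# Plain DNS and DNS over TLS. DNS over HTTPS uses port 443 and cannot be
# recognised by port alone, so it is outside what this check can see.
DNS_PORTS = {53, 853}

# Constructed egress firewall log in a simple key=value layout
# (not the format of any particular product).
SAMPLE_LOG = """\
2018-10-18T09:00:01Z src=10.20.1.15 dst=198.51.100.10 proto=udp dport=53 action=allow
2018-10-18T09:00:02Z src=10.20.1.22 dst=203.0.113.53 proto=udp dport=53 action=allow
2018-10-18T09:00:03Z src=10.20.1.22 dst=203.0.113.53 proto=tcp dport=853 action=allow
2018-10-18T09:00:04Z src=10.20.1.30 dst=203.0.113.53 proto=udp dport=53 action=deny
2018-10-18T09:00:05Z src=10.20.1.15 dst=192.0.2.80 proto=tcp dport=443 action=allow
malformed line without fields
2018-10-18T09:00:06Z src=192.0.2.7 dst=198.51.100.10 proto=udp dport=53 action=allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not usable."""
    fields = line.split()
    if len(fields) < 2:
        return None
    rec = {"ts": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def find_dns_bypass(log_text):
    """Return internal clients that sent DNS to a resolver outside the approved set.

    'allowed' counts mean the egress rules let the bypass through;
    'denied' counts mean the attempt was made but the firewall stopped it.
    """
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "resolvers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] not in INTERNAL_NET or rec["dport"] not in DNS_PORTS:
            continue
        if rec["dst"] in APPROVED_RESOLVERS:
            continue
        entry = hits[str(rec["src"])]
        entry["allowed" if rec.get("action") == "allow" else "denied"] += 1
        entry["resolvers"].add(str(rec["dst"]))
    return {
        src: {
            "allowed": e["allowed"],
            "denied": e["denied"],
            "resolvers": sorted(e["resolvers"]),
        }
        for src, e in hits.items()
    }


if __name__ == "__main__":
    for client, info in find_dns_bypass(SAMPLE_LOG).items():
        print(client, info)
```

Any client with a non-zero "allowed" count is resolving names outside the filter, which means the egress rule restricting ports 53 and 853 to the approved resolvers is missing or incomplete.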

Can I view user Internet activity in real time?

You can view user Internet activity in real time or retrospectively. With WebTitan you can do both with a few clicks of the mouse. All information is easily accessible via the administration portal and can either be viewed or exported with the click of a mouse.

What is the difference between web filtering and DNS filtering?

The difference between web filtering and DNS filtering is that web filtering is more granular. Web filtering allows organizations to filter the Internet by URL rather than by domain name or IP address. Therefore, if there is (for example) a news website employees need to access for their jobs, but the organization wants to block access to the sports and leisure pages of the website, the organization can blacklist just the pages it does not want employees to access. DNS filtering lacks the granularity to block selected pages of a website and can only block the whole website.
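The granularity difference described above can be shown with a small model of the two decision points. This is an added example, not WebTitan's implementation; the policy entries and the news.example and gambling.example names are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy data for illustration only.
BLOCKED_DOMAINS = {"gambling.example"}               # DNS stage: whole domains
BLOCKED_URL_PREFIXES = {("news.example", "/sport")}  # URL stage: host + path prefix


def domain_matches(host, blocked):
    """True if host is the blocked domain or a subdomain of it.

    Matching on a label boundary stops 'notgambling.example' from being
    treated as part of 'gambling.example'.
    """
    host = host.lower().rstrip(".")
    blocked = blocked.lower().rstrip(".")
    return host == blocked or host.endswith("." + blocked)


def dns_filter(qname):
    """DNS-stage decision. The resolver sees only the queried name, never the path."""
    if any(domain_matches(qname, d) for d in BLOCKED_DOMAINS):
        return "block"
    return "allow"


def normalise_path(raw_path):
    """Decode percent-escapes and collapse '.', '..' and repeated slashes,
    so that '/%73port/../sport/x' is compared as '/sport/x'."""
    decoded = unquote(raw_path or "/")
    return "/" + posixpath.normpath(decoded).lstrip("/")


def url_filter(url):
    """URL-stage decision. Needs the full URL, which for HTTPS means the filter
    must sit where the path is visible (TLS inspection or an endpoint agent)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if dns_filter(host) == "block":
        return "block"
    path = normalise_path(parts.path)
    for blocked_host, prefix in BLOCKED_URL_PREFIXES:
        on_host = domain_matches(host, blocked_host)
        # Match whole path segments: '/sportswear' is not under '/sport'.
        under_prefix = path == prefix or path.startswith(prefix + "/")
        if on_host and under_prefix:
            return "block"
    return "allow"


def compare(url):
    """Return (DNS-stage decision, URL-stage decision) for the same request."""
    host = urlsplit(url).hostname or ""
    return dns_filter(host), url_filter(url)


if __name__ == "__main__":
    for sample in (
        "https://news.example/business/markets",
        "https://news.example/sport/football",
        "https://news.example/%73port/../sport/x",
        "https://news.example/sportswear",
        "https://www.gambling.example/",
    ):
        print(sample, compare(sample))
```

To stop the sports pages at the DNS stage, news.example itself would have to be added to the blocked domains, which also blocks the business pages employees need.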

How does casual surfing increase the risk from malware?

Many websites are monetized by advertising, and it is not uncommon for cybercriminals to place ads on popular sites that are weaponized with malware, trojans, ransomware, or cryptomining scripts. Additionally, clicking on an ad can take a casual Internet surfer to a phishing site where they may be asked to create login credentials to progress to the area of interest. Many employees have poor password habits, and could use a username and password that matches a corporate account.

Which is the best type of web filtering solution for the workplace?

The best type of web filtering solution for the workplace is most often a cloud-based solution. This is because a cloud-based solution can control on-premises and remote Internet access. It is also important to be aware that the web filtering vendor most often manages cloud-based solutions. Therefore, all updates, patches, and technical issues are the responsibility of the vendor rather than the organization’s IT department – reducing the demand for internal IT support.


Webinar: Datto and TitanHQ Deliver Enhanced Web Content Filtering to MSPs

TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs.

Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network.

Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers.

During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.

Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ

CloudFlare IPFS Gateway Phishing Forms Fool Users with Valid SSL Certificates

The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content. Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.

The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers.

When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid. The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos.

If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be displayed a document about business models, strategy and innovation. This may also not raise a red flag.

The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.

It is becoming increasingly important for phishers to use HTTPS for hosting phishing content. As more businesses transition from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to make the change to HTTPS. Both CloudFlare IPFS Gateway and Azure Blob storage offer an easy way to do this.

In both cases, links to the malicious forms are distributed through spam email. One of the most common ways to do this is to include an email attachment that contains a button which must be clicked in order to download content. The user is advised that the content of the file is secured, and that professional email login credentials must be entered in order to view the content. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.

The increase in use of cloud platforms to host phishing content makes it more important than ever for organizations to implement advanced phishing defenses. A powerful spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to alert users that SSL certificates do not necessarily mean the content of a web page is legitimate. Web filtering solutions are also essential for blocking access to known malicious web pages, should a user visit a malicious link.
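The padlock on these pages only vouches for the hosting platform, so a filter has to look at where the login form sends its data. The following is an added example, not code from the original article or from any vendor product: it flags password forms served from a shared hosting domain or posting to a different host. The sample pages, `collector.example`, `portal.example` and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Domains that serve arbitrary customer content under the platform's own valid
# certificate. cloudflare-ipfs.com is named in the article; blob.core.windows.net
# is the Azure Blob storage endpoint suffix.
SHARED_HOSTING_SUFFIXES = ("cloudflare-ipfs.com", "blob.core.windows.net")


class FormCollector(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open_form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def is_shared_hosting(host):
    """True when host is, or is a subdomain of, a shared hosting domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def assess_login_page(page_url, html):
    """Return one finding per password form that looks out of place."""
    page_host = urlsplit(page_url).hostname
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action posts back to the page's own host.
        post_host = urlsplit(urljoin(page_url, form["action"])).hostname
        reasons = []
        if is_shared_hosting(page_host):
            reasons.append("login form served from a shared hosting domain")
        if post_host != page_host:
            reasons.append("credentials are posted to a different host")
        if reasons:
            findings.append({"page_host": page_host, "post_host": post_host, "reasons": reasons})
    return findings


# Constructed samples (not captured from a real campaign).
GATEWAY_URL = "https://cloudflare-ipfs.com/ipfs/EXAMPLE-CONTENT-ID/login.html"
GATEWAY_HTML = """
<html><body><img src="logo.png" alt="Sign in">
<form method="post" action="https://collector.example/submit">
  <input type="email" name="user"><input type="password" name="pass">
  <button>Sign in</button>
</form></body></html>
"""

FIRST_PARTY_URL = "https://portal.example/account/login"
FIRST_PARTY_HTML = """
<form method="post" action="/account/session">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for url, html in ((GATEWAY_URL, GATEWAY_HTML), (FIRST_PARTY_URL, FIRST_PARTY_HTML)):
        print(url, assess_login_page(url, html) or "no findings")
```

Neither signal depends on the certificate, which is valid in both sample cases.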

Ryuk Ransomware Attack on Recipe Unlimited Results in Widespread Restaurant Closures

A suspected Ryuk ransomware attack on Recipe Unlimited, a network of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams deal with the attack.

Recipe Unlimited, formerly known as Cara Operations, operates pubs and restaurants under many names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of the above pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack.

While only a small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and using register systems to process orders.

While it was initially unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. An employee of one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the affected computers.

The ransom note is the same used by the threat actors behind Ryuk ransomware. They claim files were encrypted with “military algorithms” which cannot be decrypted without a key that is only held by them. While it is unclear exactly how much the attackers demanded in payment to decrypt files, they did threaten to increase the cost by 0.5 BTC (Approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is understood to have occurred on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of many such attacks involving Ryuk ransomware. The attackers are understood to have collected more than $640,000 in ransom payments from businesses who have had no alternative other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not increase that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare providers, and cities are extremely common and can be incredibly costly to resolve. The recent City of Atlanta ransomware attack caused widespread disruption due to the sheer scale of the attack, involving thousands of computers.

Resolving the attack, including making upgrades to its systems, is likely to cost in the region of $17 million, according to estimates from city officials. The ransomware attack on the Colorado Department of Transportation is expected to cost $1.5 million to resolve.

There is no simple solution that will block ransomware attacks, as many different vectors are used to install the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to prevent email delivery of ransomware, web filters can be configured to block access to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to rapidly identify an attack in progress and limit the harm caused.

All operating systems and software must be kept fully up to date, strong passwords should be used, and end users must receive training to make them aware of the threat from ransomware. They should be taught security best practices and trained how to identify threats. Naturally, robust backup policies are required to ensure that in the event of disaster, files can be recovered without having to pay the ransom.

How to Prevent Windows Remote Desktop Protocol Attacks

Windows Remote Desktop Protocol attacks are one of the most common ways cybercriminals gain access to business networks to install backdoors, gain access to sensitive data, and install ransomware and other forms of malware.

This attack method has been increasing in popularity over the past two years and there has also been a notable rise in darknet marketplaces selling exposed RDP services and RDP login credentials. The high number of Remote Desktop Protocol attacks has prompted the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) and the Department of Homeland Security to issue an alert to businesses in the United States to raise awareness of the threat.

Remote Desktop Protocol is a proprietary Windows network protocol that allows individuals to remotely access computers and servers over the Internet and gain full control of resources and data. RDP is often used for legitimate purposes, such as allowing managed security service providers (MSSPs) and managed service providers (MSPs) to remotely access devices to provide computer support without having to make a site visit. Through RDP, input such as mouse movements and keystrokes can be transmitted over the Internet with a graphical user interface sent back.

In order to gain access to a machine using RDP, a user must be authenticated by supplying a username and password. Once a user is authenticated, the resources on that device can be accessed. While authorized individuals can use RDP connections, so too can cybercriminals if they have access to login credentials or are able to guess usernames and passwords. As with any software, RDP can contain flaws. For instance, flaws in the CredSSP encryption mechanism could be exploited to perform man-in-the-middle attacks.

Cybercriminals are identifying vulnerable RDP sessions over the Internet and are exploiting them to gain access to sensitive information and conduct extortion attacks. The threat actors behind SamSam ransomware, which has been used in many attacks on U.S. businesses, educational institutions, and healthcare providers, often gain access to networks through brute force attempts to guess weak passwords. The threat actors behind CrySiS and CryptON ransomware attack businesses through open RDP ports and similarly use brute force and dictionary attacks to guess passwords.

How to Prevent Windows Remote Desktop Protocol Attacks

There are four main vulnerabilities that can be exploited to gain access to Windows devices that have RDP enabled:

  • Exploitation of weak passwords
  • Use of outdated versions of RDP
  • Failure to restrict access to the default RDP port – TCP 3389
  • Failure to block users after a set number of unsuccessful login attempts

Strong passwords should be used to make it harder for cybercriminals to use brute force tactics to guess login credentials. Dictionary words should be avoided. Default passwords must be changed and passwords should be at least 8 characters and include a mix of upper/lower case letters, numbers, and special characters. Rate limiting is also essential. A user should be blocked after a set number of failed login attempts have been made and, if possible, two-factor authentication controls should be implemented. External to internal RDP connections should be limited and software should be kept up to date.

An audit should be conducted to identify all systems that have RDP enabled, including cloud-based virtual machines with public IP addresses. If RDP is not required, it should be disabled. A list of systems with RDP enabled should be maintained and available patches should be applied promptly. All open RDP ports should be located behind a firewall and access should only be possible by using a VPN.

Logging mechanisms should be applied, and successful and unsuccessful login attempts should be regularly monitored to identify systems that have been attacked.
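One way to act on that monitoring advice, as an added example that is not part of the original article: the script below scans exported Windows Security events for bursts of failed remote logons (event ID 4625) from one source, and for a successful logon (4624) from a source already flagged. The CSV column layout, the threshold of 5 failures in 5 minutes, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security log: an account failed to log on
SUCCESSFUL_LOGON = 4624    # Windows Security log: an account was successfully logged on
# Logon type 10 is RemoteInteractive (RDP); with Network Level Authentication
# RDP attempts are commonly recorded as type 3 (Network).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample export (not real data); the column names are an assumed layout.
SAMPLE_EVENTS = """\
TimeCreated,EventID,LogonType,IpAddress,TargetUserName,Computer
2018-10-01T02:14:01,4625,3,203.0.113.50,administrator,SRV-RDP01
2018-10-01T02:14:09,4625,3,203.0.113.50,admin,SRV-RDP01
2018-10-01T02:14:17,4625,3,203.0.113.50,backup,SRV-RDP01
2018-10-01T02:14:25,4625,3,203.0.113.50,backup,SRV-RDP01
2018-10-01T02:14:33,4625,3,203.0.113.50,backup,SRV-RDP01
2018-10-01T02:14:41,4624,10,203.0.113.50,backup,SRV-RDP01
2018-10-01T08:59:10,4625,10,198.51.100.7,jsmith,SRV-RDP01
2018-10-01T08:59:40,4625,10,198.51.100.7,jsmith,SRV-RDP01
2018-10-01T09:00:05,4624,10,198.51.100.7,jsmith,SRV-RDP01
2018-10-01T09:05:00,4625,2,-,jsmith,WKS-014
"""


def parse_events(text):
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventID"]),
            "logon_type": int(row["LogonType"]),
            "ip": row["IpAddress"],
            "user": row["TargetUserName"],
            "computer": row["Computer"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with `threshold` failed remote logons inside `window`,
    and any later successful logon from a source that was flagged."""
    recent_failures = defaultdict(deque)   # (ip, computer) -> failure timestamps
    flagged = set()
    findings = []
    for ev in events:
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue                        # local/console logons are out of scope
        key = (ev["ip"], ev["computer"])
        failures = recent_failures[key]
        while failures and ev["time"] - failures[0] > window:
            failures.popleft()              # forget failures older than the window
        if ev["event_id"] == FAILED_LOGON:
            failures.append(ev["time"])
            if len(failures) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"kind": "brute_force", "ip": ev["ip"],
                                 "computer": ev["computer"], "time": ev["time"],
                                 "failures": len(failures)})
        elif ev["event_id"] == SUCCESSFUL_LOGON and key in flagged:
            findings.append({"kind": "success_after_brute_force", "ip": ev["ip"],
                             "computer": ev["computer"], "time": ev["time"],
                             "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

A `success_after_brute_force` finding is the one to triage first, since it suggests a guessed password rather than a blocked attempt.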

To ensure that recovery from a ransomware or sabotage attack is possible, all data must be regularly backed up and a good backup strategy adopted.

By regulating, monitoring, and controlling the use of RDP and addressing vulnerabilities, it is possible to reduce risk and prevent Remote Desktop Protocol attacks.

Exploit Kit Deployments and Website Attacks on the Rise

Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains, and that cyberattacks on websites have increased sharply.

United States Hosts the Most Malicious Domains and Exploit Kits

The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all countries, apart from the Netherlands, the number of malicious domains remained constant or declined.

Exploit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks.

Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit.

More than twice as many exploit kits are hosted in the United States as in Russia, which is in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139.

The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads. According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – The IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago.

The JScript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll vulnerability – CVE-2014-6332 – have also been used in many attacks. One vulnerability known to be used in zero-day attacks was also detected.

Website Attacks on the Rise

Research conducted by SiteLock has revealed there has been a significant rise in attacks on websites in Q2, 2018. According to its study of more than 6 million websites, each website is attacked, on average, 58 times a day with one attack occurring every 25 minutes. That represents a 16% increase in website attacks since Q1, 2018.

These attacks are primarily conducted in order to install cryptocurrency mining code to hijack web visitors’ computers to generate cryptocurrency. Cases of cryptocurrency mining code insertions doubled between Q1 and Q2, while the installation of malicious JavaScript increased by 16%.

Once access is gained to a site and the miner or malicious JavaScript is deployed, it often remains undetected as many website malware detection solutions fail to detect these scripts. For website owners, there are no symptoms displayed to indicate their website has been compromised. SiteLock notes that approximately 1% of websites are infected with malware, although scans of websites revealed 9% contained at least one vulnerability that could potentially be exploited to gain access to the site to install malicious code.

Many search engines now alert users when websites have been discovered to contain malware, and Google sends warnings to site owners when malicious software is discovered. However, relatively few sites are being detected as malicious. SiteLock notes that out of 19.2 million sites that it has discovered to be hosting malicious files, only 3 million had been detected as malicious by the search engines.

The threat of exploit kit attacks and the rise in sites hosting malicious code highlight the need for businesses to deploy a web filtering solution to prevent employees from visiting these malicious sites and giving cybercriminals an opportunity to install malware on their networks.

Companies that take no action and fail to implement software solutions to restrict access to malicious sites face a high risk of their employees inadvertently installing malware. With the cost of a data breach now $3.86 million (Ponemon/IBM), the decision not to implement a web filter could prove incredibly costly.

Princess Evolution Ransomware Offered as RaaS

Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model – termed Ransomware-as-a-Service or RaaS.

RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted on underground web forums and prospective affiliates.

Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted.

Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit, which is installed on attacker-controlled web domains. Often legitimate sites are compromised and have the exploit kit loaded without the knowledge of the site owner.

Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.

At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding systems and recovering files from backups.  The ransom demand is currently 0.12 Bitcoin – Approximately $750 per infected device.

Protecting against Princess Evolution ransomware attacks requires a combination of cybersecurity solutions, security awareness training, and robust backup policies. Multiple backups of files should be created, stored on at least two different media, with one copy stored securely off site. Infected devices may need to be re-imaged, so plans should exist to ensure the process can be completed as quickly as possible.

Cybersecurity solutions should focus on prevention and rapid detection of threats. A spam filtering solution – such as SpamTitan – will help to ensure that emailed copies of the ransomware or downloaders are not delivered to inboxes.

Care should be taken with any email sent from an unknown individual. If that email contains an attachment, it should not be opened, but if this is unavoidable, the attachment should be scanned with anti-virus software prior to opening. For greater protection, save the attachment to disk and upload it to VirusTotal for scanning using multiple AV engines.

A web filter such as WebTitan can block web-based attacks through general web browsing and by preventing end users from visiting malicious websites via hyperlinks in spam emails.

To reduce the risk of brute force attacks, strong, unique passwords should be used to secure all accounts and remote desktop protocol should be disabled if it is not required. If RDP is required, it should be configured to only allow connection through a VPN.

You should also ensure that all software, including browsers, browser extensions and plugins, and operating systems are kept patched and fully up to date.

HTTPS Phishing Websites Make Up One Third of Total

There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before.

Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.

The Threat from Phishing is Getting Worse

The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year.

In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified.

The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.

Healthcare Industry Heavily Targeted

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is.

HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.

Phishers Make the Move to HTTPS

PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS phishing websites. The company has recently released figures showing there has been a sharp increase in HTTPS phishing websites in the past few months with HTTPS and SSL certificates now popular with phishers.

As businesses make the switch to HTTPS, the phishers have followed. In the final quarter of 2015, a little over 1% of all phishing websites were hosted on HTTPS. By the final quarter of 2016, the percentage had increased to a shade under 5%. By the end of the final quarter of 2017, 31% of phishing sites used HTTPS. The Q1, 2018 figures show HTTPS phishing websites now account for a third of all phishing websites.

HTTPS websites ensure the connection between the browser and the website is encrypted. This offers greater protection for website visitors as information entered on the site – such as credit card numbers – is secure and protected from eavesdropping. However, if the site is controlled by a cybercriminal, HTTPS offers no protection.

The Importance of SSL Inspection

Protecting against phishing attacks and malware downloads via HTTPS websites requires the use of a web filtering solution that performs SSL inspection. If a standard web filtering solution is used that is unable to inspect HTTPS websites, it will not protect employees from visiting malicious websites.

It is certainly possible to block users from accessing all HTTPS websites, which solves the problem of SSL inspection, but with more websites now using HTTPS, many valuable internet resources and essential websites for business could not be accessed.

While many businesses may be reluctant to implement SSL filtering due to the strain it can place on CPUs and the potential for slowing internet speed, TitanHQ has a solution. WebTitan includes HTTPS content filtering as standard to ensure businesses are protected from HTTPS phishing websites and other online threats while ensuring internet speeds are not adversely affected.

You can find out more about how you can protect your business from phishing websites by contacting the TitanHQ sales team and asking about WebTitan.

New Underminer Exploit Kit Delivering Coinminer Malware

Exploit kit activity may not be at the level it once was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected.

The exploit kit has been named Underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootkits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks with activity now spreading beyond this region.

The Underminer exploit kit was also detected by Malwarebytes researchers who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of Hidden Mellifera coinminer malware.

The exploit kit uses complex methods to deliver the payload with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly.

The EK profiles the user via a user-agent to determine if the user is of interest. If not, the user will be directed to a HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.

The Underminer exploit kit contains a limited number of exploits: the Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were released in February 2018, July 2015, and May 2016 respectively.

The best defense against exploit kit attacks is prompt patching. All systems and applications should be kept 100% up to date, with virtual patching deployed on legacy systems and networks. Since there will always be a delay between the identification of a vulnerability and a patch being released, patching alone may not be sufficient to prevent all attacks, although EK developers tend to use old vulnerabilities rather than zero days.

In addition to prompt patching, cybersecurity solutions should be deployed to further reduce risk, such as a web filtering solution (WebTitan) to block users from visiting malicious websites and redirects through malvertising. In this case, one of the main ways that users are directed to the exploit kit is via adult-themed malvertising on legitimate adult websites. Using the web filter to block access to adult sites will reduce exposure.

Cybersecurity solutions should also be deployed to scan for malware installations and monitor for unusual activity and standard cybersecurity best practices should also be employed… the principle of least privilege and removing unused or unnecessary applications, plugins, and browser extensions.

The fact that a new exploit kit has been developed, and that it was recently updated with a new exploit, shows that the threat of web-based attacks has not gone away. EK activity may be at a fraction of the level of 2016, but businesses should not assume that attacks will not take place and should implement appropriate defenses to mitigate the threat.

Rig Exploit Kit Activity Continues to Rise

A recent analysis of exploit kit activity by Trend Micro has shown that while exploit kit activity is at a fraction of what it was in 2016, the threat has not gone away. Links to malicious websites hosting exploit kits are still being distributed by spam email and malicious adverts are still being used to redirect web users to malicious websites hosting exploit kits.

Most of the exploit kits that were in use in 2016 have all but disappeared – Angler, Nuclear, and Neutrino. There was a rise in Sundown activity in 2017, but activity has now stopped, and Disdain and Terror exploit kits have similarly disappeared.

The demise of exploit kits as an attack vector has been attributed, in part, to the arrests of the operators of some of the most commonly used EKs such as Angler, although there have been fewer zero-day vulnerabilities to exploit. Many of the exploits used in exploit kits are for Flash vulnerabilities, and while use of Flash is declining, the creators of exploit kits are still attempting to exploit a handful of these Adobe Flash vulnerabilities.  Many threat actors have switched to easier and less time-consuming ways of attacking businesses, but not all.

While most exploit kits are operating at a low level, the Rig exploit kit is still in use and has recently been updated once again. Further, there has been a steady increase in Rig exploit kit activity since April. Rig is most commonly used in attacks in Japan, which account for 77% of Rig activity.

The GrandSoft exploit kit is still active, although at a much lower level than Rig. This exploit kit was first seen in 2012 although activity all but disappeared until the fall of last year when it became active once again. Japan is also the country most targeted by the GrandSoft exploit kit (55% of activity), while the private exploit kit Magnitude is almost exclusively used in South Korea, which accounts for 99.5% of its activity.

For the most part, exploit kits are being used to exploit vulnerabilities that should have been patched long ago, such as the use-after-free vulnerability in Microsoft Windows’ VBScript engine (CVE-2018-8174) which was identified in April 2017 and patched in May 2017.

Internet Explorer vulnerabilities are also being exploited on vulnerable systems, with at least two exploits for IE flaws included in GrandSoft recently. Research conducted by Palo Alto Networks showed that out of 1,583 URLs found in malicious emails, the majority were linked to exploit kits including Rig, Sundown, Sinowal, and KaiXin, with the latter still evolving and new exploits still being added. CVE-2016-0189 and CVE-2014-6322, both IE VBScript flaws, were the most commonly used.

Trend Micro has warned that the recent increase in zero-days – there were 119 last year – could see at least some exploits for these vulnerabilities introduced into exploit kits. Malwarebytes reported last month that a zero-day flaw in Flash Player’s ActionScript language had been incorporated into one exploit kit and was being actively used in attacks.

The fact that exploit kits are still being used strongly suggests that they are still working, which means that many systems are not being patched.

The threat from exploit kits does not appear to be going away, so it is still essential for businesses to ensure they are protecting against attacks.

Strict patch management practices are still important, as is the use of a web filter. Drive-by downloads still occur – unintentional downloads of malware by users in the belief that the files are genuine. Implementing a web filter can help to block these malware downloads, either by blocking specific file types or preventing end users from visiting known malicious websites. Web filters can also be used to block adware, which continues to plague businesses.

Benefits of Web Filtering for Businesses

Why should businesses use a web filtering solution? Listed below are three key benefits of web filtering for businesses.

Protection Against Exploit Kits

Email spam is the most common attack vector used to deliver malware, and while the threat from exploit kits is nowhere near the level in 2015 and 2016, they still pose a problem for businesses.  Exploit kits are web-based apps that are loaded onto websites controlled by cybercriminals – either their own sites or sites that have been hijacked.

Exploit kits contain code that exploits vulnerabilities in web browsers, plugins and browser extensions. When a user with a vulnerable browser visits a malicious URL containing an exploit kit, the vulnerability is exploited and malware is downloaded.

With browsers becoming more secure, and Flash being phased out, it has become much harder to infect computers with malware via exploit kits and many threat actors have moved on to other methods of attack. However, some exploit kits remain active and still pose a threat.

The exploit kits currently in use – RIG for example – contain multiple exploits for known vulnerabilities. Most of the vulnerabilities are old and patches have been available for months or years, although zero-day vulnerabilities are occasionally uploaded. Exploit kits are also updated with recently disclosed proof-of-concept code. Exploit code for two recently discovered vulnerabilities, one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878), has already been added to EKs.

Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although businesses can further enhance security by using a web filter. Web filtering for businesses ensures that any attempt to access a website known to host an exploit kit will be blocked.

Blocking Phishing Attacks

Phishing is one of the biggest threats faced by businesses. Phishing is a method of obtaining sensitive information by deception, such as impersonating a company in an attempt to obtain login credentials or to fool employees into making wire transfers to bank accounts controlled by criminals.

A spam filter can prevent the majority of malicious messages from reaching inboxes, although some phishing emails will make it past the perimeter defenses, especially emails containing links to malicious websites. A web filter provides an additional level of protection against phishing by preventing users from visiting malicious websites sent via email and social media posts. When an attempt is made to visit a known malicious website, access will be blocked, and the user will be directed to a block screen.

A web filter can also be used to enforce safe search on search engines such as Google, Yahoo, and Bing. This will help to prevent inappropriate website content from being accessed through search and image search results.

Monitoring Internet Access and Blocking Inappropriate Websites

Employees can waste an extraordinary amount of time on the Internet. Allowing unfettered access to all website content can result in a considerable reduction in productivity. If every employee wastes an hour a day on the Internet instead of working, a company with 100 employees would lose 100 hours a day, 500 hours a week, and 26,000 hours a year. A sizeable loss.

A web filter can be used to block access to websites such as gambling, gaming, and social media sites – all major drains on productivity. Web filters can also be used to monitor Internet activity. When employees are told that the company monitors Internet use, employees will be less likely to spend time surfing the Internet instead of working.

Web filters can also be used to block not-suitable-for-work (NSFW) content such as pornography and will limit company liability by blocking illegal online activities at work, such as the downloading of copyright-protected content via P2P file sharing sites. Web filters can also limit bandwidth hogging activities such as the streaming of audio and video.

WebTitan Cloud – DNS-Based Web Filtering for Businesses

DNS-based web filtering for businesses is easy with WebTitan Cloud. WebTitan Cloud will help improve security posture, reduce company liability, and improve the productivity of the workforce. Being 100% cloud-based, the solution requires no hardware purchases, no software downloads, and can be implemented in a matter of minutes.

The solution filters websites into 53 pre-defined categories, making it easy for businesses to block specific types of content. More than half a billion URLs are categorized in the database and combined with cloud-based lookup, it is possible to ensure highly accurate content filtering without overblocking valuable content. The solution can inspect all web traffic, including encrypted sites.

The solution allows policies to be created for the entire workforce, groups, or individuals and protects employees who are on and off the network. When employees use multiple devices, the content filtering controls can be applied across the board and will work whether the user is on-site or roaming.

Administrators benefit from a comprehensive reporting suite, with 55 preconfigured reports and scope for customization, with report scheduling options and the ability to view browsing in real-time.

If you want to improve your security posture, save bandwidth, reduce legal liability, block NSFW content, and improve productivity, give TitanHQ a call today and find out more about how WebTitan Cloud can benefit your business.

FAQ

How easy to implement is web filtering for business?

DNS-based web filtering is very simple to operate. Deployment consists of redirecting the organization's Domain Name Server (30 seconds) and logging into a web-based administrative portal (another 30 seconds). Thereafter system administrators can synchronize the filtering service with an existing directory in order to apply role-based filtering policies within minutes.

How does web filtering for businesses block phishing attacks?

Strictly speaking, web filtering for businesses does not block phishing attacks - it mitigates the consequences of a phishing email avoiding detection by an email filter, and the recipient of the email clicking on a link to a malicious website. If the destination website is known to be malicious, web filtering for businesses blocks the recipient from visiting the malicious website.

How does monitoring Internet access work?

Organizations can configure web filtering solutions to monitor which websites users visit and which websites they are refused access to. While some may consider the monitoring of Internet access at work a form of employee surveillance, the information collected from Internet monitoring reports can be used to fine-tune Internet filters to create a more welcoming environment for everyone.

How do I find out what websites the web filter solution has blocked access to?

WebTitan Cloud's monitoring logs are used to compile reports that reveal not only which websites were blocked, but the reasons why access was blocked (i.e. malicious website, contravened category policy, etc.). These reports help identify if your employees are exposing the organization to risk by attempting to visit unsafe websites, or whether they need to be reminded of acceptable Internet use policies.

What if I need to block Internet content for some people but not for others?

WebTitan Cloud has granular controls that enable system administrators to apply Internet policies by user, team, department, etc. as required. Therefore, if - for example - your marketing team requires access to social media platforms, but you want to avoid giving everybody in your organization access to Facebook and Twitter, you simply whitelist the marketing team from the social media category.
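The per-group policy and block-reason reporting described in the answers above, as an added example that is not WebTitan's code or API: a minimal DNS-filter decision function in Python. The category map, threat list, group names and `.example` domains are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: category names, domains and groups are illustrative.
CATEGORIES = {
    "facebook.com": "social-media",
    "twitter.com": "social-media",
    "casino.example": "gambling",
}
MALICIOUS = {"ek-landing.example"}             # threat-feed entries (constructed)
DEFAULT_BLOCKED = {"social-media", "gambling"}
GROUP_ALLOW = {"marketing": {"social-media"}}  # per-group category exemptions


def parent_domains(host):
    """Yield host and each parent, so cdn.facebook.com matches facebook.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def decide(host, group):
    """Return (action, reason) for one DNS query from a user in `group`."""
    names = list(parent_domains(host))
    # Malicious verdicts are checked first; no group exemption overrides them.
    if any(n in MALICIOUS for n in names):
        return "block", "malicious website"
    category = next((CATEGORIES[n] for n in names if n in CATEGORIES), None)
    if category is None:
        return "allow", "uncategorized"
    blocked = DEFAULT_BLOCKED - GROUP_ALLOW.get(group, set())
    if category in blocked:
        return "block", f"category policy: {category}"
    return "allow", f"category permitted: {category}"


def block_report(queries):
    """Count blocked queries by reason, as a filter report would."""
    return Counter(reason for host, group in queries
                   for action, reason in [decide(host, group)] if action == "block")


# Constructed query log: (queried host, directory group of the user).
SAMPLE = [("www.facebook.com", "marketing"), ("www.facebook.com", "finance"),
          ("cdn.ek-landing.example", "marketing"), ("casino.example", "finance"),
          ("intranet.example", "finance")]

if __name__ == "__main__":
    for reason, count in block_report(SAMPLE).items():
        print(count, reason)
```

Checking the malicious list before any group exemption keeps a category whitelist from ever unblocking a known-bad host.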

Employee Negligence is the Biggest Cybersecurity Risk for Businesses

The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives.

The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information.

84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.

Employees are the Biggest Cybersecurity Risk for Businesses in the United States

Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S. employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information.

The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches.

88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.

Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies in place for remote workers.

One of the most important ways that business owners and executives can improve their cybersecurity posture is through employee training, especially for remote workers. The provision of security awareness training will help to ensure that workers are aware of the organization’s policies and procedures and are taught security best practices.

However, the survey suggests training is often inadequate or in some cases nonexistent. 78% of surveyed C-suite executives and small business owners said they only provided information security training on policies and procedures once a year. Considering the risk, training needs to be far more frequent. Employees cannot be expected to retain all the information provided in a training session for the entire year. Training should cover the use of strong passwords, locking devices when they are not in use, never leaving portable devices unattended in public areas, safe disposal of electronic and physical data, and Wi-Fi security. Refresher training should be provided at least every six months.

Policies and procedures need to be developed specifically for remote workers, which cover the practices which must be adopted when working outside the office. With so many workers now spending more time working off-site, the probability of portable electronic devices being lost or stolen is greatly increased.

Businesses must ensure they maintain an accurate inventory of all devices used to access their network and implement appropriate security measures to ensure the loss or theft of those devices does not result in a data breach.

Increased use of insecure WiFi networks poses a major problem, greatly increasing the chance of a malware or ransomware download. Appropriate technologies should be implemented to protect remote workers’ devices from malicious software. TitanHQ can help in this regard.

WebTitan Cloud, TitanHQ’s 100% cloud-based web filtering solution, can block malware and ransomware downloads and carefully control the websites that remote workers can access on their company-issued and BYOD devices, regardless of where the individual is located: on or off-site.

For more information on WebTitan and how it can protect your remote workers and improve your security posture, contact the TitanHQ team today.

RIG Exploit Kit Now Includes Windows Double Kill Exploit Code

The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday.

To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack.

The vulnerability is in the VBScript engine and how it handles objects in memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions.

The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work.

The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing. In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied.

The threat from email-based attacks is also likely to grow. The Double Kill exploit code has also been incorporated into the ThreadKit exploit builder, which is used to create malicious Office documents for use in phishing attacks.

Protecting systems against these types of attacks requires prompt patching, although many organizations are slow to apply updates out of fear of compatibility problems, which could cause performance issues. Consequently, prior to applying patches they need to be fully tested and that can take time. During that time, organizations will be vulnerable to attack.

A web filter – such as WebTitan – provides an additional level of protection while patches are assessed for compatibility. WebTitan provides protection against exploit kits and malware downloads by preventing end users from visiting known malicious sites, either through general web browsing, redirects, or via hyperlinks contained in phishing emails.