Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.
We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.
Cybercriminals use a variety of tactics, techniques, and procedures for distributing malware, and while email is one of the most common attack vectors, web-based malware attacks are becoming more common. In this article, we explore some of the ways that traffic is driven to malicious websites hosting malware and suggest ways that businesses can protect themselves against these attacks.
SEO Poisoning
SEO poisoning is the term given to the manipulation of search engine results to get malicious websites to appear high in the search engines for specific search terms, often those likely to be used by business users. Cybercriminals create a website/web page or compromise an existing website and create a page with malicious content. Cybercriminals often choose a domain name/page URL that is very similar to a brand that is being spoofed. Black hat search engine optimization techniques are used to trick search engines into ranking the page highly for a specific search term or set of search terms. Common techniques include keyword stuffing – adding many relevant keywords to the HTML and text; backlinking campaigns – adding many backlinks to a website from other websites such as via private link networks; cloaking – displaying different content to search engine crawlers than to genuine visitors; and artificially increasing click-through rates. These techniques may be used for promoting phishing and other scams, but they are most commonly used for malware distribution. A visitor to the site will be offered a download related to their search term or will otherwise be prompted to download a file that silently installs malware and gives the attacker access to their device.
Search Engine Ad Abuse / Malvertising
It is easy to create a malicious website for malware distribution, but traffic needs to be driven to that website. Phishing emails are commonly used, but email filters are getting much better at detecting malicious hyperlinks. Instead, cybercriminals can drive traffic to malicious content via Google Ads and other search engine ad platforms or by adding malicious adverts to third-party ad blocks on legitimate websites. Many websites display these adverts as a way of generating additional revenue. While there are control mechanisms in place to prevent malicious adverts from being added to Google and Bing Ads and third-party ad networks, cybercriminals can get around these controls for long enough to drive considerable volumes of traffic to their malicious web pages. This technique is often referred to as malvertising (malicious advertising). Since these adverts appear above the search engine results or are otherwise displayed in a prominent position, they attract a lot of clicks. As with SEO poisoning, the web pages trick users into downloading a malicious file that installs malware.
Torrents and Warez Sites
SEO poisoning and malvertising usually require some user action to install malware. The user must be tricked into downloading and opening a file. One of the easiest ways to do this is to offer something a user wants to download, and ideally, something that requires them to open an executable file. Cybercriminals often bundle malware into executable files used to install pirated software or the product activators/cracks that are needed to generate valid license codes. Torrent sites are used for peer-to-peer file sharing, and often for distributing pirated games, software, videos, and music, with software commonly offered on ‘warez’ sites. Oftentimes the content being sought is installed when the files are downloaded, but malware is silently side-loaded during the installation process. The user gets the software, game, or app they want, and is unaware that malware has also been installed.
How to Protect Against Web-Based Malware Attacks
Assuming that you have an effective spam filter such as SpamTitan Plus for blocking malicious links in emails and antivirus software or other endpoint security solutions installed on each device, there are two main ways for protecting against malware attacks: security awareness training and web filtering.
Security Awareness Training
The importance of security awareness training cannot be overstated. If employees are not made aware of cyber threats and are not taught cybersecurity best practices, they cannot be expected to be able to identify and avoid threats and will likely engage in risky practices that could easily lead to a malware infection. Many employees mistakenly believe that they or their company will not be targeted; however, the reality is that businesses of all sizes are being attacked and employees are usually the easiest way to gain access to sensitive data and internal systems. Training needs to be an ongoing process, where knowledge is improved over time and employees are taught about the changing tactics used by cybercriminals to attack businesses. Training should be provided to all members of the workforce, including the CEO and C-suite, and a good best practice is to provide an annual or bi-annual training session, with shorter training modules completed throughout the year. A few minutes each month completing training modules will help to ensure that employees are kept aware of the latest threats and it will help to keep cybersecurity fresh in the mind.
Web Filtering
All of the above techniques involve driving traffic to malicious websites. Training will help employees to recognize and avoid threats, but it is possible to prevent connections to malicious websites from being made with a web filter. A web filter is used to carefully control the web content that employees can access. Web filters typically have category-based filtering controls that can be used to block access to categories of web content that are illegal, undesirable, risky, or otherwise serve no work purpose.
Businesses can block access to torrents/warez sites by category, along with other risky sites. Web filters can be configured to block certain types of files from being downloaded from the internet, such as executable files. This will help to prevent malware delivery and shadow IT installations (software that has not been authorized by the IT department). Web filters are also updated with blacklists of known malicious websites and web pages. Any attempt to visit one of those resources will be blocked, and with a DNS-based web filter, the connection will be rejected without any content being downloaded.
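The two-stage decision described above (a DNS-layer verdict on the hostname alone, then a content-layer check on the file type) can be made concrete with a small policy evaluator. The code below is an added illustration written for this page; it is not WebTitan's or any vendor's filtering logic, and the category database, blocklist and blocked-extension list are constructed sample data. It shows why a DNS-based block is cheaper: a hit on the hostname is returned before any content is fetched, while the file-type rule can only be applied once a URL path is known.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample data for the example (not a real category feed or blocklist).
CATEGORY_DB = {
    "torrents.example": "p2p",
    "warez.example": "warez",
    "news.example": "news",
    "vendor.example": "software",
}
BLOCKED_CATEGORIES = {"p2p", "warez"}
MALICIOUS_DOMAINS = {"bad-download.example"}
BLOCKED_EXTENSIONS = {".exe", ".msi", ".iso", ".js", ".vbs"}


def parent_domains(host):
    """Yield the host and each of its parent domains, so that a sub-domain
    of a listed domain (cdn.bad-download.example) still matches the entry."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def dns_decision(host):
    """Stage 1: decide on the hostname only. Nothing has been downloaded yet,
    so a block here rejects the connection before any content arrives."""
    for candidate in parent_domains(host):
        if candidate in MALICIOUS_DOMAINS:
            return ("block", f"known malicious domain {candidate}")
        category = CATEGORY_DB.get(candidate)
        if category in BLOCKED_CATEGORIES:
            return ("block", f"category {category}")
    return ("allow", "no DNS-layer match")


def download_decision(url):
    """Stage 2: content-layer check of the requested file type (case-insensitive)."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"file type {ext}")
    return ("allow", "file type permitted")


def evaluate(url):
    """Return (verdict, layer, reason) for a requested URL."""
    host = urlsplit(url).hostname or ""
    verdict, reason = dns_decision(host)
    if verdict == "block":
        return ("block", "dns", reason)
    verdict, reason = download_decision(url)
    return (verdict, "content", reason)


if __name__ == "__main__":
    # Constructed sample requests.
    for url in [
        "https://torrents.example/movie.torrent",
        "https://news.example/story.html",
        "https://vendor.example/setup.MSI",
        "http://cdn.bad-download.example/pic.png",
    ]:
        print(url, "->", evaluate(url))
```

Note that the content-layer rule is only as good as the request it sees: a DNS-based filter on its own never learns the path, so file-type blocking needs a proxy or endpoint component, which is why the text treats the two controls as complementary.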
How TitanHQ Can Help
Many thousands of businesses rely on TitanHQ cybersecurity solutions to protect against malware threats, phishing attacks, business email compromise scams, and other cyber threats. TitanHQ has developed the SpamTitan suite of email security products for blocking phishing, malware, and other email threats, the WebTitan DNS-based web filter for blocking Internet-based threats, and the SafeTitan security awareness training and phishing simulation platform for improving awareness of threats and teaching cybersecurity best practices. All TitanHQ solutions are intuitive, easy to implement, easy to maintain, and easy to use, and are available on a free trial to allow businesses to evaluate them in their own environment before deciding on a purchase. If you want to improve security, why not give the TitanHQ team a call for advice on the best solutions to meet your needs or sign up for a free trial of these solutions.
ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions and removing them can be problematic as users are denied access to the Google Chrome extension list to prevent the removal of the malicious extensions if they are discovered. These malicious extensions are used to deliver unwanted ads, and redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware can increase the attack surface of a system and can easily lead to other malware being delivered.
ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.
A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo will perform unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying but can risk other malware infections. The malicious browser extension is also difficult to uninstall as the user will be prevented from accessing Chrome Extensions. If the user does manage to uninstall the adware, it will simply be reloaded when the device is rebooted via a Windows scheduled task. According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered.
While ChromeLoader could be distributed in multiple ways, the primary method of delivery is via pirated software, so the easiest step to take to prevent infection is never to download pirated material and to only install software/operating systems from official sources. Businesses should implement controls to prevent illegal software downloads. These downloads carry a high risk of installing malware and pirated software is also a legal risk. Businesses should also implement controls to prevent the use of shadow IT – IT solutions that are installed without the knowledge of the IT department, as they can introduce vulnerabilities that can be exploited by malicious actors.
The IT department should have a list of all versions of software and operating systems used by the company. When patches or updates are released, the IT department will need to ensure that the company is running the latest versions. If the IT department is unaware that employees have downloaded programs, vulnerabilities could easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but it introduces considerable security and legal risks.
How to Prevent ChromeLoader Infections
One way that businesses can control shadow IT and prevent ChromeLoader infections is to implement a web filter such as WebTitan Cloud. WebTitan Cloud is used to control access to the Internet. Categories of websites can be blocked, such as torrents/warez sites, along with other risky websites that serve no work purpose. URLs and domains that are known to be malicious are blocked automatically. WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file downloads from the Internet, such as executable files that are used to install software (.msi, .iso, etc.) to control shadow IT, along with other executable files that are often used for malware installation (.js, .exe, etc.).
WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.
There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.
Search engine poisoning can be achieved in different ways. One of the ways search engine poisoning is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for key search terms, but since the queries typically targeted have little competition, it is quite easy to get pages appearing high up in the organic search engine listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download the content, they can easily be tricked into downloading a malicious file. Oftentimes the user will get the file they are looking for, but malware will be silently installed when the file is opened.
Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.
Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will be executed silently which will install malware.
The domain names used closely mirror those used by the legitimate brand, and typically include the brand name with additional characters or words to make it appear that the domain is official. The downloaded files are usually signed with certificates that are invalid but were issued to recognizable brands. If the warning signs are ignored and the installation file is executed, malware will be installed.
The key to defending against these attacks is to prevent these malicious files from being downloaded, and ideally, prevent users from visiting the malicious websites. The early stages of the attack can be blocked with an ad blocker or web filter. A web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker will only block the adverts and will not block search engine poisoning in the organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files will help IT teams to control shadow IT – unauthorized software installations.
These methods of malware distribution should also be covered in security awareness training. Businesses should teach their employees security best practices and make them aware of risks such as phishing and email-based attacks, and search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to improve human defenses, which is vital as the majority of cyberattacks are the result of human error.
TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.
There has been an increase in the use of information-stealing malware by cybercriminals. Infostealers are typically installed to steal a range of sensitive data from a user’s device, such as system information, usernames and passwords, and cryptocurrency wallets. Infostealers typically have keystroke logging capabilities, allowing usernames and passwords to be obtained, which are then exfiltrated to the attacker’s command and control server, allowing the user’s accounts to be accessed.
In 2022, cybercriminals increasingly used these types of malware in their attacks on businesses. The latest information stealers have been developed specifically for this purpose and instead of targeting individual accounts, they are being used for much more extensive attacks on businesses, and steal system information and session cookies that allow multifactor authentication controls to be bypassed.
If the malware is installed, changing passwords will have little effect, as the attacker will already be in the system. Multifactor authentication can prevent stolen credentials from being used to access accounts, but modern malware is capable of stealing session cookies allowing accounts to be accessed. While multifactor authentication is important, it is not effective if the system has already been compromised. Further, phishing kits are now used that are capable of obtaining session cookies and bypassing multifactor authentication.
Phishing attacks have also become more sophisticated and it is now common for a wide range of malicious attachments to be used for distributing malware and directing users to malicious websites. While Office documents are commonly used, now compressed files, ISO files, ZIP files, OneNote files, image files, HTML files, and more are used for malware distribution, many of which are not blocked by email security solutions. To protect against these new malware variants and multifactor authentication-bypassing phishing attacks, businesses need to rethink their protections.
An email security solution is required to block malware delivery via email and identify and block the phishing emails that are used for credential theft. Email security solutions will block previously seen phishing emails, and are regularly updated with the latest threat intelligence; however, many are not effective at detecting zero-day threats. An email security solution with machine-learning capabilities is required to block more of these new threats, and for malware protection, sandboxing is required in addition to standard antivirus protection. Any attachments that pass AV inspection – which looks for signatures of known malware – are sent to the sandbox for behavioral analysis. This allows zero-day malware threats to be identified and blocked. SpamTitan has AI/machine learning capabilities and provides AV protection and sandboxing.
Even advanced email security solutions such as SpamTitan should not be used in isolation, as no email security solution will block every threat. Email security solutions will massively reduce the number of malicious emails that are delivered to inboxes, but will not block SMS-based phishing attacks and web-based attacks. One way of improving protection is to use a web filter. A web filter is used to carefully control access to the Internet and can restrict access to websites that serve no work purpose. Web filters are updated with the latest threat intelligence and will block access to known malicious websites, and can be configured to block downloads of risky files from the Internet. They will also significantly improve protection against malicious hyperlinks in emails, providing time-of-click protection. WebTitan Cloud is one of the easiest web filters to implement, and can be set up in just a few minutes and will protect against cyberattacks over the Internet.
Multifactor authentication is important and will protect against the majority of automated attacks on accounts, but not all MFA is the same. The latest phishing kits can steal session cookies and bypass multifactor authentication controls. Businesses should consider implementing phishing-resistant MFA based on FIDO standards, as this will provide a much higher degree of protection.
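The two passages above make the same point: once a session cookie has been stolen, MFA at login no longer helps, because the cookie is the proof of a login that already passed MFA. A server-side mitigation is to bind each session to the client it was issued to and revoke it when the cookie is presented from somewhere else. The following is an added example written for this page (not code from TitanHQ or any product); the in-memory session store, the choice of an IPv4 /24 or IPv6 /64 network as the binding, the eight-hour absolute lifetime and the sample client values are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from ipaddress import ip_address, ip_network

SESSIONS = {}                 # constructed in-memory store: session id -> record
ABSOLUTE_LIFETIME = 8 * 3600  # assumption: re-authenticate at least every 8 hours


def client_network(ip):
    """Coarse network the client is on: /24 for IPv4, /64 for IPv6 (assumption),
    so a user whose address changes within the same network is not logged out."""
    prefix = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def fingerprint(ip, user_agent):
    """Binding stored with the session; compared on every request."""
    material = f"{client_network(ip)}|{user_agent}".encode()
    return hashlib.sha256(material).hexdigest()


def create_session(user, ip, user_agent, now=None):
    """Called only after password + MFA succeeded. Returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "fp": fingerprint(ip, user_agent),
        "issued": time.time() if now is None else now,
    }
    return sid


def validate(sid, ip, user_agent, now=None):
    """Returns 'ok', 'invalid', 'expired' or 'reauth'.
    'reauth' means the cookie was presented from a different network or
    browser than it was issued to: the session is revoked and the user must
    complete login and MFA again, which is what a replayed cookie cannot do."""
    record = SESSIONS.get(sid)
    if record is None:
        return "invalid"
    now = time.time() if now is None else now
    if now - record["issued"] > ABSOLUTE_LIFETIME:
        SESSIONS.pop(sid)
        return "expired"
    if not hmac.compare_digest(record["fp"], fingerprint(ip, user_agent)):
        SESSIONS.pop(sid)
        return "reauth"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: cookie issued to one client, replayed from another.
    sid = create_session("alice", "203.0.113.10", "Mozilla/5.0 (sample UA)")
    print(validate(sid, "203.0.113.20", "Mozilla/5.0 (sample UA)"))   # ok (same /24)
    print(validate(sid, "198.51.100.7", "Mozilla/5.0 (sample UA)"))   # reauth, session revoked
    print(validate(sid, "203.0.113.10", "Mozilla/5.0 (sample UA)"))   # invalid (already revoked)
```

The binding is a heuristic, not a cryptographic guarantee: a legitimate user who roams between networks will be asked to log in again, and an attacker who replays the cookie through the victim's own machine will not trip it. It complements, rather than replaces, the phishing-resistant FIDO credentials mentioned above, which harden the login step itself.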
An often neglected layer of security is security awareness training. Businesses are increasingly realizing the importance of security awareness training and more businesses now provide training to their employees, but providing once-a-year training sessions is not enough. Security awareness training needs to be regular if it is to be effective, so training courses should run continuously throughout the year. A modular course that delivers training every month in short sessions will be far more effective than a once-a-year training session. Businesses should also provide targeted training, with training courses developed based on an individual’s role and the threats they are likely to encounter. Phishing simulations should also be conducted to identify areas where training is not proving to be effective and to allow targeted training to be provided to individuals who fail to recognize threats. TitanHQ can help in this area through the SafeTitan security awareness training and phishing simulation platform.
With cyberattacks increasing in number and sophistication, there is no better time to revise your defenses than now. For more information on how you can improve your defenses against phishing, malware, business email compromise, and other cyberattacks, give the TitanHQ team a call.
Cybersecurity experts agree that security awareness training is an important part of any cybersecurity strategy. You can implement next-generation technology to repel malicious actors and prevent and rapidly detect cyberattacks, but it is important not to forget about the human element. According to the Verizon 2022 Data Breach Investigations Report, 82% of all data breaches involve the human element. Through training, you can teach cybersecurity best practices and reduce risky behaviors that open the door to hackers, and you can train employees how to identify phishing.
The percentage of companies providing security awareness training to their employees is increasing as the importance of training is now better understood, but one aspect of the training process that is often neglected is conducting phishing simulations on the workforce. Phishing simulations are fake but realistic phishing emails that businesses send internally to employees. You may wonder why you should do such a thing. Well, there are clear benefits that come from doing so. Here we provide five reasons why conducting phishing simulations on employees is beneficial.
1. Create a Baseline to Measure the Effectiveness of your Training
Many companies provide security awareness training but are unable to measure its effectiveness, other than a reduction in data breaches and phishing incidents. Phishing simulations are a great way to monitor the effectiveness of training over time and clearly show the return on investment. Conduct phishing simulations before you start your training program and you have a baseline against which you can measure the effectiveness of training over time and see the ROI.
2. Test the Effectiveness of Training in a Work Setting
You can show an employee the signs of phishing that they need to look out for, and you can test to make sure they have understood the training at the end of the training course, but that does not mean the training will be remembered nor that it will be applied when they are at work. Phishing is often successful because the emails arrive in inboxes when employees are busy, and that is why mistakes are made. Phishing simulations allow you to test whether training is being applied and whether it is proving to be effective.
3. Identify Weak Links
While most employees will take the training on board, will take greater care, and will follow the security best practices they have learned, there will always be employees who do not. Phishing simulations allow you to identify the weak links and take proactive action to address the problem before the employee falls for a real phishing email. A failed phishing simulation is an opportunity for intervention training. You can deliver training instantly in response to the problem, and provide a specific training course relevant to the mistake that was made. Providing relevant training at the point when the error is made is the most effective way of eradicating risky behaviors.
4. Practice Makes Perfect
You should not expect every employee to become a security Titan the second they complete their training course. They will not be able to instantly identify every phishing threat. It takes time to build up security awareness and create a security culture. Phishing simulations are a great way to do this. They give employees practice at identifying phishing threats in a safe setting. When a real threat arrives in their inbox, they will be much more likely to be able to identify the malicious message.
5. Identify Weaknesses in the Training Course
Phishing simulations identify human weaknesses to allow further training to be provided, but they also identify problems with the training course. If you send a phishing simulation that a large number of employees fail, that is likely to indicate a problem with the training course – a type of threat that you have not covered sufficiently well. You can then update your training course to ensure that specific threat is properly explained.
SafeTitan from TitanHQ
TitanHQ has developed a comprehensive security awareness training solution for businesses called SafeTitan. The platform includes an extensive library of training content on all aspects of security, with the courses divided into short computer-based training modules of no more than 10 minutes, which makes them easy to fit into busy workflows.
The training content is fun, gamified, and engaging, and is proven to help eradicate risky security practices and reduce susceptibility to phishing attempts. The platform includes a phishing simulator for testing whether employees can recognize phishing attempts – the most common way that cybercriminals attack businesses. Phishing simulation data shows susceptibility to phishing attacks can be reduced by up to 80% with SafeTitan.
If you have yet to provide security awareness training to your workforce and are not conducting phishing simulations, the ideal time to start is now. Contact TitanHQ today for more information or sign up for a free trial of the solution and put it to the test before deciding on a purchase.
Cybercriminals have a diverse arsenal for conducting attacks. Phishing is a leading attack vector used by ransomware gangs, nation-state threat actors, and other cybercriminals, and even the protection provided by multifactor authentication is now being bypassed in some sophisticated campaigns. Unpatched vulnerabilities are often exploited to gain access to networks, then there are brute force attacks to guess weak credentials, but many attacks are conducted over the web.
Common Web-Based Threats
Malicious adverts are added to advertising networks, which see the adverts displayed in the third-party ad blocks on many of the most popular websites. Termed malvertising, these adverts redirect users to malicious websites where malware is downloaded or to phishing content. The adverts often advertise fictitious software solutions, which users are tricked into downloading and installing. Oftentimes, genuine programs are installed, albeit with malware installed in the background.
Despite the controls Google has in place for detecting malicious content, some malicious ads are displayed in the search engine listings. These malicious adverts are displayed at the top of the Google listings, so can attract considerable traffic. In the fall of 2021, one such campaign targeted cryptocurrency investors, and saw losses incurred of more than $500,000 before Google detected and removed the malicious adverts from its Google Ads platform.
Malicious websites are also displayed in the search engine listings for specific business searches, with SEO poisoning techniques used to get the sites to appear high up in the listings. These websites may only have a short shelf life before they are detected and removed from the listings, but they are added in such volume that they do pose a significant risk. These campaigns are commonly used for distributing malware, with users tricked into thinking they are downloading the content or program they have been searching for.
Another common web-based attack involves pirated software and copyright-infringing material that is added to peer-to-peer file-sharing networks, where the user is tricked into installing the malware in the belief they are getting licensed software for free. The product activators or cracks used for generating license codes often install malware in the background. Users may get the genuine software they are seeking, but malware is silently installed in the background.
Another tried and tested web-based attack – which has been used by cybercriminals for almost as long as the web itself – is known as typosquatting or URL hijacking. Typosquatting targets careless typists. The threat actor registers a swathe of domains that are very similar to the domains used by the brands they are spoofing. These domains often have transposed letters (Microsfot.com, for instance) or are registered with missing or additional letters.
These websites do not need to appear in the search engine listings as they target people who type the website into the address bar. Since these websites may look almost identical to the sites they spoof, they can be very convincing. These campaigns are especially effective for targeting mobile users, as misspellings are much easier to make on mobile phones and users are much less likely to check the URL after typing.
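The three mutations named above (transposed, missing and additional letters) are each one edit away from the genuine name under the Damerau-Levenshtein distance, which gives a defender a simple detector: compare the domains seen in DNS logs against the brands the business cares about and flag anything within one edit that is not an exact match. The code below is an added example for this page, not tooling from TitanHQ or the campaign described; the brand list, the DNS log lines and the "second label is the registered domain" rule are constructed assumptions (the rule would need a public-suffix list to handle names such as co.uk).

```python
# Constructed brand labels to protect (exact matches are the legitimate domains).
PROTECTED_BRANDS = {"microsoft", "paypal", "google", "tiktok", "snapchat"}

# Constructed DNS query log lines: timestamp, client, record type, queried name.
SAMPLE_DNS_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 A microsfot.com
2023-06-01T10:00:02Z 10.0.0.5 A google.com
2023-06-01T10:00:03Z 10.0.0.9 A paypa1.com
2023-06-01T10:00:04Z 10.0.0.9 A login.micrsoft.com
2023-06-01T10:00:05Z 10.0.0.7 A example.org
2023-06-01T10:00:06Z 10.0.0.7 A tiktok.com
"""


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1 each,
    so micro-sfot vs micro-soft is 1, not 2."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def registered_label(host):
    """Label just below the TLD (assumption: simple TLDs only)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_domains(log_text, brands=PROTECTED_BRANDS, max_distance=1):
    """Return [(queried_domain, brand, distance)] for names within max_distance
    of a protected brand that are not the brand itself."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host = line.split()[-1]
        label = registered_label(host)
        if label in brands:
            continue  # the genuine domain
        for brand in sorted(brands):
            dist = osa_distance(label, brand)
            if dist <= max_distance:
                findings.append((host, brand, dist))
    return findings


if __name__ == "__main__":
    for host, brand, dist in lookalike_domains(SAMPLE_DNS_LOG):
        print(f"{host}: looks like {brand} (distance {dist})")
```

Raising max_distance catches more variants but also more unrelated short names, so in practice the threshold is paired with a brand-specific allow list of known-good affiliates and CDN names before anything is blocked rather than merely reported.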
Last weekend, a massive typosquatting campaign was discovered that included more than 200 separate domains, each of which was a clone of the brand being spoofed or a very close approximation. The domains included common misspellings and typos of 27 different brand names, including PayPal, Snapchat, Google Wallet, the Tor Project browser, and TikTok. In this campaign, the goal was to trick visitors into downloading Windows or Android malware – a banking Trojan called ERMAC that targets accounts and cryptocurrency wallets.
These are just a few examples of web-based attacks and despite the risks posed by these types of attacks, many businesses do not have the cybersecurity solutions in place to detect and block these threats. Security awareness training will go a long way toward improving defenses against these attacks and should be provided regularly to the workforce. Businesses should also consider implementing a web filter.
A web filter is a software solution that allows businesses to control the content their users can access, like a parental control filter that prevents minors from accessing age-inappropriate content. The web filter is fed extensive threat intelligence from a global network of endpoints. When a malicious site is detected, it is added to the blocklist and any attempt to connect to the site will be prevented.
Web filters such as WebTitan Cloud, TitanHQ’s DNS-based web filter, also scan websites and score them on their potential to be malicious. This provides protection against new URLs that have yet to be detected as malicious. WebTitan Cloud can also be configured to block downloads of certain file types, such as executable files that are used to install “shadow IT” – software unauthorized by the IT department – and malware. Content can also be blocked by category, to help improve productivity and prevent access to inappropriate web content such as pornography.
Importantly, WebTitan Cloud protects businesses from all of the above web-based attacks. For more information on web filtering, to arrange a product demonstration, or to sign up for a free trial of the solution, give the TitanHQ team a call.
A new and dangerous malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium malware is an information stealer with extensive functionality, which is offered under the malware-as-a-service (MaaS) model.
MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription. The MaaS operator provides detailed instructions on how to conduct attacks, which means the malware can be used without having to become a programming expert. In fact, many MaaS operations make conducting attacks incredibly easy, requiring little in the way of technical skill. After signing up to use the malware, it can be operated via the web-based UI, where users can access the data stolen by the malware. Oftentimes, live chat is available to help resolve any issues.
Currently, one of the most popular information stealers available under the MaaS model is the RedLine Stealer, which is a highly capable malware variant that can be purchased or rented under a subscription model. The malware can steal information from browsers such as autocomplete data and saved credentials, steal from FTP and IM clients, and from cryptocurrency wallets. The latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive.
Erbium malware is disrupting the market, offering broadly the same capabilities as RedLine but for a fraction of the cost. Initially, Erbium malware was being advertised at just $9 per week, although due to the popularity of the malware the price was increased to $100 per month. Even with the increase, the malware is far cheaper than RedLine, and based on user feedback, it is proving very popular with the cybercrime community.
Erbium malware is a work in progress, but it already has extensive capabilities. The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed on web browsers and attempts to steal from a wide range of cold desktop cryptocurrency wallets. The malware can also steal 2FA authentication codes from EOS Authenticator, Authy 2FA, Authenticator 2FA, and Trezor Password Manager, and steal Steam and Discord tokens, and Telegram auth files. The malware can profile the host and exfiltrate data via its API system to the command-and-control server. Users can log in to the UI and get an update on infections and access their stolen data.
As is quite common, the malware is distributed via fake software, fake cracks, and cheats for video games, so the best way to prevent infection is not to download these, and to only download software from reputable sources. Businesses can take additional steps to reduce risk, with the best defense being a web filtering solution.
Web filters are fed threat intelligence and incorporate blacklists of known malicious websites, such as sites used for distributing malware. They can also be configured to block access to certain categories of websites, such as warez sites and peer-2-peer file sharing networks, where pirated software, cracks, and product activators are made available.
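To make the layering concrete (threat-intelligence blocklist first, then category policy, then a risk score for names nobody has classified yet, with file-type control as a separate HTTP-layer decision), here is a toy policy engine for a DNS-based web filter of the kind described here and in the WebTitan Cloud passage above. It is an added example and not WebTitan's code; the blocklist, the category feed, the policy values and the risk heuristics are constructed assumptions, where a real filter is fed these from threat-intelligence feeds and crawler classification.

```python
"""Toy policy engine for a DNS-based web filter.

Added example, not WebTitan's code. The blocklist, category feed, policy
values and risk heuristics are constructed assumptions; a real filter is fed
these from threat-intelligence feeds and crawler classification.
"""
import math
import posixpath
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed threat intelligence: names known to serve malware or phishing pages.
BLOCKLIST = {"malware-drop.example": "malware", "login-paypa1.example": "phishing"}

# Constructed category feed: sites a crawler has classified into content categories.
CATEGORIES = {"cracks.example": "warez", "torrents.example": "p2p", "news.example": "news"}


@dataclass
class Policy:
    blocked_categories: set = field(default_factory=lambda: {"warez", "p2p", "adult"})
    blocked_extensions: set = field(default_factory=lambda: {".exe", ".msi", ".scr", ".bat", ".js", ".vbs"})
    risk_threshold: int = 5      # unclassified names scoring this or higher are sinkholed
    sinkhole: str = "0.0.0.0"    # address answered for blocked names


def parent_chain(name: str):
    """Yield the name and each parent so a listing for b.example also covers a.b.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def risk_score(name: str) -> int:
    """Points (0-10) for a name with no reputation data. Assumed heuristics:
    machine-generated names tend to be long, high-entropy and digit-heavy."""
    label = max(name.lower().split("."), key=len)
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    score = 0
    if len(label) > 20:
        score += 3
    if entropy(label) > 3.5:
        score += 4
    if digit_ratio > 0.3:
        score += 3
    return score


def resolve_policy(qname: str, policy=None):
    """Decide what the resolver answers for a query. Returns (action, reason)."""
    policy = policy or Policy()
    for name in parent_chain(qname):
        if name in BLOCKLIST:                     # threat intelligence wins over everything
            return ("sinkhole", f"{name} on blocklist ({BLOCKLIST[name]})")
        cat = CATEGORIES.get(name)
        if cat is not None:                       # acceptable-use policy by category
            if cat in policy.blocked_categories:
                return ("sinkhole", f"{name} in blocked category {cat}")
            return ("resolve", f"{name} in permitted category {cat}")
    score = risk_score(qname)                     # nothing known: fall back to heuristics
    if score >= policy.risk_threshold:
        return ("sinkhole", f"unclassified name scored {score}")
    return ("resolve", "no match")


def download_policy(url: str, policy=None):
    """File-type control needs the full URL, so it runs at the HTTP layer, not in DNS."""
    policy = policy or Policy()
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in policy.blocked_extensions:          # catches double extensions such as .doc.exe
        return ("block", f"file type {ext} blocked")
    return ("allow", "file type permitted")
```

The order of the checks matters: a blocklisted name is sinkholed even when its category is permitted, and the heuristic score is consulted only for names with no reputation data at all, which keeps false positives on well-known sites to a minimum. The sinkhole address is what the resolver answers for a blocked name; logging those answers gives the SOC a ready-made feed of blocked connection attempts.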
Web filters allow businesses to enforce their acceptable internet usage policies and block web-based attacks, such as phishing, and malware downloads over the Internet, with WebTitan Cloud one of the easiest web filters to implement and use. WebTitan Cloud takes just a few minutes to set up and configure, and requires no technical skill to operate. Users can gain full visibility into the online activities on the network, including real-time views of Internet access, and can easily block malware downloads and restrict access to risky websites to prevent unauthorized software downloads.
WebTitan Cloud is an award-winning DNS-based web filter that is consistently highly rated on independent business software review sites and allows businesses to easily improve their security posture and reduce legal risk. The full product is available on a free trial, with full product support provided throughout the trial. For more information about web security and content control with WebTitan Cloud, give the TitanHQ team a call today.
Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing one of the most common methods of gaining initial access to business networks. Phishing is used to obtain credentials, especially for cloud-based services and applications. Phishing emails are often used to deliver malware loaders. Once installed, the malware loader drops malicious payloads which ultimately results in a network-wide ransomware attack.
A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest profile ransomware operations. According to Symantec, Bumblebee Loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice.
The BumbleBee loader is primarily delivered via phishing emails and is used to create a backdoor in victims’ networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently high number of devices and systems have been compromised, the BumbleBee loader drops the ransomware payload. After sensitive data has been exfiltrated from the victim’s systems, the file encryption process is initiated.
According to Symantec, the Bumblebee loader has replaced several other malware variants that have proven popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader. The replacement of those malware variants with the Bumblebee loader appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken as it is likely that the malware could lead to a ransomware attack.
The Growing Threat of Ransomware Attacks
Ransomware attacks on businesses increased significantly in 2021. The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021 Ransomware Study by IDC found that 37% of global organizations had suffered at least one ransomware attack in 2021. Verizon reported in its 2021 Data Breach Investigations Report that the number of ransomware attacks doubled in 2021, and ransomware is now involved in 10% of all data breaches.
Ransomware attacks are being conducted on businesses in all industry sectors, with education, retail, professional and legal services, government, IT, manufacturing, energy, healthcare, and the financial services the hardest hit. Attacks can be extremely damaging to businesses and can cost millions of dollars to mitigate. Many businesses have been forced to close as a result of an attack.
How to Protect Against Ransomware Attacks
Many ransomware gangs operate under the ransomware-as-a-service model, where affiliates are recruited to conduct attacks in exchange for a cut of any ransom payments they generate. Having many affiliates conducting attacks means more attacks can be conducted than if ransomware gangs operated alone. Affiliates have specialist skills and excel at certain types of attacks, so defending against them requires blocking multiple attack vectors, which in turn requires multiple security solutions.
Defending against ransomware attacks requires a defense in-depth approach involving multiple layers of protection. An email security solution – such as SpamTitan – should be used for blocking attacks via email, such as emails distributing the Bumblebee loader. A DNS filter such as WebTitan should be deployed to block attacks over the Internet and prevent employees from visiting malicious and risky websites.
It is important to educate the workforce about the threat of phishing, malware, and ransomware, and train the workforce on how to recognize and avoid threats such as phishing and social engineering. TitanHQ offers the SafeTitan security awareness training and phishing simulation platform for creating a security-aware workforce.
Vulnerabilities are often exploited, so it is important to ensure that patches and software updates are applied promptly. In the event of an attack succeeding, businesses need to be able to recover quickly. One of the biggest causes of losses in ransomware attacks is lost business due to the disruption caused by an attack, not the cost of the ransom payment. To minimize damage and ensure the fastest possible recovery, an incident response plan should be developed that specifically covers ransomware attacks and that plan should be regularly tested in tabletop exercises.
It is naturally also vital for backups to be created of all data to ensure data can be recovered in the event of an attack. Multiple copies of data should be made, the backups need to be tested to ensure file recovery is possible, and the backups should be stored on a non-networked device, with one copy stored securely offsite.
Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested or to sites hosting malware.
A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes have been widely adopted during the COVID-19 pandemic for carrying out contactless operations, such as registering attendance at a venue and for viewing menus in restaurants to help prevent the spread of COVID-19.
Many smartphones have in-built QR code readers and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user will be directed to whatever web resource has been programmed into the code. While QR codes have many important uses, QR codes can be easily tampered with to direct individuals to malicious websites.
Phishing emails often contain links to malicious websites that have been masked by changing the text in the hyperlink. Hovering a mouse arrow over the hyperlink on a computer will display the URL to which the user will be directed; however, with a QR code the user may be instantly directed to the website and could be prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information.
Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim’s mobile device, allowing them to steal sensitive information such as passwords or bank account information.
Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct customers to malicious websites that mimic those used by the business in order to steal payment card information.
The Federal Bureau of Investigation (FBI) has recently issued a warning about the increase in the use of QR codes for conducting malicious activities. The FBI emphasized that QR codes are not malicious in nature but can be abused, so precautions should be taken when using QR codes, and users should not assume that QR codes are secure.
A study conducted by Ivanti in 2021 revealed 87% of people felt secure conducting financial transactions using QR codes. Given the rise in abuse of QR codes, that confidence is worrying. As with embedded hyperlinks in emails, it is important to exercise caution and to check the URL of the resource that the user is directed to before taking any actions. The domain should be checked to ensure it is correct, and care should be taken to look for any typos or misplaced or substituted letters.
The FBI recommends checking a QR code before scanning it to make sure it has not been tampered with, such as by overlaying a sticker on the original QR code. If prompted to download a file after using a QR code, be aware that the file may be malicious. If prompted to download an app, it is more secure to visit an official app store. It is also not necessary to download a QR scanner on most mobile phones, as this increases risk. The apps may be malicious, and many automatically direct users to a resource without requiring confirmation or providing information about the URL that the user will be directed to.
Businesses can protect their corporate-owned devices against QR code scams by installing a web filter. A web filter such as WebTitan can be used to prevent mobile devices from being used to visit malicious websites or web pages that violate acceptable internet usage policies. WebTitan will protect against any redirect to a malicious website, whether via a link in a phishing email or QR code and will also block malware downloads and potentially malicious files.
Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but they will need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.
Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and the health system chose not to pay the ransom. Once the recovery costs were added up – data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during remediation – the cost of the attack rose to $67 million.
While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland’s Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results.
A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief executive Paul Reid said it is likely to take months before all systems are brought back online.
Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operations center needs to be set up to monitor the network to prevent any further attacks. The initial costs incurred as a result of the attack were reported to be well over €100 million, but the overall cost of the attack is expected to rise to around half a billion euros – around $600 million.
An attack on such a major healthcare provider is naturally going to be incredibly costly, but ransomware attacks on small businesses can be catastrophic. Following a ransomware attack, an estimated 60% of small businesses fail within 6 months. One study showed the cost of remediating a ransomware attack doubled between 2020 and 2021, with the average cost now around $1.85 million. Attacks are also increasing. An analysis of the data leak sites used by ransomware gangs by cybersecurity firm Mandiant showed there has been a 422% increase in ransomware-related data leaks between Q1 2020 and Q1 2021.
How to Improve Your Defenses Against Ransomware
The most prolific ransomware gangs operate under the ransomware-as-a-service model. The creators of the ransomware do not conduct attacks; instead, they employ affiliates to conduct the attacks for them. That means more attacks can be conducted. The creators run the operation and take a cut of any ransom payments generated, with the affiliates retaining the bulk of the ransom payments from their attacks.
Affiliates conduct attacks using a variety of methods and no two attacks will be exactly the same. Preventing ransomware attacks therefore requires a range of different measures to block all of the attack vectors, but the best place to start is by improving phishing defenses. Phishing emails are increasingly used as the initial entry point into business networks, so if these malicious emails can be blocked at the email gateway, they will not be delivered to inboxes where they can be opened by employees.
That is an area where TitanHQ can help. TitanHQ has developed two advanced solutions that are effective at preventing ransomware attacks. SpamTitan is a powerful email security solution that filters out malicious messages to stop them from causing harm. Rather than being delivered, emails with malicious links and attachments are quarantined.
WebTitan is a DNS-based web filtering solution that complements SpamTitan to provide even greater protection against ransomware and malware attacks. WebTitan prevents employees from visiting the malicious websites where malware and ransomware are downloaded.
Both solutions are consistently given top marks on software review sites such as G2 Crowd, with the solutions given a maximum of 5 stars by users of Spiceworks and Capterra. SpamTitan has also received over 37 consecutive Virus Bulletin Spam awards.
If you want to improve your defenses against phishing, ransomware, and web-based attacks, give the TitanHQ team a call. If you would like more information about protecting against attacks, also be sure to attend the upcoming TitanHQ/Osterman Research webinar on June 30, 2021:
It used to be quite easy to identify a phishing email, but over the past few years, scammers have really upped their game. Some of the phishing emails now being sent can fool even the most security conscious and well-trained people, but if you know the signs of phishing email, you should be able to identify and avoid all but the most sophisticated phishing attempts.
What is Phishing?
Phishing is the name given to a tactic used by cybercriminals to obtain sensitive information through deception, often by impersonating a trusted source. Phishing is also used to deceive people into taking an action that allows the attacker to achieve their aim. This could be installing malware or even changing security settings on a device.
Phishing can be viewed as the digital equivalent of a confidence trickster, so these tactics are certainly nothing new. The attack technique gets the name from fishing. With fishing, a lure or bait is used to trick a fish into swallowing a hook. With phishing, a lure is used to trick an individual into taking an action in the belief that the request is genuine.
Phishing can take place over the telephone, in person, via text messages, social media networks, or chat platforms, although most commonly it occurs via email. Attacks are easy to perform, as all that is needed is an email address to send the messages and a phishing template. If credential theft is the goal, a website hosting a phishing kit is required to harvest credentials. Phishing kits are widely available on hacking forums and malware can also be purchased, so an attacker really only needs email accounts to send the messages.
Phishing emails can range from basic to highly sophisticated, and while email security solutions are effective at identifying phishing emails and ensuring they are not delivered to inboxes, no email security solution is capable of blocking every phishing threat without also blocking unacceptable numbers of genuine emails. It is therefore essential for employees to be told how to spot the signs of a phishing email and for them to be conditioned how to respond when a suspicious email is received.
Phishing Tactics are Constantly Changing!
There are tried and tested phishing techniques that are used time and time again because they are effective, but new lures are constantly being developed to trick individuals and evade email security solutions. It is not possible to train employees how to recognize every lure they are likely to receive, but it is possible to teach employees the most important signs of a phishing email, as there are commonalities shared across most phishing campaigns.
The aim of any training is not to ensure that every employee will recognize every phishing email, only to reduce susceptibility of the workforce to phishing attacks. Over time, employees will get better and will be able to recognize phishing emails and will get used to reporting suspicious emails to their security team.
What Are the Signs of a Phishing Email?
Every email received could potentially be a threat, even emails that appear to come from a known individual or other trusted source. Just because the sender’s name is familiar or the correct logos and contact details of companies are used, it does not mean that the email is genuine.
Some of the most effective phishing lures that are used to target businesses mimic genuine business communications such as purchase orders, receipts, invoices, job applications, shipping notifications, and non-delivery notifications. You should perform some quick checks of any email you receive, specifically looking for the following signs of a phishing email.
Urgency and Threats
Most phishing emails try to get the recipient to act quickly without thinking or checking for the signs of a phishing email. Some of the most effective lures require quick action to be taken to avoid negative consequences. Scare tactics are used, such as the threat of arrest or legal action, loss of service, loss of money, or even fear of missing out (FOMO).
Spelling and grammatical errors
Spelling and grammatical errors are common in phishing emails. These can be accidental – Google Translate errors – or deliberate. Why deliberately include spelling errors? Anyone who still falls for the email will be more likely to then fall for the next stage of the scam.
When businesses send emails, they are usually careful to ensure there are no spelling and grammatical errors. Most businesses have a spell and grammar check configured for all outbound emails.
Unnecessary or Unusual Attachments
Email attachments are commonly used in phishing emails that distribute malware. Attachments may not be what they seem and could have a double extension. A Word document could in fact be an executable file that installs malware when double clicked. Malicious scripts such as macros are often added to files that will execute and download malware if allowed to run. Malicious hyperlinks are often hidden in attachments such as PDF files, Word documents and Excel spreadsheets to hide them from email security solutions. Exercise caution when opening any attachment, scan it with your AV software before opening, and do not enable content or macros – you do not need to in order to see the contents of a genuine document. If in doubt do not open.
Odd hyperlinks
Hyperlinks are often included in phishing emails to direct the recipient to a website hosting a phishing kit. These links may appear genuine from the link text, but links are often obfuscated to make them appear genuine. Check the true destination before clicking by hovering the mouse arrow over the link. If the link is clicked, make sure the domain you land on is the correct domain used by a company, and be exceptionally careful if you are asked to enter sensitive information such as your Office 365 credentials.
Atypical Requests
Phishing emails will try to get you to take an action you would not normally take. If the request deviates from the normal requests received via email, you should be suspicious. This could be a request to send sensitive data via email, install a program, or make a call or click a link to install a security update. It pays to make a quick phone call to check the legitimacy of any odd request using previously verified contact information – never contact information in the email. Also look out for unusual greetings and overly familiar or overly formal emails from contacts – these deviations could indicate an email impersonation attack.
Unfamiliar Email Addresses and Domain Names
Phishers often hijack email accounts, so phishing emails can come from genuine email accounts, but it is most common for free email accounts to be used or for attackers to create email accounts on their own domains. Those domains often closely resemble the brand that the attackers are impersonating. Watch out for hyphenated domains (e.g. microsoft-updates.com), transposed or missing letters (e.g. mircosoft.com), irregular characters (e.g. m1crosoft.com), and brand names used as subdomains (e.g. microsoft.phishingdomain.com). Carefully check the email address and the domain name.
Block Phishing Emails with TitanHQ
If you run a business and want to improve your security defenses, you should train your employees how to identify the signs of a phishing email. You should also ensure you have an effective email security solution in place that will block the vast majority of email threats to stop them from reaching inboxes. You should also consider implementing other anti-phishing solutions to create layered defenses.
This is an area where TitanHQ can help. TitanHQ offers two award-winning anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market: SpamTitan Email Security and WebTitan Web Security. Both can be used in tandem to greatly improve your defenses.
SpamTitan blocks malware and phishing emails at source and keeps inboxes free of threats, while WebTitan protects against the web-based component of phishing attacks, blocking attempts by users to access known malicious domains and stopping malware downloads from the Internet.
For further information on these solutions and how they can improve your phishing defenses, give the TitanHQ team a call today or drop us a line on email. If you want to test the solutions, both are available on a no-obligation free trial.
Learning how to identify phishing emails is an important skill: One that all employees need to master. Many phishing emails are easy to spot if you know the signs of a phishing email to look for.
It is not necessary to spend a couple of minutes checking every email at work, after all, that would leave little time for doing anything else. There are some quick and easy checks that take a few seconds and can easily allow you to identify phishing emails quickly. Performing these simple checks on each inbound email should become second nature before long.
5 Easy Ways to Identify Phishing Emails
Listed below are 5 basic checks that should be performed to identify phishing emails. These will allow you to identify the most common techniques used by phishers to steal your credentials or get you to install malware.
Check the Sender’s Email Address
Many emails will have a different display name to the actual email address, so it is important to check who the real sender is. The display name can be easily configured by the sender to make you think an email is genuine. You may receive an email that has PayPal as the display name, but the sender’s email address could have a non-PayPal domain or have been sent from a Gmail account or another free email service. Free email services such as Gmail, Yahoo, and Hotmail are not used by businesses.
Check that the domain – the part of the email address after the @ symbol – matches the sender. For PayPal that would be PayPal.com. Also check that the domain name is spelled correctly and that no letters have been transposed or replaced. It is common for an i to be replaced with the number 1, for example, for an m to be switched to rn, or for hyphens to be added to domains to make them look official – Pay-Pal, for instance.
Carefully Check Hyperlinks in Emails
Phishing occurs via email, but the actual credential theft usually occurs online. Hyperlinks are included in emails that direct people to a web page where they are asked to enter sensitive information such as their email login credentials. These web pages are usually carbon copies of genuine login prompts for services such as Office 365, apart from the domain on which the page is hosted.
You should be suspicious of any hyperlink in an email. Even clicking a link could be enough to trigger a malware download. You should check the true destination URL of a link, which may be masked with a button or legitimate looking text. Hover your mouse arrow over any link to check the destination URL.
The domain should match the sender and be the official domain used by the company. If the email has been sent from a company, visit the website by entering the correct domain into the address bar of your browser rather than clicking the link. If you believe the link to be genuine, remember to double check the page you land on, as you may have been redirected to a different website.
Be Wary of Email Attachments
Email attachments are often used in phishing to hide malicious content. Malicious hyperlinks are often added to Word documents and PDF files rather than included in the message body of the email, to evade security solutions.
Attachments commonly have macros – code – which will perform malicious actions if allowed to run. When you open these files, you will be prompted to “enable editing” or “enable content.” Doing so will allow the code to run. You will not need to enable any content in order to view a legitimate file.
Executable files are often attached to emails that will install malware if double clicked. Executable files include files with a .exe, .js, .bat, .scr, or .vbs extension. Also check for double extensions, such as .doc.exe or .pdf.exe. Windows may hide the actual extension of the file if it is known and only display the first part. If in doubt, do not open attachments, especially those in unsolicited emails. If you believe the attachment to be genuine, make sure you scan it with antivirus software before opening.
Spelling and Grammatical Errors
Many phishing emails are poorly written and contain spelling and grammatical errors. Official emails from a company will have been checked prior to being sent, so spelling and grammatical errors are extremely unlikely. Businesses often have spell checks on emails enabled by default. Many phishing messages are sent from Eastern Europe or other non-English speaking countries and have been translated using Google Translate so may sound a little odd.
Also be wary of any odd or unusual requests, such as a request to open a file when information could easily have been included in the message body or requests to send sensitive information via email.
Threats and Urgency
Most phishing emails attempt to get the recipient to take fast action and not consider the request too carefully. There is often a threat of bad consequences if action is not taken quickly, such as the closure of an account or loss of service. Phishers rely on fear (or fear of missing out) to get people to take action that they would normally not take and to act without thinking.
You may receive an email warning that your Netflix account will be closed due to a security issue unless you log in. Emails often threaten arrest or lawsuits if you do not take immediate action. You may receive a too-good-to-be-true email offering you an incredible bargain or claiming you have won a competition you did not enter. Sceptics are less susceptible to phishing!
Phishing is the biggest cyber threat faced by businesses. Phishing emails are malicious email messages that use deception to obtain sensitive information or trick individuals into installing malware. During the pandemic, cybercriminals took advantage of COVID-19 trends and created phishing emails that spoofed trusted entities such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention offering up to date information on the coronavirus. Companies offering personal protective equipment (PPE) were impersonated when there was a shortage of supply, and recently pharmaceutical firms have been spoofed to send offers related to COVID-19 vaccines.
One of the primary aims of these scams is to obtain Microsoft 365 credentials, which give the attackers access to the treasure trove of data that is typically found in email accounts. The compromised email accounts are used in email impersonation attacks on other individuals in the organization, or in business email compromise (BEC) attacks to trick finance department employees into making fraudulent wire transfers. A single compromised Microsoft 365 account can give attackers the foothold they need for a much more extensive attack on the organization, with phishing emails the initial attack vector used to deliver ransomware.
These phishing emails can be difficult for employees to identify, even when they are provided with security awareness training. Once an email lands in an inbox, there is a high chance of that email being opened and an employee taking the action requested in the email, so it is essential for businesses to have an effective email security solution in place that can identify and block these malicious messages.
Malware Delivery via Email is Increasing
Recent research has shown that phishing emails are now the primary method used to deliver malware and the number of emails distributing malware is increasing. A study recently published by HP in its threat insights report shows 88% of malware is now delivered via email, with the volume of messages distributing malware increasing by 12% from the previous quarter. Many of these emails contain executable files that directly install the malware on devices or run malicious code that launches memory-only malware.
Traditional antivirus software solutions often fail to detect malware variants sent via email. Antivirus software is signature based, so in order for malware to be detected, its signature must have been loaded into the AV software’s virus definition lists. If there is no signature, the malware will not be detected as malicious. The HP study showed almost a third of all phishing emails used to distribute malware involve previously unseen malware variants.
The threat groups conducting these phishing campaigns use obfuscation techniques and packers that allow malware to evade antivirus software. It typically takes an average of 8.8 days for the hashes of malware variants to be added to AV engines.
Blocking new malware variants is difficult, but not impossible. One of the ways that these emails can be detected is through the use of a sandbox. Email security gateways with sandboxes first scan inbound messages and check attachments using AV engines. Email attachments that are suspicious but are not determined to be malicious from the AV scan are then sent to the sandbox for in-depth analysis. Within the secure environment of the sandbox, the files are investigated for any malicious actions such as command and control center callbacks.
No anti-malware controls will detect all malware variants but using a spam filtering solution such as SpamTitan that uses sandboxing technology will greatly improve the malware detection rate and will help to keep your inboxes malware free. SpamTitan also allows rules to be created for departments, job roles, and individuals that will further improve protection against malware attacks. Rules can be set to prohibit certain file types from being delivered to inboxes – the types of files that are commonly used to deliver or mask malware.
For instance, a recent phishing campaign conducted to distribute NanoCore malware used a .zipx (compressed) file to hide the malware from email security solutions, and JavaScript (.js) files are similarly used to install malware. Blocking these uncommon file types for individuals who do not need to receive them will also help to reduce risk.
With phishing and malware attacks increasing, businesses need to ensure that their cybersecurity defenses are up to scratch and are capable of detecting and blocking these and other email and web threats. If you are receiving spam and phishing emails in your inboxes, have suffered a malware attack via email, or simply want to improve your defenses against email and web-based threats, give the TitanHQ team a call to find out more about cybersecurity solutions that can greatly improve your security posture at a very competitive price.
Network segmentation is the act of dividing a computer network into smaller physical or logical components. Two devices on the same network segment can then talk directly to each other. For communication to happen between segments, the traffic must flow through a router or firewall. This passage allows for traffic to be inspected and security policies to be applied.
Network segmentation is one of the key mitigation strategies for protecting against data breaches and many types of cyber security threats. In a segmented network, device groups have only the connectivity required for legitimate business use, so the ability of ransomware to spread is greatly restricted. However, all too often, organizations operate an unsegmented network.
Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.
If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.
Looking to get enterprise-grade protection from malware and phishing? Sign up for a free WebTitan demo today. Book Free Demo
Network Segmentation Benefits
There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization and makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, segmenting the network lets you easily limit the resources that can be accessed. Segmentation also provides greater security against internal threats.
Network Segmentation Best Practices
Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements; each zone consists of a Layer 3 network subnet to which several hosts connect.
The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level. There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.
Suggested Firewall Security Zone Segmentation
In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall, two DMZs (demilitarized zones), and an internal zone. A DMZ is an isolated Layer 3 subnet.
The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the Internet, these servers are the most vulnerable to attack, so they should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.
In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.
Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.
A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers, which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via Active Directory.
The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, Active Directory servers, and internal applications. We suggest that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1.
Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.
The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
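The zoning rules described above (Internet only to DMZ1 on published ports, no direct Internet access to DMZ2 or the internal zone, one-way internal to DMZ1, bidirectional internal and DMZ2, DMZ1 to DMZ2 on specific ports only) can be written down as a default-deny policy table and checked against candidate flows before they are turned into firewall rules. The following is an added example for this page, not a configuration from the article or any vendor. The zone address ranges and the port numbers other than the Internet-to-DMZ1 set (25, 80, 443) are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Zone address ranges: constructed example addressing, not from the article.
ZONES = {
    "dmz1": ip_network("192.0.2.0/24"),        # proxy, email and web servers
    "dmz2": ip_network("198.51.100.0/24"),     # application and database servers
    "internal": ip_network("10.0.0.0/8"),      # workstations, AD, internal servers
}

# Permitted NEW connections: (source zone, destination zone) -> allowed TCP ports,
# or None for any port. Pairs that are absent are denied. Only the Internet->DMZ1
# ports come from the article; the remaining port numbers are assumed placeholders.
POLICY = {
    ("internet", "dmz1"): {25, 80, 443},
    ("internal", "dmz1"): {25, 443, 3128},     # mail, web and the HTTP proxy; one-way only
    ("internal", "dmz2"): None,                # internal <-> DMZ2 is bidirectional
    ("dmz2", "internal"): {389, 636, 10000},   # AD authentication and backups (assumed ports)
    ("dmz1", "dmz2"): {5432},                  # web tier to database tier on one port
}

def zone_of(addr):
    """Map an IP address to its zone; anything outside the defined ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a new connection may be initiated from src_ip to dst_ip:dst_port.
    Reply packets of an accepted connection are handled by the firewall's state
    table, not by this function. Anything not explicitly listed is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True          # same segment: traffic never crosses the firewall
    ports = POLICY.get((src, dst), set())
    return ports is None or dst_port in ports

def audit(flows):
    """Evaluate (src_ip, dst_ip, dst_port) tuples and return them with a verdict."""
    return [(src, dst, port, "ALLOW" if is_allowed(src, dst, port) else "DENY")
            for src, dst, port in flows]

SAMPLE_FLOWS = [  # constructed test flows
    ("203.0.113.5", "192.0.2.10", 443),     # Internet -> web server in DMZ1
    ("203.0.113.5", "192.0.2.10", 22),      # Internet -> SSH on a DMZ1 host
    ("203.0.113.5", "198.51.100.20", 443),  # Internet -> DMZ2 directly
    ("203.0.113.5", "10.1.1.50", 445),      # Internet -> internal workstation
    ("192.0.2.10", "198.51.100.20", 5432),  # web server -> database server
    ("192.0.2.10", "10.1.1.50", 445),       # compromised DMZ1 host -> internal zone
    ("10.1.1.50", "192.0.2.10", 3128),      # workstation -> HTTP proxy in DMZ1
    ("10.1.1.50", "198.51.100.20", 1433),   # internal -> application server
    ("198.51.100.20", "10.1.1.5", 389),     # DMZ2 -> Active Directory
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("%-15s -> %-15s :%-5d %s" % row)
```

The sixth sample flow is the case the text calls out: a DMZ1 host that has been compromised gets no path into the internal zone because only the (internal, dmz1) direction exists in the table.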
Risks of an Unsegmented Network
A real-world example of an unsegmented network and the resulting attack is the massive Target data breach of 2013. Reportedly, the Target breach had its origin in a phishing email opened by an employee at a small HVAC company that did business with Target. The malware lurked in the HVAC network for two months before moving on to attack the Target network.
Once inside, the attackers were able to move laterally through Target’s internal network, eventually installing malware on point-of-sale (POS) terminals throughout the stores. In the wake of the attack, Target implemented network segmentation to prevent the kind of lateral movement that allowed the attackers to move through its systems in this breach.
It’s no surprise that a breach this huge is massively expensive and that the cleanup represents an almost overwhelming challenge. Bloomberg BusinessWeek reported that Target spent $61 million through Feb. 1 on the breach.
The damage?
The data of 110 million customers was compromised.
Over 100 lawsuits have been filed.
Banks have already spent $200 million related to the Target breach, and it’s unclear if there’s an even bigger payout on the horizon.
Effective network segmentation also makes it easier to detect signs of an attack. It’s not uncommon for a company’s Intrusion Detection System to generate such a large number of alerts that many go uninvestigated.
By concentrating on alerts related to sensitive parts of the network, security teams can prioritize incidents likely to be the most dangerous. Network segment traffic can also be monitored for unusual patterns or activity potentially indicating an attack.
Effective Network Segmentation is not enough
Many sectors, including manufacturing, retail, and industrial, are prime targets for cyberattacks. Organizations in these sectors are often not up to date in implementing key cybersecurity controls and so are not prepared for advanced and evolving attack methods.
By adhering to network segmentation best practices, you can optimize network security. There's no silver bullet to take down every attacker, but it’s possible to implement several layers of security that work together as a whole to defend against a myriad of attacks.
Layered Security to Prevent Data Breaches
Layered security allows each security layer to compound with the others to form a fully functioning, complete sphere of security. The internal network (ideally segmented) and its data are surrounded by powerful, interwoven layers that an attacker must defeat. These layers make a successful breach much more difficult.
Cybercriminals are already exploiting the lack of security at the DNS layer to conduct phishing attacks and gain access to proprietary enterprise data. Not securing the DNS layer is making it far too easy for hackers to take advantage. Securing the DNS layer is a straightforward process that requires no additional computer hardware or even any software installations. Many vendors now offer cloud based DNS filtering solutions that can be set up in minutes.
Isn’t it about time you started securing the DNS layer and making it much harder for cybercriminals to compromise your network? If you’re looking to get enterprise-grade protection from malware and phishing, check out WebTitan Cloud DNS filtering today.
FAQs
What does network segmentation mean?
Network segmentation is concerned with dividing a network up into smaller segments called subnets. This can improve network performance and is important for security. By using firewalls between each segment, you can carefully control access to applications, devices, and databases and can block lateral movement in the event of a successful cyberattack.
What is logical network segmentation?
Logical network segmentation is a popular way of segmenting a network. Instead of segmenting physical parts of the network such as routers and access points, logical segmentation uses concepts built into network infrastructure for segmentation, such as creating virtual local area networks (VLANs) that may share physical hardware.
Is network segmentation necessary for PCI compliance?
Organizations that store, process, and/or transmit cardholder data must comply with PCI DSS. One of the requirements is to use network segmentation to keep the cardholder data environment (CDE) separate from other parts of the network. Through network segmentation, organizations can isolate credit card data from all other computing processes.
Can network segmentation protect against ransomware attacks?
Network segmentation is a best practice that can help to reduce the damage caused by a malware or ransomware attack. If a computer is compromised, attackers will attempt to move laterally and access other devices and parts of the network. With network segmentation, lateral movement is much harder, so it becomes easier to contain malware and limit file encryption by ransomware.
What are the main benefits of network segmentation?
There are three main benefits of network segmentation. First is security. It reduces your attack surface and limits lateral movement in the event of a breach. Second, you can improve network performance, as traffic will be confined to the part of the network where it is required. Thirdly, it makes compliance easier by allowing you to separate regulated data from other computer systems.
Phishing remains the number one cyber threat to businesses and there are no signs that cybercriminals will be abandoning phishing any time soon. Phishing is defined as the use of deception to fraudulently obtain sensitive information, which often involves impersonating trusted individuals and using social engineering techniques to trick people into disclosing their login credentials.
It is not necessary to be a hacker to conduct phishing campaigns. All that is needed is a modicum of technical expertise and the ability to send emails. The actual phishing kits that are loaded onto websites to harvest credentials do not need to be created from scratch, as they can simply be purchased on hacking forums and dark net websites. A potential phisher only needs to pay for the kit, which typically costs between $20 and $1,000, then host it on a website, and send emails, SMS messages, or instant messages to direct users to the website.
The ease of obtaining a phishing kit makes this method of attacking businesses simple. All that is needed is a plausible lure, and many people will disclose their credentials. Figures released by security awareness training companies show just how frequently employees fall for these scams. Around 30% of phishing emails are opened by recipients, and 12% of those individuals either open attachments or click hyperlinks in emails.
One 2020 study, conducted on 191 employees of an Italian company, showed no significant difference between employees’ demographics and susceptibility to phishing. Anyone can fall for a phishing scam. Interestingly, that study, published by the Association for Computing Machinery, also found that while the employees believed their security awareness training had been effective, it did not appear to have any effect on their susceptibility to phishing attacks.
Phishing is popular with cybercriminals because it is one of the easiest scams to perform, and it is often successful and profitable. Security awareness training will help to prepare employees and, if performed properly, regularly, and with subsequent phishing simulations to reinforce the training, can help to reduce susceptibility, but what is most important is to ensure that phishing emails do not land in inboxes where they can be opened by employees.
To block the phishing emails at source you need an advanced email security solution. Many email security solutions are heavily reliant on blacklists of IP addresses and domains that have previously been used for phishing and other malicious activities. Along with SPF, DKIM, and DMARC to identify email impersonation attacks, it is possible to identify and block around 99% of phishing emails.
However, blocking the remaining 1% without also miscategorizing genuine emails as potentially malicious requires more advanced techniques. SpamTitan achieves an independently verified catch rate of 99.97%, which is due to standard anti-phishing measures coupled with greylisting and machine learning techniques.
Greylisting is the process of initially rejecting a message and requesting that it be resent. Since phishers’ mail servers are usually too busy on spam runs to retry, a failure to resend the message is a red flag. Along with other indicators, this helps SpamTitan catch more spam and phishing emails. Machine learning techniques are used to learn the typical emails that a company receives, so that deviations from the norm can be identified, which raises a further red flag.
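Greylisting as described above is usually keyed on the triplet of connecting IP address, envelope sender and envelope recipient: the first attempt receives an SMTP temporary failure, a retry that arrives after a minimum delay is accepted and the triplet is remembered, and a retry that never comes (or comes back too quickly) keeps being deferred. The following is an added example for this page, not SpamTitan's implementation; the timing parameters and the delivery attempts it replays are constructed. It is driven by an injectable clock so the sequence can be replayed without waiting.

```python
import time

class Greylister:
    """Triplet-based greylisting: (client IP, envelope sender, envelope recipient).
    First attempt -> 'defer' (SMTP 451). A retry at least min_delay seconds later,
    but within retry_window, -> 'accept', and the triplet is remembered for ttl
    seconds so later messages from the same triplet pass straight through."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, ttl=36 * 24 * 3600,
                 clock=time.time):
        self.min_delay, self.retry_window, self.ttl, self.clock = min_delay, retry_window, ttl, clock
        self._pending = {}   # triplet -> timestamp of first attempt
        self._allowed = {}   # triplet -> expiry timestamp of the whitelist entry

    def check(self, client_ip, sender, recipient):
        now = self.clock()
        key = (client_ip, sender.lower(), recipient.lower())
        expiry = self._allowed.get(key)
        if expiry is not None:
            if now < expiry:
                self._allowed[key] = now + self.ttl   # refresh on use
                return "accept"
            del self._allowed[key]                     # whitelist entry expired
        first = self._pending.get(key)
        if first is None or now - first > self.retry_window:
            self._pending[key] = now                   # new or stale triplet: defer it
            return "defer"
        if now - first < self.min_delay:
            return "defer"                             # retried too soon: still defer
        del self._pending[key]                         # a real MTA retried: accept
        self._allowed[key] = now + self.ttl
        return "accept"

def simulate():
    """Replay constructed delivery attempts against a fake clock.
    Returns (time, ip, sender, recipient, verdict) tuples."""
    now = [0.0]
    greylister = Greylister(clock=lambda: now[0])
    events = []

    def attempt(at, ip, sender, recipient):
        now[0] = at
        events.append((at, ip, sender, recipient, greylister.check(ip, sender, recipient)))

    attempt(0, "203.0.113.7", "newsletter@example.test", "alice@corp.test")      # defer
    attempt(60, "203.0.113.7", "newsletter@example.test", "alice@corp.test")     # too soon
    attempt(900, "203.0.113.7", "newsletter@example.test", "alice@corp.test")    # accept
    attempt(1000, "203.0.113.7", "newsletter@example.test", "alice@corp.test")   # whitelisted
    attempt(1200, "198.51.100.9", "prize@example-spam.test", "alice@corp.test")  # defer, never retried
    return events

if __name__ == "__main__":
    for event in simulate():
        print(event)
```

A legitimate mail server retries after a temporary failure, so the only cost to genuine mail is a one-off delay on the first message from a new triplet; a spam run that never retries simply never gets through. The whitelist TTL keeps that delay from recurring for correspondents who write regularly.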
In addition to a high detection rate and low false positive rate, SpamTitan is easy to implement and use, and regularly receives top marks in user reviews. SpamTitan has achieved 5 out of 5 on Expert Insights, is the most reviewed and best reviewed email security solution on G2, and is also a top-rated solution on Capterra, GetApp, and Software Advice.
SpamTitan works seamlessly with Office 365 and greatly improves phishing email detection, is priced to make it affordable for small- and medium-sized businesses, and has a much-loved managed service provider offering, allowing MSPs to incorporate highly effective spam and phishing protection into their service stacks.
If you want to improve your defenses against phishing attacks, why not give SpamTitan a try. You can trial the solution for two weeks free of charge, during which time you will be able to try the full product and will have access to full product support, should you need it.
Give the TitanHQ team a call today to find out more!
DNS filtering – or Domain Name System filtering to give it its full title – is a technique for blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 198.35.26.96. The DNS maps domain names to IP addresses to allow computers to find web resources.
When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.
So how does DNS Web Filtering Work?
With DNS filtering in place, rather than the DNS server simply returning the IP address if the website exists, the request is subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites and previous crawls of websites and web pages, or will assess the web content in real time if the web page or website has not previously been crawled and categorized. If the website being accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.
This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.
Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
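The decision a filtering resolver makes for each query (look the name up against categorized domains, return the block page address when the category is forbidden by the acceptable usage policy, otherwise answer with the real record) is small enough to show in full. The following is an added example for this page, not WebTitan's code; the category data, the block page address, the policy and the upstream answers are all constructed. It generalizes the text slightly by walking up the name's parent domains so that a blocked domain also blocks all of its subdomains.

```python
BLOCK_PAGE_IP = "10.0.0.53"   # assumed local address that serves the block page

# Constructed category data. A real service maintains these lists from crawls
# and assesses uncategorized sites in real time.
CATEGORIES = {
    "example-phish.test": "malware",
    "login.example-phish.test": "phishing",
    "example-casino.test": "gambling",
    "example-news.test": "news",
    "example-proxy.test": "anonymizer",
}

# Categories forbidden by the (constructed) acceptable usage policy.
POLICY_BLOCKED = {"malware", "phishing", "gambling", "anonymizer"}

# Constructed stand-in for the upstream resolver's real A records.
UPSTREAM_RECORDS = {
    "www.example-news.test": "192.0.2.20",
    "example-casino.test": "192.0.2.30",
    "www.example-phish.test": "192.0.2.40",
}

def fake_upstream(name):
    """Pretend to resolve a permitted name; unknown names get a fixed test address."""
    return UPSTREAM_RECORDS.get(name.lower().rstrip("."), "192.0.2.1")

def categorize(name):
    """Return (matched_domain, category) for a name, checking the exact name first
    and then each parent so a blocked parent also covers its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return candidate, CATEGORIES[candidate]
    return None, None

def filter_decision(name, upstream=fake_upstream):
    """What the filtering resolver answers for a query for `name`.
    Blocked names receive the block page address instead of the real record."""
    matched, category = categorize(name)
    if category in POLICY_BLOCKED:
        return {"name": name, "answer": BLOCK_PAGE_IP, "blocked": True,
                "category": category, "matched": matched}
    return {"name": name, "answer": upstream(name), "blocked": False,
            "category": category or "uncategorized", "matched": matched}

def resolve_batch(names, upstream=fake_upstream):
    """Decide a list of queries, e.g. a captured batch of lookups from one client."""
    return [filter_decision(n, upstream) for n in names]

if __name__ == "__main__":
    for d in resolve_batch(["www.example-news.test", "www.example-phish.test",
                            "login.example-phish.test", "example-casino.test",
                            "vpn.example-proxy.test", "unknown.test"]):
        print("%-28s %-9s %-14s %s" % (d["name"], "BLOCK" if d["blocked"] else "allow",
                                       d["category"], d["answer"]))
```

Because the block happens at the lookup stage, the client never opens a connection to the forbidden host; the only extra work per query is the dictionary walk, which is why DNS filtering adds essentially no latency to permitted lookups.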
Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today. Book Free Demo
Will a DNS Filter Block All Malicious Websites?
Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.
The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.
Can a DNS Filtering Service be Bypassed?
The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter. Your DNS filtering service should allow you to easily block access to anonymizer websites and prevent the use of proxy servers and virtual private networks (VPNs). Configuring the DNS filtering service to block access to these services will prevent all but the most determined employees from bypassing the DNS filtering service.
The other key way of bypassing a DNS filtering service is to manually change the DNS settings locally, so it is important for these settings to be locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
There may be a legitimate need to bypass a DNS filtering service. Some DNS content filtering solutions have a feature that allows administrators to temporarily remove content filtering controls. WebTitan Cloud uses cloud keys for this. The cloud key can be issued to a user to bypass content filtering settings for a set time period, such as if research needs to be conducted.
DNS Content Filtering for CIPA Compliance
Schools and libraries in the United States are required to comply with the Children's Internet Protection Act (CIPA) in order to receive E-rate discounts and qualify for federal grants. There are several requirements of CIPA, one of the most important being to block or filter Internet access to prevent access to images that are obscene, involve child pornography or child abuse, or could otherwise be harmful to minors.
DNS content filtering is the easiest and most cost-effective way of complying with this requirement of CIPA and applying content filtering controls for both wired and Wi-Fi networks. DNS content filtering solutions require no hardware purchases, no software needs to be installed, and they are easy to implement and maintain. DNS content filtering solutions have highly granular filtering controls and allow precision control over content, without overblocking.
DNS Web Filtering Software from TitanHQ
Now that you have a better idea of how DNS filtering works, we will introduce you to WebTitan Cloud. WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the internet, block access to malicious content, and enforce your acceptable internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the internet in minutes.
WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff. The WebTitan DNS web filtering solution - WebTitan Cloud - is a feature-rich, cloud-based solution with a low maintenance overhead and a three-tiered filtering mechanism for maximum granularity. Universally compatible and infinitely scalable, WebTitan Cloud has SSL inspection to provide the highest level of defense against online threats.
WebTitan Cloud can be integrated with multiple management applications (Active Directory, LDAP, etc.) for easier administration. WebTitan can also be remotely configured and adjusted from any Internet-enabled device. An unlimited number of users can be filtering at any time.
Try DNS Filtering Software with SSL Inspection for Free
If you would like to evaluate the benefits of the WebTitan DNS filtering solution in your own environment, please get in touch. Our team of experienced security professionals will answer any questions you have about DNS Internet filtering and guide you step by step through the process of registering for your free trial.
Once you are registered, we will walk you through the process of redirecting your DNS to receive our service. There are no credit cards required, no contracts to sign and no commitment from you to continue with our DNS filtering software once the trial period is over. Simply call us today, and you could be adding an extra level of security to your organization's web browsing activity within minutes.
WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites and 6 billion web pages in 200 languages, including coverage of the Alexa top 1 million most visited websites. Industry leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.
These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.
Why WebTitan is a Vital DNS Web Security Layer for Your Business
DNS Security Layer - Filter URLs, detect malicious threats, create flexible policies, and more with an API driven DNS security filter
Full Path Detection - Provide analytical credibility to any activity marked as malicious with page and path-level reporting.
User Identification - Assign custom policies to a user or group of users with uniquely identifiable user names.
Scalable Support - Handle any volume of usage with no latency and receive support from our top-class team.
Reporting - full suite of reports including behavior, trend and security reports.
API Driven - robust API set that allows our MSP customers to easily incorporate WebTitan DNS filtering directly into their existing cloud offering.
URL Filtering - block access to websites known to contain malware.
Remote & Roaming Users - allows off-network roaming by users while continuing to apply their policy.
Content Filtering - highly granular content controls with multiple integration options and comprehensive malware protection.
AI Threat Intelligence - real time AI driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.
What WebTitan Customers Have to Say
"WebTitan is an outstanding tool for the most reliable content filtering. The monitoring feature of this specific product is quite unique; it totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superbly easy and it can be done in just a few minutes, which saves my time and energy as well." Kristie H., Account Manager
"WebTitan is fairly easy to set up. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like; it will handle most situations with ease. [It] has provided us with a stable web filtering platform that has worked well for us for many years." Derek A., Network Manager
What 3 things are most important about employee internet access?
Employees need internet access to complete their work duties, but three things are essential: develop an acceptable Internet usage policy and have employees sign it; enforce that policy with a web filtering solution; and have a sanctions policy for when employees violate the rules.
What is best, a web filtering appliance or a cloud-based web filter?
Both options will provide clean, safe Internet access, but cloud-based web filtering does not require the purchase of a costly appliance, it is more flexible and scalable, and there is no patching burden. For SMBs and MSPs, cloud-based web filtering is the easiest and most cost-effective Internet filtering solution.
Does web filtering slow Internet speed?
Some web filtering solutions, particularly inline proxies that inspect page content, introduce a degree of latency. A DNS filtering solution makes its decision at the DNS lookup stage of a web request, before any content is downloaded, so the check completes within the time a standard DNS lookup already takes and adds no perceptible delay.
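The decision a DNS-layer filter makes, reduced to its essentials, as an added example (this is not WebTitan code; the category data, group policies and sinkhole address are constructed for illustration). The resolver normalises the queried name, walks up through its parent domains so a subdomain inherits its parent's category, applies the requesting group's policy, and either forwards the lookup upstream or answers with a sinkhole address so the browser never connects:

```python
"""Minimal model of a DNS-layer web filter (added example, not WebTitan code).

The filter sees only the name being looked up, never the URL path, so the
decision is made per hostname before any HTTP request is sent. Blocked names
resolve to a sinkhole address. Category data and policies are constructed."""

SINKHOLE = "0.0.0.0"

# Constructed category data; a real service carries many millions of entries.
CATEGORIES = {
    "malware-c2.example": "malware",
    "login-microsoft-verify.example": "phishing",
    "gambling.example": "gambling",
    "news.example": "news",
}

# Per-group policy: categories that are blocked for each user group (assumed).
POLICIES = {
    "default": {"malware", "phishing"},
    "finance": {"malware", "phishing", "gambling"},
}

# Explicit allow-list entries override category blocks (false-positive handling).
ALLOWLIST = {"news.example"}


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'NEWS.example.' == 'news.example'."""
    return name.strip().rstrip(".").lower()


def categorise(name: str):
    """Walk from the full name up through its parents so that
    cdn.malware-c2.example inherits the category of malware-c2.example."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


def resolve(name: str, group: str, upstream):
    """Decide before resolving. Returns (decision, address, category).
    `upstream` is a callable standing in for the real recursive lookup."""
    name = normalise(name)
    category = categorise(name)
    blocked = POLICIES.get(group, POLICIES["default"])
    if name in ALLOWLIST or category not in blocked:
        return ("allow", upstream(name), category)
    # Blocked: answer with the sinkhole so no connection to the host is made.
    return ("block", SINKHOLE, category)


def fake_upstream(name: str) -> str:
    """Constructed stand-in for a recursive resolver answer."""
    return "203.0.113.10"


if __name__ == "__main__":
    for q, g in [("news.example", "default"), ("cdn.malware-c2.example", "default"),
                 ("gambling.example", "default"), ("gambling.example", "finance")]:
        print(q, g, resolve(q, g, fake_upstream))
```

Because the decision is keyed on the hostname, a DNS filter cannot distinguish a malicious page from a clean one on the same shared host; blocking at page or path level needs a proxy or endpoint agent that sees the full URL.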
How can I provide DNS filtering as a managed service as an MSP?
Adding the WebTitan DNS filtering service to your service stack couldn't be easier. WebTitan can be set up in minutes, APIs allow easy integration into your existing back office systems, you will be provided with a white label version ready to take your branding, and you can even host the solution in your own environment.
How much does DNS content filtering cost?
There is considerable variation in price between different web filtering solutions. The most expensive solution will not necessarily be the best option for your business. Price depends on contract term, the number of users, and add-ons. TitanHQ’s DNS content filtering solution, WebTitan, typically costs around $1 per user, per month.
COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures.
Phishing campaigns were conducted offering advice about the virus and potential cures, as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set up that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates.
The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs, and throughout 2020 ransomware gangs were extremely active, especially in Q3 and Q4 of 2020, when attacks soared.
As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.
The Cyber Threat Landscape in 2021
The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely.
Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity. The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread malware and ransomware.
These COVID-19 vaccine scams have impersonated the World Health Organization, the Centers for Disease Control and Prevention, and vaccine manufacturers, and are likely to increase over the coming weeks and months. Campaigns have been identified in 2021 that impersonate public health authorities and trick users into clicking links and downloading files that install Trojans when opened.
We are also likely to see the scams offering financial support, virus information, and infection alerts continue, and offers of fake vaccine can be expected over the coming weeks and months.
One recently identified vaccine-related scam involved messages sent to businesses asking recipients to click a link to confirm their email address in order to receive the vaccine. Clicking the link directed them to a phishing website where Microsoft 365 credentials were harvested.
Since many employees will continue to work from home in 2021 until the risk of infection is reduced, attacks on remote working infrastructure are also likely to continue.
There is good reason to be hopeful in 2021 now that the vaccines are starting to be rolled out, but it is important for businesses not to let their guard down and to ensure that they have adequate protections in place to identify and block current and new threats.
Many scams are conducted via email, as it is the easiest way for cybercriminals to obtain the credentials they need to gain a foothold in business networks. It is therefore important to ensure that email security is up to scratch and an advanced spam filtering solution is in place that can block phishing and malware threats. If it is possible to implement multi-factor authentication, this should be widely used, especially on email accounts and remote access solutions.
Web filtering solutions are an important cybersecurity measure to deploy to block the web-based component of phishing attacks and to prevent malware and ransomware downloads over the internet. Web filters can be used to block access to known malicious websites and restrict access to risky websites, and cloud-based solutions are easy to deploy to protect both office-based and remote workers.
With many employees still working remotely, it is important to provide regular updates on threats and security awareness training on the threats they are likely to face. Patches and software updates should be applied promptly to prevent cybercriminals exploiting vulnerabilities, especially in remote access solutions such as VPNs which are being actively targeted.
Since ransomware attacks are an ever-present risk, ensure your critical data is regularly backed up and test your backups to make sure data recovery is possible in the event of disaster. A good strategy to adopt is the 3-2-1 approach: keep three copies of your data (the live copy plus two backups), on two different types of media, with one copy stored off-site or on a device that is not connected to the network, so that ransomware that reaches the network cannot encrypt every copy.
The 2021 threat outlook may be bleak, but with preparation and the above solutions in place, it is possible to prevent most attacks, detect attacks in progress, and recover quickly should an attack succeed.
The importance of choosing strong and unique passwords for every account you create has been highlighted by a recent data breach at the music streaming service Spotify. Security researchers identified a database that had been exposed on the Internet which contained the usernames and password combinations of around 300 million individuals. It is unclear where the database came from, although it is likely that it had been amalgamated from data leaks from several major data breaches of online platforms.
Interestingly, within the 300 million-record database was a field stating whether the username/password could be successfully used to login to a Spotify account. According to the researchers, an estimated 300,000 to 350,000 Spotify accounts had been breached.
This breach clearly demonstrates how a data breach at one company can provide the usernames and passwords to gain access to accounts at another. When a username/password is obtained in a cyberattack, it can be used to try to access other accounts that share the same username. A username is often an email address. People may have more than one email address, but there is usually one that is used across most platforms. There is nothing wrong with that of course, but there is a problem with using the same password with that email address on multiple online platforms.
If there is a breach at one platform, the password can be used to access many other accounts. In this example, up to 350,000 Spotify users had reused their password on more than one platform. The Spotify breach victims may well have had several other accounts breached if they used their password on other platforms too.
The credentials to the breached Spotify accounts could easily be sold to anyone who wanted a cheap Premium Spotify account. There have been many reports of passwords being changed to block the real account holder out of their account. The accounts also contain personal information that could be used in further attacks, such as to make convincing phishing emails to obtain the information necessary for identity theft and other types of fraud.
Trying 300 million username and password combinations is a time-consuming process, but that process is automated. An army of bots will work its way through a huge list of username/password combos to see which passwords work. Hackers can also include a list of commonly used passwords against a particular username which will increase the hit rate further. Many people choose easy to remember passwords for their accounts, which are also easy to guess.
The automated process of trying username/password pairs leaked from one service against the login pages of other services is called credential stuffing, and it is an effective way of breaching accounts. (Trying many passwords against a single username is password guessing or brute forcing; trying a few common passwords across many usernames is password spraying. They are detected differently, but all three exploit weak or reused passwords.) Recently there has been a swathe of credential stuffing attacks on companies in the retail, travel, and hospitality sectors. One report indicates that out of the 100 billion credential stuffing attacks between July 1, 2018 and June 30, 2020, 64% were on companies in those sectors.
Successful data breaches can result in the theft of hundreds of millions of usernames and password combos. Those credentials could be used on a wide range of different accounts, and since many people reuse passwords from personal accounts for their work accounts – such as Office 365 – one set of Spotify credentials could easily lead to a business Office 365 breach. An Office 365 account is all that is needed to launch further attacks on the company and achieve a more widespread and harmful data breach.
The solution to protecting against credential stuffing attacks is simple. Use a unique, strong password on every different account and use a password manager so you do not have to remember all of those passwords. Just set a very strong password for your password manager, and that means you just have one password to remember.
Businesses also need to take steps to block these attacks and prevent compromised credentials being used to access employee accounts. Multi-factor authentication is a must to block attempts to use stolen credentials to access accounts. Breaching Spotify accounts was easier than on other platforms as Spotify does not yet support multi-factor authentication.
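Besides MFA, a business can spot a credential stuffing run in its own authentication logs. The example below is added here and is not from any TitanHQ product; the log line format, the thresholds and the sample lines are all constructed. The signal is a single source trying many different usernames with a low success rate; the few successes are the accounts whose passwords were reused and should be forced to reset:

```python
"""Spot credential stuffing in authentication logs (added example; the log
format, thresholds and sample lines are assumptions, not from any product).

Stuffing looks different from an ordinary failed login: one source walks
through many *different* usernames, mostly failing, with the odd success
where a password was reused. Keying only on the source IP misses bots spread
across many addresses, so the same statistics can be keyed on a user agent,
ASN or /24 instead."""
import re
from collections import defaultdict

# Constructed sample log lines (syslog-like; the format is an assumption).
LOG = """\
2020-11-24T10:00:01Z auth ip=198.51.100.7 user=alice@example.com result=FAIL
2020-11-24T10:00:01Z auth ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-24T10:00:02Z auth ip=198.51.100.7 user=carol@example.com result=SUCCESS
2020-11-24T10:00:02Z auth ip=198.51.100.7 user=dave@example.com result=FAIL
2020-11-24T10:00:03Z auth ip=198.51.100.7 user=erin@example.com result=FAIL
2020-11-24T10:00:03Z auth ip=198.51.100.7 user=frank@example.com result=FAIL
2020-11-24T10:00:10Z auth ip=192.0.2.44 user=alice@example.com result=FAIL
2020-11-24T10:00:15Z auth ip=192.0.2.44 user=alice@example.com result=FAIL
2020-11-24T10:00:20Z auth ip=192.0.2.44 user=alice@example.com result=SUCCESS
"""

LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)")


def parse(log: str):
    """Yield (source_ip, username, succeeded) for each parsable line."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "SUCCESS"


def detect(log: str, min_users: int = 5, max_success_rate: float = 0.5):
    """Return {ip: details} for sources that look like credential stuffing,
    including the accounts they logged into (those passwords are burned)."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "hits": set()})
    for ip, user, ok in parse(log):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"] += 1
            s["hits"].add(user)
    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        # Many distinct usernames with a low hit rate is the stuffing signature;
        # a single username with many attempts is password guessing instead.
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": rate,
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect(LOG).items():
        print(ip, info)
```

In the constructed sample, 198.51.100.7 is flagged and carol@example.com is identified as a reused password to reset, while 192.0.2.44 (three tries against one account) is not: that pattern needs a per-account lockout or guessing detector rather than this one.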
An email security solution such as SpamTitan Cloud is also important for protecting against the email vector in the attacks on businesses. SpamTitan Cloud blocks malicious messages such as phishing attempts and, through outbound email scanning, will help you prevent any compromised mailboxes from being used in more extensive attacks on your organization.
Many companies now allow employees to work from home for at least some of the week. The number of companies allowing remote working increased by 300% from 1996 to 2016, according to a Gallup poll. In 2016, Gallup found that 43% of employees said they spent at least some time working away from their co-workers.
Then came the COVID-19 pandemic, which forced companies to allow virtually their entire workforce to work from home as countrywide lockdowns were introduced. Lockdowns have now been eased and employees are returning to their offices, but many have become accustomed to home working and want the option to continue. Since many employers noticed no drop in productivity – some even saw productivity increases – it is likely that some employers will continue to allow employees to work from home if they prefer. A study by Cartridge People in the UK found 32% of UK office workers were planning to continue to work from home after the lockdown was eased.
Remote Working Increases Security Risks
While productivity may not decrease and employers may be happy with some employees working from home, home working is not without its risks. It is harder for IT teams to secure devices and networks when the workforce is spread geographically and is not under the protection of the corporate firewall. With many workers connecting to their corporate networks remotely, it becomes harder to identify malicious connections among legitimate ones. It is also much easier for threat actors to attack remote workers who connect to the Internet via consumer-grade routers, which are often never updated and have many security holes.
With office workers, it is easy to check whether a request to change bank account details, or any other unusual request, is genuine: all it takes is a quick visit to the employee's desk. Phone calls can be made to remote workers, but performing these out-of-band checks is more time consuming and complicated, and so more likely to be skipped. The pandemic also forced many companies to allow their employees to work remotely using their personally-owned devices, which may lack the security measures implemented on corporate-owned devices.
There are also many distractions in the home that are not present in the office, which can increase the risk of mistakes being made such as responding to a phishing email. Many employees have reported working longer hours during the COVID-19 lockdown and have felt pressured to do so, or at least check their emails outside of standard office hours in an effort to show that they are present and productive.
These long hours and the reduction in true off-time, along with the distractions in the home, can make mistakes more likely. Mistakes are more likely to occur when workers are stressed, tired, or distracted. One recent study conducted by a Stanford University researcher found 47% of employees who fell for a phishing scam were distracted, and 57% of remote workers said they are more distracted working from home.
The boundaries between home and work life become blurred with home working, and there is a tendency for work computers to also be used for personal purposes, especially personal internet access, which further increases risk.
Managing Home Working Security Risks
Remote working is here to stay, but employers have a responsibility to their remote workers and must take steps to ensure that those workers remain productive, do not feel overworked, and to reduce the risk of burnout, cases of which have increased during the pandemic.
Steps must also be taken to ensure that cybersecurity doesn’t suffer. Additional measures should be implemented to reduce the risks associated with home working and with phishing the leading cause of data breaches, taking steps to improve protection against phishing attacks is a good place to start.
It is essential for cybersecurity training to be provided to the entire workforce, but especially remote workers. If workers are not taught how to identify phishing emails, they cannot be expected to spot a phishing email when one lands in their inbox. Training needs to be provided frequently and should include training on the new techniques being used by phishers. Phishing email simulations should also be conducted to identify employees that are susceptible and to single them out for further training.
Anti-phishing solutions need to be implemented to block phishing emails at source. No single solution will provide total protection, so it is best to implement multiple overlapping layers of protection to block phishing and other email-based cyberattacks. If you are using Office 365, you will have Microsoft's Exchange Online Protection (EOP) in place, which is provided free with the license. You should also layer a third-party solution on top of EOP, as many phishing threats bypass it. TitanHQ has developed SpamTitan to work seamlessly with Office 365 and complement its antispam and anti-phishing protections, greatly increasing protection against phishing and social engineering attacks.
Phishing attacks usually have an email and web-based component. Users click links in emails and are directed to malicious websites where credentials are harvested. A web filter will help to protect against the web-based component of the attack by preventing employees from visiting known phishing websites and for blocking malware downloads from the Internet. WebTitan, for example, can be used to protect both office and remote workers with no latency.
These protections will help you to block phishing attacks, but should one succeed and credentials be obtained, multi-factor authentication will help to prevent the credentials from being used to access accounts. Not all MFA solutions are created equal, so it is important to evaluate each solution to ensure it does not affect usability.
It is also important for Virtual Private Network (VPN) solutions to be used for remote access, but these are not without their weaknesses. VPN software must be kept up to date, as vulnerabilities in VPN gateways are actively targeted by threat actors, and MFA must be required for VPN logins. It is also important to log all connection and authentication events, monitor those logs for signs of compromise, and investigate any anomalous behavior such as logins at unusual hours or from unexpected locations.
With these measures in place, employers and employees can enjoy the benefits that come from remote working while effectively managing and reducing security risks.
Phishing is one of the biggest cyber threats faced by businesses and stopping phishing attacks from succeeding can be a big challenge. The purpose of phishing is usually to obtain sensitive information, most commonly employee credentials to email accounts, cloud services, social media accounts, or credit card or banking credentials. This is also achieved through the use of malware that is delivered using phishing emails.
Phishing attacks can take place over the telephone, via text message, social media networks, instant messaging, or any other form of communication, but most commonly the attack vector is email. For a phishing attack to be successful, user interaction is usually required. An employee must be convinced to part with the information that the phisher is targeting, and a wide range of lures are used to encourage that. Social engineering techniques are also used to pressure the recipient into acting promptly, so that they respond without really thinking about the legitimacy of the request.
At its most basic level, a phishing attack requires little skill and next to no financial outlay; however, many phishing campaigns now being conducted have been carefully crafted, research is conducted on the companies and individuals being targeted, and the websites used to harvest credentials are skillfully created and often carbon copies of the genuine websites that they spoof. Phishing emails often appear to have been sent from a trusted brand or contact, either by spoofing a genuine email address or using a compromised email account.
Some phishing attempts are laughable and are easily identified, others are much harder to identify, with some of the most sophisticated phishing emails virtually indistinguishable from genuine email requests.
As a business, you should take steps to improve your defenses against phishing attacks, as failure to do so could easily result in a malware or ransomware infection, costly data breach, theft of intellectual property, and damage to the reputation of your company.
Tips for Businesses to Improve Their Defenses Against Phishing Attacks
To help you improve your defenses and prevent phishing attacks from succeeding we have listed some of the steps you can take below. No one solution will be totally effective. The key to preventing phishing attacks is to implement overlapping layers of protection. For a phishing attack to succeed, it should be necessary for an attacker to bypass several layers of security.
Use an advanced spam filtering solution
The number one protection against phishing is a spam filter. A spam filter will prevent the majority of phishing and other malicious emails from reaching inboxes where they can be opened by employees. Advanced spam filters such as SpamTitan use many different methods to detect phishing emails. The message body and email headers are analyzed for the signatures of phishing, blacklists are used to block emails from known malicious IP addresses and domains, and machine learning techniques are used to predict the likelihood of a message being malicious. SPF and DMARC are used to block email impersonation attacks: SPF checks that the sending server is authorized for the sender's domain, and DMARC adds a domain-owner policy on what to do when that check fails or the authenticated domain does not match the From: header the user sees. Greylisting temporarily rejects mail from IP addresses that have not been seen before; genuine mail servers retry, while much bulk phishing infrastructure does not.
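How the SPF and DMARC checks fit together is easier to see in code. The following is an added example, not SpamTitan's implementation: it evaluates SPF for the envelope sender and then applies DMARC alignment against the header From: domain. DNS is replaced by a constructed dictionary of TXT records so it runs offline, and DKIM verification is out of scope (the caller passes the signing domain only if the signature has already been verified elsewhere). Only the ip4, ip6, include and all mechanisms are handled, and the organisational-domain rule is a crude last-two-labels guess rather than a Public Suffix List lookup:

```python
"""SPF evaluation plus DMARC alignment for one inbound message (added example,
not SpamTitan code). DNS answers are stubbed with a constructed dict."""
import ipaddress
from typing import Optional

# Constructed TXT records (assumption; a real check does live DNS lookups).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.mailer.example -all",
    "bounce.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=r",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(name: str) -> Optional[str]:
    return DNS_TXT.get(name.lower())


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for `ip`
    sending as `domain`. Handles ip4, ip6, include and all only."""
    if depth > 10:                      # RFC 7208 caps lookups; loops -> permerror
        return "permerror"
    record = txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return RESULT[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:                         # v4 address in a v6 network is simply False
                if addr in ipaddress.ip_network(arg, strict=False):
                    return RESULT[qualifier]
            except ValueError:
                return "permerror"
        elif mech == "include":          # include matches only on an inner 'pass'
            if check_spf(arg, ip, depth + 1) == "pass":
                return RESULT[qualifier]
        else:                            # a, mx, exists, ptr not handled here
            return "permerror"
    return "neutral"                     # no term matched and no 'all'


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(domain: str) -> Optional[dict]:
    rec = txt("_dmarc." + domain)
    if not rec:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None


def aligned(auth_domain: str, header_from: str, strict: bool) -> bool:
    if strict:
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(header_from: str, envelope_from: str, ip: str,
             dkim_domain: Optional[str] = None) -> dict:
    """SPF authenticates the envelope (MAIL FROM) domain, but the user sees the
    header From:, so DMARC additionally requires the two to align."""
    spf = check_spf(envelope_from, ip)
    policy = parse_dmarc(header_from) or parse_dmarc(org_domain(header_from))
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "accept"}
    spf_ok = spf == "pass" and aligned(envelope_from, header_from, policy.get("aspf", "r") == "s")
    dkim_ok = bool(dkim_domain) and aligned(dkim_domain, header_from, policy.get("adkim", "r") == "s")
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    action = "accept" if dmarc == "pass" else \
        {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
    return {"spf": spf, "dmarc": dmarc, "action": action}


if __name__ == "__main__":
    print(evaluate("example.com", "example.com", "203.0.113.5"))         # pass/accept
    print(evaluate("example.com", "attacker.example", "203.0.113.5"))    # spoofed From
    print(evaluate("example.com", "bounce.example.com", "203.0.113.5"))  # strict aspf
```

The third call in the usage block is the case that trips people up: SPF passes for the bounce subdomain, but with aspf=s the envelope domain must equal the From: domain exactly, so DMARC still fails unless a DKIM signature aligned to example.com rescues it.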
Provide regular anti-phishing training to employees
Even with an advanced spam filter, some phishing emails will sneak through so it is essential for employees to be trained how to identify phishing emails. They should be taught cybersecurity best practices, the dangers of macros and email attachments, and conditioned not to click on embedded hyperlinks in emails. You need to train your employees and provide regular refresher training sessions. You should also conduct phishing email simulations, otherwise you will not know if your training has been effective.
Implement 2-factor authentication
2-factor authentication requires the use of a second factor in addition to a password to gain access to accounts. In the event of a password being compromised in a phishing attack, without that second factor, it is difficult for the attacker to access the account. Many businesses fail to implement 2-factor authentication, even though it is highly effective at preventing unauthorized account access using stolen credentials.
Implement a web filtering solution
Spam filters are important, but many businesses fail to implement measures to block the web-based component of phishing attacks. A web filter will block attempts by employees to visit known phishing sites when they click links in emails, but also block redirects to phishing websites from general web browsing. Not all phishing attacks involve email. With a web filter in place, any attempt to visit a known malicious website will see that attempt blocked.
Make sure you patch promptly and update your software
Phishing emails are not always concerned with getting employees to disclose their credentials; oftentimes the aim is simply to get them to click a link in an email and visit a malicious website. Compromised websites are loaded with exploit kit code that probes the visitor's browser and plugins for known vulnerabilities and exploits them to silently download malware. After the link is clicked, no further user interaction is required. Exploit kits rely almost entirely on vulnerabilities that already have patches available, so patching promptly removes most of that attack surface.
TitanHQ has developed two anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market. SpamTitan is a powerful anti-spam solution with advanced features for blocking phishing attacks and is an ideal solution for layering on top of Office 365 to improve your phishing defenses. WebTitan is a cloud-based web filtering solution that prevents employees and guest users from visiting malicious websites. For further information on these solutions, to register for a free trial, or to book a product demonstration, give the TitanHQ team a call today.