If you want to keep your computers and networks protected from malware, it is important to train your staff how to identify a malicious website. You should also install a powerful web filtering solution to ensure your employees’ malicious website identification skills are never put to the test.
Cybercriminals are developing ingenious ways of compromising networks
Scammers and cybercriminals used to mainly send out emails with infected attachments. Double clicking on the attachment would result in the computer, and possibly the network, being infected with malware. Oftentimes, this action would go undetected by anti-virus software programs. A full system scan would need to be conducted before the malicious software was identified.
Computer users are now much wiser and know never to open file attachments that have been sent to them by unknown individuals, and certainly never to double click on an executable file. Hackers and other cybercriminals have therefore needed to get smarter, and are now developing ever more sophisticated ways of obtaining user credentials and getting people to install malware manually. One of the ways they are doing this is by developing malicious websites.
End users are contacted via email and are sent links to websites along with a valid reason for visiting the site. Links to malicious websites are also frequently sent out in social media posts or are placed in third party website adverts. Some sites are hijacked and visitors are redirected to fake sites automatically.
What is a malicious website?
Malicious websites host malware or are used to phish for sensitive information. In the case of the latter, users are tricked into revealing sensitive data such as login credentials for online banking websites.
Malware may require some user interaction before it is installed. Visitors may be tricked into downloading a security program, for instance, by being informed their computer is already infected with malware. They may be offered a free screensaver, or asked to download a fake PDF invoice.
Increasingly, malicious websites are used to host exploit kits. Exploit kits probe visitors’ browsers to identify security vulnerabilities that can be exploited without any user interaction required. If a vulnerability is detected, malware can be installed automatically on the computer or network. This method of cyberattack is called a drive-by download. Drive-by downloads can involve malware being installed onto the computer’s hard drive, a network drive, or even loaded into the computer’s memory.
Learning how to identify a malicious website is important if you want to prevent your computer from being infected, and it is essential for system administrators and other IT professionals to conduct staff training to help end users avoid these dangerous sites.
How to identify a malicious website
There are some easy ways to tell if a website is attempting to install malware:
- The website asks you to download software, save a file, or run a program
- Visiting the website automatically launches a download window
- You are asked to download an invoice or receipt, such as a PDF file, .zip or .rar, or an executable file or .scr screensaver file
A malicious website may also tell you:
- Your computer is already infected with malware
- Your plug-ins or browser are out of date
- You have won a competition or free prize draw. You may also be offered free money or vouchers that require you to enter your credit card or banking information
If you are asked to download any files or update your software, conduct a check of the site via Google and try to determine whether the site is genuine. If in doubt, do not download any files.
If you are told your browser is out of date, visit the official browser website and check your version number. Only ever download updates from official websites.
If you have accidentally visited a drive-by download site, by the time you have connected it may already be too late to prevent malware from being downloaded. To protect against drive-by downloads you must ensure that your browser, add-ons, and plugins are 100% up to date. You should also use a software solution to block access to drive-by download sites.
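The download-prompt signs listed above translate into a small rule set that a mail gateway or web proxy can apply before a user ever sees the link. The following is an added example, not the article's or WebTitan's code: the proxy log lines, host names and allowlist are constructed, and it goes slightly beyond the list by also catching double extensions such as invoice.pdf.exe, which display as a PDF when file extensions are hidden.

```python
"""Classify download links by the warning signs in the list above.

Added example, not the article's or WebTitan's code. The proxy log lines,
host names and allowlist are constructed; the rules are a starting point,
not a complete filter.
"""
from urllib.parse import unquote, urlparse

# File types the article singles out (executables, archives, .scr screensavers)
# plus a few script/installer types commonly used the same way.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".msi", ".js", ".vbs", ".bat", ".ps1"}

# Harmless-looking types used as the first half of a double extension
# ("invoice.pdf.exe" shows up as a PDF when extensions are hidden).
BAIT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

# Words that recur in fake invoice, receipt and prize-draw lures.
LURE_WORDS = ("invoice", "receipt", "prize", "winner", "voucher", "update")

# Hypothetical allowlist: the only hosts users may fetch executables from.
ALLOWED_DOWNLOAD_HOSTS = {"updates.example-vendor.test", "intranet.example.test"}


def classify_download_url(url: str) -> dict:
    """Return a verdict ("allow", "review" or "block") with the reasons behind it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).lower()
    filename = path.rsplit("/", 1)[-1]
    exts = ["." + p for p in filename.split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []

    if last in RISKY_EXTENSIONS:
        reasons.append(f"risky file type {last}")
    if len(exts) >= 2 and exts[-2] in BAIT_EXTENSIONS and last in RISKY_EXTENSIONS:
        reasons.append(f"double extension {exts[-2]}{last}")
    if any(word in path for word in LURE_WORDS):
        reasons.append("lure word in path")
    if parsed.scheme == "http" and last in RISKY_EXTENSIONS:
        reasons.append("executable fetched over plain http")

    if host in ALLOWED_DOWNLOAD_HOSTS:
        verdict = "allow"  # trusted source: the official vendor or intranet site
    elif any(r.startswith(("risky", "double")) for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"url": url, "host": host, "file": filename, "verdict": verdict, "reasons": reasons}


# Constructed proxy log: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:02:11Z 10.0.0.12 GET http://billing-notice.example.test/docs/invoice.pdf.exe
2024-05-01T10:02:40Z 10.0.0.12 GET https://updates.example-vendor.test/update.exe
2024-05-01T10:03:05Z 10.0.0.15 GET https://free-prize-draw.example.test/claim/winner.html
2024-05-01T10:04:19Z 10.0.0.15 GET https://shop.example.test/photos/holiday.jpg
"""


def scan_proxy_log(text: str) -> list:
    """Return (client_ip, verdict, url) for every request that is not a clean allow."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or blank lines
        result = classify_download_url(fields[3])
        if result["verdict"] != "allow":
            findings.append((fields[1], result["verdict"], result["url"]))
    return findings


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:6} {client:12} {url}")
```

The allowlist check comes first on purpose: the article's advice to "only ever download updates from official websites" is exactly what that branch encodes, so a legitimate update.exe from the vendor host passes while the same file name from an unknown host is blocked.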
How to block end users from visiting a malicious website
Even legitimate websites can be hacked and used to host malicious code. They may use advertising networks that are used by cybercriminals to direct visitors to malware-hosting websites. The best defense is to block these adverts and malicious websites.
Blocking access to these websites is a simple process. All it requires is a powerful web filtering solution to be installed. WebTitan web filtering solutions for the enterprise will help you keep your network secure by preventing users from visiting sites known to host malware.
WebTitan uses two powerful anti-malware and anti-phishing engines – Kaspersky Lab and ClamAV – to detect malware-hosting websites. When malicious sites are detected, they will be blocked. WebTitan can also be configured to block access to questionable or illegal content.
If employees are trained how to identify a malicious website, and web filtering software is installed, your networks will be much better protected from malware infections.
Have you been considering implementing a honeypot for malware? Attracting malware may seem counterintuitive but there are great benefits to be had from setting up a honeypot. You will attract malware regardless, so why not make sure it gets installed somewhere safe?
Practical advice about implementing a honeypot for malware
A honeypot for malware can be highly beneficial for an organization; however, it is important to set it up correctly and to commit enough resources for maintenance and upkeep. A honeypot for malware will be of little use if it can easily be identified as a fake system, and even worse if it can be used as a platform to attack your real system.
Listed below are some tips and pointers to get started:
How much interaction are you looking for?
When setting up a honeypot for malware, you need to decide on the level of interaction you want. How much leeway will you give an attacker? How much activity are you willing to allow? Generally speaking, the more interaction you want to allow, the more time you will need to spend setting up your malware honeypot and maintaining it.
You must also bear in mind that the more interaction you allow, the higher the risk of the attacker breaking out of the honeypot and launching an attack on your real systems. High-interaction malware honeypots actually run real operating systems. If you are happy with low-level interaction, you can use emulation and it will require less maintenance and involve less risk.
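To make the low-interaction option concrete: the smallest useful emulation of a service is one that completes only the first step of the protocol, logs what the client said, and drops the connection. The code below is an added example, not from the article or from any honeypot project it names. It emulates just the SSH identification exchange (the version-string swap from RFC 4253): greet, record, disconnect. There is no shell and no authentication, so there is nothing for an attacker to break out of. The bind address, port and banner string are assumptions; the demo client is constructed.

```python
"""Low-interaction SSH "banner" honeypot.

Added example, not code from the article or from any named honeypot project.
Emulates only the SSH identification exchange, then disconnects. The bind
address, port and banner are assumptions; the demo client is constructed.
"""
import json
import socket
import threading
import time
from typing import Callable, Optional

# Constructed banner. Pick one that matches what your real hosts advertise,
# otherwise the honeypot stands out as the odd machine on the network.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
MAX_ID_LINE = 255   # RFC 4253 limits the identification string to 255 bytes
READ_TIMEOUT = 5.0  # seconds to wait for the client's identification line


def parse_identification(buf: bytes) -> Optional[str]:
    """Return the first line of attacker-supplied bytes as text, or None if empty.

    Decoding uses replacement characters so malformed input can never raise.
    """
    line = buf.split(b"\n", 1)[0].rstrip(b"\r")
    return line.decode("ascii", errors="replace") if line else None


def record_connection(conn: socket.socket, peer: tuple, now: Optional[float] = None) -> dict:
    """Handle one accepted client and return a JSON-serialisable event."""
    event = {
        "ts": now if now is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_banner": None,
        "bytes": 0,
    }
    conn.settimeout(READ_TIMEOUT)
    try:
        conn.sendall(FAKE_BANNER)
        buf = b""
        # Read until a newline, the size cap, or the client gives up.
        while len(buf) < MAX_ID_LINE and b"\n" not in buf:
            chunk = conn.recv(64)
            if not chunk:
                break
            buf += chunk
        event["bytes"] = len(buf)
        event["client_banner"] = parse_identification(buf)
    except (socket.timeout, OSError) as exc:
        event["error"] = type(exc).__name__
    finally:
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        conn.close()
    return event


def make_listener(bind: str = "0.0.0.0", port: int = 2222) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    srv.settimeout(0.5)  # lets the accept loop notice a stop request
    return srv


def _handle(conn: socket.socket, addr: tuple, sink: Callable[[dict], None]) -> None:
    sink(record_connection(conn, addr))


def serve(listener: socket.socket, sink: Callable[[dict], None], stop: threading.Event) -> int:
    """Accept clients until `stop` is set, one thread each; returns the number accepted."""
    accepted = 0
    while not stop.is_set():
        try:
            conn, addr = listener.accept()
        except socket.timeout:
            continue
        accepted += 1
        threading.Thread(target=_handle, args=(conn, addr, sink), daemon=True).start()
    listener.close()
    return accepted


def run_local_demo(client_banner: bytes = b"SSH-2.0-demo_client\r\n") -> tuple:
    """Start the honeypot on a loopback port, connect one constructed client,
    and return (event, greeting the client saw). Doubles as a self-test."""
    events: list = []
    listener = make_listener("127.0.0.1", 0)
    port = listener.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(listener, events.append, stop), daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(client_banner)
        greeting = client.recv(64)
    deadline = time.time() + 5
    while not events and time.time() < deadline:
        time.sleep(0.02)
    stop.set()
    worker.join(5)
    return (events[0] if events else None), greeting


if __name__ == "__main__":
    # Real use: one JSON line per connection on stdout, forwarded to your SIEM.
    serve(make_listener(), lambda ev: print(json.dumps(ev)), threading.Event())
```

Run it as a script and it listens on the assumed port 2222 and emits one JSON event per connection; call run_local_demo() to see a full exchange on loopback. The value is in the log, not the interaction: the client version string and source address are what you correlate with your real SSH hosts' logs. Because the emulation stops before key exchange, this is also the least risky kind of honeypot to run, which is the trade-off the paragraph above describes.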
Off the shelf malware honeypot systems are perhaps the easiest place to start, although there are open-source options available that can be tweaked to suit your needs. Just because you use a commercial honeypot, it doesn’t mean you need to spend big. There are many free options to try out.
Honeypots for malware and more…
A package is usually the logical place to start before progressing to open-source options or expensive, comprehensive honeypot systems. You can gauge how beneficial running a honeypot for malware is. If it proves to be useful, you can commit more time and resources to developing a fully customized honeypot for your organization. You can also start with a honeypot for malware and, if you are happy with the results, also set up a honeypot for SCADA/ICS and your web services.
We suggest the following to get started:
A great choice for simulating multiple hosts and services on a single machine using virtualization. This low-interaction honeypot allows a convincing network to be set up involving numerous operating systems such as Windows, Linux, and Unix at the TCP/IP stack level. Capable of identifying remote hosts passively.
An SSH server honeypot with medium interaction. Excellent logging capabilities allow a rerun of an attack to be viewed. Kippo allows complete file systems to be created.
A good honeypot for malware. Windows-based.
A honeypot for malware spread via USB drives.
A honeypot with low interaction that emulates web vulnerabilities that can be exploited using SQL injection.
A honeyclient (client-side honeypot) that emulates a web browser. A useful tool for exploring and interacting with a malicious website to determine what malicious code and objects it contains.
Powerful honeypot packages
There are three excellent comprehensive honeypot packages listed below. It may be better to pay for these packages than to commit the time and resources to developing your own custom honeypot system.
A Windows-based honeypot system with excellent functionality and flexibility. It is expensive, but it is the choice of professionals.
MHN, or Modern Honeypot Network to give it its full name, is open source, allowing for easy configuration and customization, with an extensive range of tools. It operates using a MongoDB database.
A virtual appliance (OVA) based on Xubuntu Linux. A good range of analysis tools is provided, along with a choice of 10 pre-installed honeypot software packages.
Your honeypot may be detected!
It may only be a matter of time before your honeypot is detected, and when that happens the information is likely to be shared with other hackers. Fortunately, there are many different packages to choose from and custom honeypots can be created. Hackers cannot therefore look for a single signature to identify a system as a honeypot.
There are common tell-tale signs that a system is a honeypot. We recommend taking action to address the following issues if you want to make sure your honeypot is not detected as a fake system.
- Ensure there is system activity – One sure sign of a fake system is it is not being used by anyone!
- You make it far too easy to compromise the system – setting “password” as the password for example
- Odd ports are left open and out of the ordinary services are being run
- Hardly any software has been installed
- Default configurations of software and operating systems have been installed
- The file structure is too regular, and file names are obviously fake – file names such as “user password list” and “staff social security numbers” are unrealistic
Also worth considering is whether to include a deception port. A deception port is an open port that will allow an attacker to detect a honeypot. What is the point? This will show any would-be attacker that they are dealing with an organization that has devoted a lot of time and effort to cybersecurity. That, in itself, may be enough to convince attackers to look elsewhere and pursue much easier targets.
Do you think a honeypot is worth the effort?
A chronic lack of cybersecurity funding is a common problem. Network administrators and IT managers alike must learn to deal with a small budget and do more with the money they have available. Unfortunately, budgets are unlikely to be increased substantially, even when faced with new threats and a greater risk of suffering cyberattacks. You will be expected to do your job with the money that has been allocated. At best you may get a slight funding increase for next year. In the meantime, you will just need to do your best. Your best must also be good enough.
Get organized and stop wasting time on repetitive tasks
You will get request after request via your support line, and many support tickets will be submitted requiring you to do the same thing over and over again. You can spend time dealing with the same problems, commit an extraordinary amount of time to fixing the same email, network, hardware, and software issues, but that is time and money that could be spent on other more important tasks. What you must do is tackle these problems and determine the root cause. Sort these out, and the support tickets will stop. It will take longer initially, but will save you a considerable amount of time in the long run.
Deal with a lack of cybersecurity funding by saving money and achieving more in less time
You may be thinking that is easier said than done. There may not be money to spend on new hardware or software. You cannot pay for solutions if the money is not available. There is a solution though. You can address these problems by cutting back on the time and resources devoted to other tasks, such as tackling the root cause of malware issues, virus infections, phishing scams, and many system malfunctions.
You can prevent a great deal of support tickets and save a lot of time by implementing two software solutions that have been designed to stop network administrators, IT helpdesk staff, and IT managers wasting time. A lack of cybersecurity funding need not mean you have to leave your network open to hacker attack, or leave your end users (and your network) exposed.
SpamTitan and WebTitan are two cybersecurity solutions that are cost-effective, easy to implement, and easy to manage. They will also help to keep your end users and network protected. A lack of cybersecurity funding need not spell disaster.
Coping with a lack of cybersecurity funding: SpamTitan and WebTitan anti-spam and web filtering solutions
SpamTitan offers IT professionals an easy option for dealing with email spam and the problems it causes. Cut down on the common reasons for end users submitting support tickets and calling IT support helplines, and save time and money. Your resources can then be diverted to dealing with more critical IT issues.
SpamTitan will clean inbound and outbound emails and will prevent issues created by:
- Spam and bulk emails
- Malware and viruses
- Dangerous email attachments
- Spam websites and spam hosts
- Phishing emails and malicious links
- Outbound spam
- IP address blocking and blacklisting
- Rate threshold violations
- IT related business reputation damage
WebTitan web filtering solutions keep users protected and cut back on wasted time from:
- Drive-by attacks
- Malicious websites
- Social media usage issues
- Accessing of inappropriate content
- Loss of bandwidth
- Malicious adverts
- Inappropriate Internet use
- Rogue app threats
For further information on how WebTitan and SpamTitan can save your company – and the IT department – time and money, visit: www.spamtitan.com and www.webtitan.com