HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with a SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.

Purple Protects Customers with TitanHQ’s WebTitan WiFi Content Filtering Solution

TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple.  Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.

The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.

WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.

As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.

Purple explained those requirements to TitanHQ, which was able respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

TitanHQ was able to respond rapidly roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ has its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”

Library Internet Filters to be Added in Watertown, SD

The use of library Internet filters to protect minors from harmful web content is a hot topic that is causing much debate in the United States. Libraries promote free research and learning. Having Internet filters in libraries naturally places restrictions on the types of content that can be accessed, potentially hampering both.

Many parents argue that library Internet filters are required to protect their children from accessing harmful web content or accidentally seeing obscene content on other patron’s screens.

Pornography is one of the biggest worries. Many individuals visit libraries to use the computers to access hardcore adult material, even though it is a public place with children present.  Parents argue that such actions must be prevented. There can be free research, but within limits.

It is not only parents that are concerned about the lack of library Internet filters. In many states, legislation is being considered to make it mandatory for library Internet filters to be put in place to restrict access to pornography.

Many libraries are resisting calls to restrict access to the Internet with web filters. The Library Board in Watertown, South Dakota is a good example. As a center for free research, the library board opposed the use of web filters. If library Internet filters were applied, it could potentially have an adverse effect on research and would result in the blocking of legitimate website content.

However, the library board has been under pressure to start filtering the Internet, with citizens petitioning the library board to start restricting access to inappropriate content, with city officials and law enforcement also appealing to the library board to start filtering the Internet.

The library board has now accepted that a web filter should now be used to control the content that can be accessed through its computers. A web filtering solution will be applied to block patrons from accessing obscene and illegal material. The web filtering solution is expected to be applied in the next few weeks and will be used to restrict access to certain web content via its wired and WiFi networks.

The Library Board was not opposed to the blocking of pornography, but to the other content that may accidentally be also blocked by the filtering solutions. Prior to making the decision to use liberary Internet filters, the Watertown police department assured the library board that filtering solutions are now far more sophisticated than they once were and can allow libraries to very carefully control the content that can be accessed.

The need to do something was made clear following a report that particularly concerning material had been downloaded by one patron through the library’s WiFi network. The library board is also keen to prevent its Internet connections from being used for illegal purposes, such as copyright infringing file downloads.

Additional controls will be applied to make this more difficult, such as limiting download speeds and applying timers on Internet access, with stricter controls on the wireless WiFi network since it is not possible to verify the age of the individual accessing the Internet.

In order to prevent the overblocking of website content, controls will be applied carefully and a system will be set up to allow patrons to request the unblocking of website content that has been accidently blocked by the filtering solution.

Watertown Library board is just the latest in an increasing number of libraries that has discovered it is possible to protect patrons’ First Amendment rights while also ensuring minors are protected from harmful website content. With highly granular library Internet filters such as WebTitan, it is possible to do both.

EternalRocks Worm Poses Far Greater Threat than WannaCry

The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network work uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to be the case for very long.

The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved checking a nonsense domain that had not been registered. If no connection was made, the ransomware element would proceed and start encrypting files. By registering the domain, the encryption process didn’t start. Had the domain not been registered, the attacks would have been more far reaching, affecting more than the 300,000 computers believed to have been affected by the Friday 12 attacks.

New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.

The WannaCry ransomware attacks involved just used two exploits developed by the NSA – EternalBlue and DoublePulsar. EternalRocks uses six NSA hacking tools (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).

In addition to the Windows Server Message Block (SMBv1) and SMBv2 hacking tools, this threat uses a SMBv3 exploit in addition to a backdoor Trojan, the latter being used to spread infection to other vulnerable computers on a network. Two SMB reconnaissance tools have also been incorporated to scan open ports on the public Internet.

EternalRocks is also capable of hiding on the infected machine after deployment. With the WannaCry attacks, users were alerted that their computers had been compromised when the ransomware encrypted their files and a note was placed on the desktop.

Once on a computer, the EternalRocks worm waits for 24 hours before downloading the Tor browser, contacting the attackers, and replicating and spreading to other devices on the network.

The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.

At present, the EternalRocks worm does not have any malicious payload. It neither installs malware nor ransomware, but that does not mean it poses no risk. Worms can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.

For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.

Preventing infection with EternalRocks worm and other similar yet to be released – or discovered – threats is possible by ensuring operating systems and software are patched promptly. Older operating systems should also be upgraded as soon as possible. As Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices. No Windows 10 devices were reportedly attacked.

New Uiwix Ransomware Variant Targets SMB Flaw

A new Uiwix ransomware variant has been detected using EternalBlue to gain access to vulnerable systems. Businesses that have not yet patched they systems are vulnerable to this new attack.

In contrast to the WannaCry ransomware variant that was used in Friday’s massive ransomware campaign, Uiwix ransomware is a fileless form of ransomware that operates in the memory. Fileless ransomware is more difficult to detect as no files are written to the hard drive, which causes problems for many antivirus systems. Uiwix ransomware is also stealthy and will immediately exit if it has been installed in a sandbox or virtual machine.

Trend Micro reports that the new Uiwix ransomware variant also “appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

As with WannaCry ransomware, the ransomware is not being spread via email. Instead the attackers are searching for vulnerable systems and are taking advantage of SMB vulnerabilities and attacking computers over TCP port 445. Infection with Uiwix sees the Uiwix extension added to encrypted files. The ransom demand to supply keys to decrypt locked files is $200.

The threat does not appear to be as severe as WannaCry, as the attackers are manually targeting vulnerable systems. Crucially, the ransomware lacks the wormlike properties of WannaCry. If one machine is infected, the ransomware will not then spread to other networked devices.

Since the WannaCry attacks, many businesses have now implemented the MS17-010 patch and have blocked EternalBlue attacks. Microsoft has also released a patch for Windows XP, Windows Server 2003, and Windows 8, allowing users of older, unsupported Windows versions to secure their systems and prevent attacks.

However, the search engine Shodan shows there are still approximately 400,000 computers that have not yet been patched and are still vulnerable to cyberattacks using the EternalBlue exploit.

Another threat that uses the EternalBlue and DoublePulsar exploits is Adylkuzz; however, the malware does not encrypt data on infected systems. The malware is a cryptocurrency miner than uses the resources of the infected computer to mine the Monero cryptocurrency. Infection is likely to see systems slowed, rather than files encrypted and data stolen.

Other malware and ransomware variants are likely to be released that take advantage of the exploits released by Shadow Brokers. The advice to all businesses is to ensure that software is patched promptly and any outdated operating systems are upgraded. Microsoft has issued a patch for the older unsupported systems in response to the WannaCry attacks, but patches for Windows Server 2003, Windows XP and Windows 8 are unlikely to become a regular response to new threats.