Month: April 2023

Threat Actors Increasingly Using Google Ads for Malware Distribution

Malicious actors are increasingly abusing Google Ads to drive traffic to websites that deliver malware. Google places its ad blocks at the top of the page, so the adverts are the first thing people see when search results are displayed. The adverts are tailored to specific search terms and are effective at driving traffic to legitimate websites. Consumers are made aware that the links displayed at the top of the search results are sponsored, but users trust that the adverts will direct them to businesses that provide legitimate products and services. Google has many checks in place to prevent abuse of its ad network and conducts stringent verification checks on new ads before allowing them to be displayed; however, malicious actors are able to circumvent these checks.

One technique that malicious actors deploy to get their malicious adverts displayed is to create a clone of a legitimate website or product and offer a Trojanized version of a product for download on that page. Alternatively, a benign website can be used until verification has taken place and it can then be updated to include malicious content.

These malicious webpages typically offer popular software products such as AnyDesk, TeamViewer, Dashlane, and Malwarebytes software. Since the website used by the scammers looks legitimate, there is a reasonable chance that the malicious software will be downloaded and installed. The user gets the product they were seeking, so they are unlikely to realize anything untoward has happened; however, while the legitimate software is installing, malware is also silently installed. A variety of malware families are being delivered using this method, such as Raccoon Stealer, RedLine, Cobalt Strike, and the IcedID malware loader.

Security-aware individuals may check the domain of the site before downloading any files to make sure it is legitimate, so to make these campaigns more believable, the domains used are very similar to the legitimate domains, often differing by one or two characters or using hyphenated domains relevant to the product being offered – for example.
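The domain check described above can be automated on the defensive side. The following is an added example, not code from the original post or from TitanHQ: it flags candidate domains that are within a couple of character edits of a known product brand, that reuse the brand on a different TLD, or that embed the brand in a hyphenated name. The legitimate domain list is taken from the products named in this article; the candidate domains are constructed for illustration.

```python
"""Flag lookalike and hyphenated brand domains (added example, not the post's code).

The legitimate set below uses the product brands named in the article.
Candidate domains in the usage section are constructed samples.
"""
from typing import Iterable, Set

# Brands the article names; assumed to be the canonical domains for the check.
LEGITIMATE_DOMAINS: Set[str] = {
    "anydesk.com", "teamviewer.com", "dashlane.com", "malwarebytes.com",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _first_label(host: str) -> str:
    """Leftmost label after stripping a leading 'www.'.

    Caveat: a production check should use the Public Suffix List so that
    'brand.co.uk' and 'cdn.brand.com' are handled correctly.
    """
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def classify(candidate: str,
             legitimate: Iterable[str] = LEGITIMATE_DOMAINS,
             max_edits: int = 2) -> str:
    """Return a short verdict string for one candidate hostname."""
    legit = {d.lower() for d in legitimate}
    host = candidate.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in legit:
        return "legitimate"

    label = _first_label(host)
    brands = sorted({_first_label(d) for d in legit})
    best = min(brands, key=lambda b: levenshtein(label, b))
    dist = levenshtein(label, best)

    if dist == 0:
        # Same brand word, but not one of the known-good registrable domains.
        return f"brand {best} on a different TLD"
    if dist <= max_edits:
        # One or two character changes: typosquat / lookalike.
        return f"lookalike of {best} (edit distance {dist})"
    for brand in brands:
        if brand in label and "-" in label:
            # e.g. brand-download.example: brand term inside a hyphenated name.
            return f"hyphenated domain containing brand term {brand}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates; none of these are attributed to any real campaign.
    for host in ["anydesk.com", "anydeks.com", "anydesk.net",
                 "anydesk-download.net", "example.org"]:
        print(f"{host:24} -> {classify(host)}")
```

The edit-distance threshold of two matches the "one or two characters" observation in the text; raising it increases recall at the cost of false positives on short brand names, so a real deployment should also weight by label length and handle Unicode confusables.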

A new campaign has recently been detected that offers the AnyDesk remote desktop application. Google Ads are displayed for related search queries, and the user is directed to an attacker-controlled site where they download an MSI installer. The installer uses PowerShell to download the malware payload, which is then executed via rundll32. Once installed, the malware connects to its C2 server and awaits instructions.
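The process chain described in that paragraph (MSI installer, then PowerShell, then rundll32) is something endpoint telemetry can be checked for. The block below is an added example written for this page, not code from the original post or from TitanHQ: it walks Sysmon-style process-creation records and reports any rundll32 process whose parent is PowerShell and whose grandparent is msiexec. The event records, PIDs, paths and command lines are constructed; the download command line is a placeholder.

```python
"""Detect the msiexec -> powershell -> rundll32 ancestry chain (added example).

The records imitate the fields of Sysmon Event ID 1 (process creation) that
the check needs. They are constructed samples, not telemetry from the campaign.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed sample telemetry (hypothetical PIDs, user name and paths).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Suspicious chain: MSI installer -> hidden PowerShell -> rundll32
    ProcEvent(1200, 400, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\AnyDesk-setup.msi"'),
    ProcEvent(1300, 1200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command <download placeholder>"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\payload.dll,EntryPoint"),
    # Benign chain: MSI installer launching the product it just installed
    ProcEvent(2000, 400, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'),
    ProcEvent(2100, 2000, r"C:\Program Files\Tool\tool.exe", "tool.exe --first-run"),
]

# Parent-to-child image names, in order, that match the loader behaviour above.
CHAIN_PATTERN: Tuple[str, ...] = ("msiexec.exe", "powershell.exe", "rundll32.exe")


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def find_chains(events: Sequence[ProcEvent],
                pattern: Tuple[str, ...] = CHAIN_PATTERN) -> List[List[int]]:
    """Return the PID chains (oldest ancestor first) that match `pattern`.

    Caveat: PIDs are reused on Windows. Real detections should key on a
    unique process identifier such as Sysmon's ProcessGuid rather than PID.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[List[int]] = []
    for event in events:
        if _basename(event.image) != pattern[-1]:
            continue
        chain = [event.pid]
        current = event
        matched = True
        # Walk up the parent links, expecting each earlier pattern element in turn.
        for wanted in reversed(pattern[:-1]):
            parent = by_pid.get(current.ppid)
            if parent is None or _basename(parent.image) != wanted:
                matched = False
                break
            chain.append(parent.pid)
            current = parent
        if matched:
            hits.append(list(reversed(chain)))
    return hits


def describe(events: Sequence[ProcEvent], chain: List[int]) -> str:
    """Human-readable one-liner for an alert."""
    by_pid = {e.pid: e for e in events}
    return " -> ".join(f"{_basename(by_pid[p].image)}({p})" for p in chain)


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print("ALERT:", describe(SAMPLE_EVENTS, chain))
```

The benign second chain shows why the whole ancestry is required: msiexec spawning a child is normal installer behaviour, and PowerShell alone is noisy, but msiexec launching PowerShell that in turn launches rundll32 is a narrow enough pattern to alert on with a low false-positive rate.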

The malware – Lobshot – is a financial Trojan and information stealer for Windows systems that was first detected in the summer of 2022. The malware is stealthy, can remain undetected on infected systems, and gives hackers hidden VNC access to Windows devices. The malware is capable of stealing from more than 50 cryptocurrency wallets in popular web browsers, but also allows the hackers to remotely access an infected device and control that device without being detected by the user.

Malicious actors are increasingly using Google Ads for malware distribution, as well as search engine poisoning. The latter involves using search engine optimization techniques to get malicious websites to appear high up in the organic search engine listings for key business search terms, such as searches for business software and contract and agreement templates.

Businesses can protect against malware downloads via the web by using a web filter. Web filters will block access to known malicious URLs and can be configured to block specific file downloads from the internet, such as executable files, thereby preventing unauthorized software installations. They can also be used to carefully control the websites that employees can access when on or off the network.

For more information on Internet content control and web filtering, give the TitanHQ team a call. WebTitan is available on a free trial to allow you to test the product in your own environment before making a decision about a purchase.

Effective Healthcare Cybersecurity Awareness Training

Healthcare cybersecurity awareness training is an essential part of HIPAA compliance. The HIPAA Security Rule calls for all HIPAA-regulated entities to “Implement a security awareness and training program for all members of its workforce (including management).” The HIPAA Security Rule implies that security awareness training should be ongoing, and the HHS’ Office for Civil Rights has confirmed this in its cybersecurity newsletters and guidance.

What the HIPAA Security Rule does not specify is the content of training courses. This stands to reason, as the speed at which technology is advancing far outpaces legislative processes. Any specific training requirements would quickly become dated. Instead, it is left to the discretion of each HIPAA-regulated entity what healthcare cybersecurity awareness training should entail, and that should be guided by a risk analysis.

The provision of healthcare cybersecurity awareness training should not be viewed as a checkbox item to ensure HIPAA compliance and avoid a financial penalty from the HHS’ Office for Civil Rights. Training really does make a difference and can greatly improve resilience to cyberattacks. The Verizon Data Breach Investigations Report for 2022 indicates 4 out of 5 data breaches in 2021 involved the human element – mistakes by employees that provided hackers with a foothold in the network or exposed sensitive data to unauthorized individuals. Healthcare cybersecurity awareness training will not prevent all of those breaches, but it will go a long way toward improving awareness of risks and eradicating risky behaviors.

Security awareness training should cover cybersecurity basics, from the importance of not remaining logged in when leaving a computer unattended to setting strong passwords, and the risks of unauthorized app installations, emails, and Internet risks. Employees should be made aware of the extent to which they are being targeted and the consequences of cyberattacks and data breaches, making sure that everyone understands that cybersecurity is a patient safety issue.

Healthcare cybersecurity awareness training also needs to cover the specific threats that employees are likely to encounter, with phishing one of the most vital components since it is one of the most common ways that cybercriminals gain access to healthcare networks. Training modules are important for teaching the theory, but when it comes to phishing, employees need to be given practice at recognizing phishing attempts, and the easiest way to do that is through phishing simulations.

Phishing simulations are not about catching employees out, they should be conducted as part of the training process to give employees practice at recognizing phishing and should include a range of difficulties. Simulations also help the IT department to discover the types of emails that are fooling employees. When employees are tricked by simulations, they can be provided with a short refresher training module that explains how the email could have been recognized as malicious. The next time that type of email is received, there will be a much better chance it will be identified and avoided. Providing on-the-spot training in response to these failures is vital, as that is the moment when the training is likely to be most effective.

TitanHQ’s SafeTitan platform is a comprehensive training platform covering all aspects of security that is delivered through computer-based training sessions. The modules take no longer than 10 minutes each to maximize knowledge retention, and modules can be chosen for individuals, groups, and departments to ensure the training is relevant to each individual’s role. The platform includes behavior-driven training in response to security mistakes, with content automatically generated when mistakes are made, for real-time intervention training. The training content includes training sessions, videos, and quizzes and has been developed to be enjoyable and entertaining, as well as informative, and the content is regularly updated to incorporate emerging threats.

You will not be able to develop a security culture overnight, but through ongoing training and regular phishing simulations, the security awareness of the workforce will improve. Training data from the SafeTitan platform and the phishing simulator show that organizations can reduce susceptibility to phishing by up to 92% through regular training.

For more information on the SafeTitan platform, for a product demonstration or to sign up for a free trial, contact the TitanHQ team today.

Major Phishing Campaign Targets Facebook Credentials

While many phishing scams target Microsoft 365 credentials due to the usefulness of the accounts and the data they hold, social media credentials are also highly prized. If a phisher is able to steal Facebook credentials, they can gain access to valuable personal information, and the accounts can be used for conducting further scams. Accounts can be put to use distributing malicious posts, conducting phishing attacks on the user’s contacts, and distributing malware. Further, since password reuse is incredibly common, a scammer could use the compromised credentials to try to access other platforms with the same username and password combination. The password for a social media account can be changed and the account holder issued with a ransom demand for the return of the account; for individuals heavily reliant on social media for income, that could see the ransom paid.

One such campaign is currently being conducted using thousands of fake Facebook profiles with a view to stealing the Facebook credentials of legitimate account holders. The campaign has been active for at least two months and is ongoing. Researchers at Group-IB have been tracking the campaign and have so far identified more than 3,200 fake profiles that are being used for the campaign, which targets Facebook users in more than 20 languages.

The fake Facebook accounts impersonate Meta and use Facebook’s parent company’s logos in their profiles, posts, and phishing pages that users are directed to. More than 220 phishing sites have been identified that are associated with this campaign and more are being added. When Meta/Facebook detect these fake profiles and sites they are rapidly taken down, but the huge numbers of accounts and phishing sites used in this campaign ensure the scammers can keep the campaign running at scale.

Victims are tricked into clicking the link in a post or direct message that directs them to a Meta-branded webpage where they are prompted to log in using their Facebook credentials. If the credentials are disclosed, they are used to access the user’s account. Scammers also access accounts by stealing cookies in session hijacking attacks.

The primary goal is to hijack the Facebook accounts of prominent individuals such as celebrities, businesses, and sports teams, as these accounts have the greatest value and can be used to reach large numbers of individuals. One tactic observed by the researchers involves renaming a compromised account to make it appear that it is an official Meta account, and using words like account, recovery, retrieval, and other similar terms. The account is then used for posts that will appear in the news feeds of platform users that follow the compromised account. The bigger the brand name or popularity of the celebrity, the greater the reach. The posts are often signed as Meta Business Service or a similar name to make it appear that the account is owned by Meta.

Facebook users can reduce the risk of falling victim to these attacks by ensuring that 2-factor authentication is enabled for accounts. If they fall for a phishing scam, this provides an extra level of protection to prevent their credentials from being used to access their accounts. This is especially important for businesses to protect their corporate accounts, as they are the accounts that are being sought by the scammers.

Social media networks can be a huge productivity drain for businesses and can expose businesses to risks, such as malware infections and phishing. Despite the well-known risks of password reuse, many individuals use the same passwords for their work and personal accounts, so if they fall for a scam their password could also provide access to their work accounts. Many businesses place restrictions on social media use by employees by using a web filter to block access to the sites on work computers. With WebTitan, this can be done with a click of a mouse. WebTitan also allows social media use to be controlled by placing time-based restrictions on the sites, such as blocking access during working hours or busy times. WebTitan also allows partial blocking, such as allowing access to Facebook but blocking access to Messenger.

If you would like to restrict employee access to the Internet with precision, are interested in finding out more about improving your defenses against Internet threats, or would like to improve the security awareness of your workforce through training, give the TitanHQ team a call.