Phishing is one of the main ways that malicious actors distribute and install malware. Phishing emails are sent to users with attachments containing malicious code or hyperlinks are included in the emails that direct users to a website where malware is downloaded. Businesses should ensure they implement layered defenses to combat phishing, which should include an advanced spam filter such as SpamTitan, multifactor authentication for email accounts, security awareness training for employees to teach them how to recognize and avoid phishing emails, and a web filter for blocking access to the malicious websites where the malware is hosted.
A web filter also provides protection against another common attack vector – The use of search engine advertisements for driving traffic to malicious websites. This attack vector is commonly referred to as malvertising, and it is currently being used by threat actors to distribute ransomware and for stealing login credentials for cryptocurrency exchanges and financial accounts. The Federal Bureau of Investigation (FBI) has recently issued a warning about the use of malicious search engine advertisements due to the increase in the use of this attack vector this year.
One of the main problems for threat actors looking to drive traffic to their websites through search engines is getting their websites to rank sufficiently high in the search engine listings to attract enough visitors. Using search engine advertisements gets around this problem. Threat actors pay for search engine advertisements that appear at the top of the search results for specific search terms. The adverts they use mimic legitimate businesses and offer services related to a specific search term, with the adverts containing a link to the threat actor’s website. These adverts are difficult to distinguish from the actual search results.
The web pages linked in the adverts impersonate businesses and often host phishing kits for harvesting credentials. Financial institutions are impersonated to obtain credentials to access online accounts; however, most commonly, these phishing scams impersonate cryptocurrency exchange platforms. Malicious adverts are also used to direct traffic to websites hosting malware. The adverts used to deliver malware usually offer downloads of business software. The advertised software looks legitimate, and in some cases, a legitimate program will be installed, but malware is also bundled with the installer that gives the attacker access to the user’s device. Since the user gets the software they are looking for, they are unaware that their device has been compromised. One recently identified campaign impersonated the GIMP image editor and was used to deliver the Vidar information stealer. Other campaigns have been used to distribute ransomware, often via another malware variant with dropper capabilities.
A web filter – such as WebTitan – helps businesses to protect against these malicious adverts by providing time-of-click protection. When a user clicks a link in a search engine advert, the URL is checked against a constantly updated blacklist of malicious URLs. If the URL is known to be malicious, the attempt to connect to the URL will be blocked and the user will instead be directed to a local block page. If the URL is not in the blacklist and has not previously been assessed, it will be assessed in real-time. Businesses can also use a web filter to block access to certain categories of websites, such as those offering software, and the web filter can be configured to block downloads of certain file types such as executable files. This also helps businesses to block shadow IT – Software downloaded by employees that has not been authorized by the IT department.
Malicious adverts should be covered in security awareness training. Users should be told about the dangers of clicking adverts and instructed to carefully check URLs for any typos or transposed letters before clicking. It is important to stress that the URL listed in the advert may appear to be a legitimate URL, with the threat actor using redirects to send a user to their malicious URL. Employees should therefore be encouraged never to click adverts in search engines, and to instead either type the website of the company they are looking for in the address bar of their browser or find the legitimate website of that company in the organic search engine listings. Businesses should also consider using an ad-blocker to prevent advertisements from being displayed.