Email & Web Spam

Our news section dedicated to email & web spam highlights many scenarios in which organizations – and individuals within organizations – act on fraudulent communications sent via email or presented to them on a hacked website. The news items report not only cyberattacks launched via email and the web, but also on the damage that is caused and the consequences of the attack.

Trends in email & web spam attacks are also identified within our news items, plus information on how many of the attacks can be avoided – typically with an email spam filter and/or a web content filter. If yours is an organization at risk from email & web spam, we recommended that you speak with one of our technical sales team today.

Terdot Trojan Steals Banking Credentials and Hijacks Social Media Accounts

The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.

The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.

The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.

Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.

The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.

Aside from social media infections, the Trojan is distributed via phishing emails. One such spam email campaign includes buttons that appear to be PDF files, although a click will launch JavaScript which starts the infection process. However, Bitdefender researchers note that the primary infection vector appears to be the Sundown exploit kit – exploiting vulnerabilities in web browsers.

Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.

“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.

Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.

Spam filtering software should be used to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly advisable to block access to webpages known to host malware and exploit kits. Even with powerful anti-virus, web filters, and spam filters, employees should be trained to be more security aware. Regular training and cybersecurity updates can help to eradicate risky behavior that can lead to costly malware infections.

Combosquatting: Study Reveals Extent of Use of Trademarks in Web Attacks

Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.

Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.

Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.

The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.

The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.

For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identifed combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.

The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.

The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.

End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.

First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”

In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had been previously purchased by hackers, had been re-bought by other scammers when they came up for renewal.

Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLS are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.

Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.

The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.

Health Tips Used as Lure in Smoke Loader Malware Malvertising Campaign

Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.

Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.

Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity has fallen considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit it is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.

The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.

Fake advertisements are frequently used to lure users to the malicious sites, although the latest campaign is using weight loss promises and help to quit smoking to attract clicks. Obfuscated JavaScript is incorporated into adverts to redirect users to malicious websites hosting the Terror exploit kit.

Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: A scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also attempted.

Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.

Smoke Loader malware is a backdoor that if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and Globelmposter ransomware.

To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.

For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.

The Rapid Evolution of Ransomware

There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.

The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.

The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.

Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.

Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.

Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.

The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.

The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years

  • Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
  • Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
  • Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
  • NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
  • CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
  • Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
  • KeRanger: One of the first ransomware strains to target Mac OS X applications.
  • Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
  • TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications
  • HDDCryptor: A ransomware variant that targets network shares, file, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk
  • CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat
  • ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives
  • WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.

Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.

In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 321 approach to ensure you can recover files without paying the ransom – Make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.

Rising Popularity of Ransomware-as-a-Service is More Bad News for Businesses

Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.

Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.

In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required, affiliates simply enter in their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.

With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.

For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.

There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.

A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.

The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.

Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.

For further information on spam and web filtering, contact the TitanHQ today.

Equifax Breach Victims Directed to Phishing Website

The cyberattack on Equifax affected almost half the population of the United States. 143 million U.S. consumers potentially had their sensitive data stolen by hackers, as did around 400,000 individuals in the United Kingdom and 100,000 consumers in Canada.

To notify victims of the Equifax data breach by mail would have been a monumental and incredibly costly task. Instead, Equifax set up a website where breach victims could check to see if their data had been exposed and also register for free credit monitoring and identity theft protection services.

The official website used for this purpose is equifaxsecurity2017.com. Visitors to the website are required to enter some personal information as identification – the last six digits of their Social Security number and their full name.

That site then directed visitors to a second site, Trustedidpremier.com – which, it has to be said, does seem somewhat phishy. The site is owned by Equifax, with the name taken from its identity theft protection service, but the site did not mention Equifax, which led to many consumers questioning whether the site was real.

These choices gave phishers with a gilt-edged opportunity to take advantage. By registering a website similar to that used by Equifax, it would be possible to fool many U.S. consumers into revealing their sensitive information. For instance, instead of asking for the last six digits of the Social Security number, criminals could ask for the full SSN, along with a date of birth and a full name. If the fake website had official Equifax logos, many consumers would be fooled.

If Equifax had put the information on a subdomain of its official website, it would be easy for consumers to verify that they were on the correct site. The decision to use a new website for this purpose has made it too easy for scammers to take advantage.

There have already been many fake Equifax domains registered and used for phishing. While these sites are being identified quickly and shut down, during the time they are online they can be used to capture large volumes of sensitive information. Some of the recently registered domains featured transposed letters and common misspellings, such as replacing the y with a u to catch out careless typists.

However, it is not only bad typists that could be fooled by such a scam. One fake site – securityequifax2017.com – was registered that would likely fool many consumers. Such a site should also have been purchased by Equifax to prevent it being purchased by a scammer.

Fortunately, the website had been purchased by a software developer called Nick Sweeting specifically to demonstrate how easy it would be to take advantage. It was made clear on the site that the website was fake, and was not actually being used for phishing, only to raise awareness of the risk of similar sites being purchased by phishers.

However, so realistic was the site that it even fooled one Equifax employee. On at least eight occasions, that individual Tweeted the fake domain via the official Equifax Twitter account. The incorrect link was tweeted on at least 8 occasions according to Sweeney.

The fake site has since been blocked and taken offline; however, for two weeks the site was active. Had this been a real Equifax phishing website, many consumers could have been fooled.

Beware of Hoeflertext Warnings: Popups Used to Deliver Ransomware

Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.

Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.

Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.

Clicking on the update button will not install a font pack, instead it will launch a download of a JavaScript script file – Win.JSFontlib09.js. If that file is saved and opened, it will download Locky ransomware onto the user’s device.

This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently both Palo Alto Networks and SANS Internet Storm Center have both report it is being used in a new campaign.

Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.

The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.

The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.

Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users do not have the popups displayed, instead they are presented with a fake anti-virus alerts linked to a tech support scam.

The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.

New Facebook Messenger Malware and Adware Campaign Detected

A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.

The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with that link pointing to Google Docs. Since Facebook Messenger is used with Bitly URLs it is hard for users to determine that the links are not what they seem.

Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.

Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.

The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”

While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.

This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.

Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.

What is the Cost of a Malware Attack? $300 Million for Maersk

The cost of a malware attack is difficult to predict. There are many factors that affect the cost. The type of malware, whether data were stolen, the extent of the infection, how easy it is to mitigate, and how much business is lost while the infection is resolved. For many companies, the customer churn rate increases after a cyberattack, and certainly one in which sensitive data are stolen.

For Maersk, the NotPetya attack did not result in any theft of customer data. Consequently, there was no need to pay for credit monitoring services or mail breach notification letters to customers – Two additional and sizable costs associated with a malware attack. That said, the cost was considerable. Maersk has estimated the NotPetya wiper attack has cost as much as $300 million.

NotPetya was initially thought to be ransomware. The malware had a number of similarities to Petya ransomware – The malware overwrote and encrypted the master file table and a ransom demand was issued. However, in the case of NotPetya, paying the ransom would not result in keys being sent to unlock the encryption. The purpose of the attack was sabotage. The attackers had no intention of providing keys and allowing firms to recover their data.

For A.P. Møller – Maersk, the consequences of the attack were considerable. After its systems were taken out of action, the company was unable to load and unload its cargo ships in ports around the world. Many ships had to be rerouted as a result of the attack. Systems had to be rebuilt and the firm suffered considerable disruption while the infection was resolved.

A Model Response to A Cyberattack

Maersk was extremely quick to announce it had been attacked. The attacks occurred on June 27, 2017 and Maersk announced the following day that it had been affected. The company also maintained transparency throughout the following days and weeks while it attempted to recover, giving frequent updates on its progress in resolving the infection. The transparency has been applauded, with many security experts saying the company executed a model breach response. Not all companies were nearly as transparent.

The company recently issued an interim statement explaining how severe the attack was and how it would dent profits saying, “Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million.”

Nuance Communications was also affected, and similarly gave frequent updates to its customers on the impact of the attack and its efforts to resolve the infection. That communication undoubtedly reduced customer churn, although with its systems taken out of action for more than three weeks, many customers were forced to seek alternate vendors. Whether they will return remains to be seen. Nuance believes its Q2 profits are down about $15 million as a result of the attack, although losses are likely to be ongoing and the attack will certainly affect its Q3 profits. The manufacturer Reckitt Benckiser has estimated the NotPetya attack has cost the company around $129 million in lost revenue.

These are just three large companies to have disclosed the cost of the malware attack. Logistics firm TNT suffered considerable disruption as a result of the attack, as did FedEx, Mondelez, Merck, Heritage Valley Health System, WPP, Rosneft, DLA Piper, Saint-Gobain and many firms in Ukraine – the country worst affected by the attacks. The total cost of these malware attacks will certainly be measured in billions.

The Ponemon institute calculated the average cost of a malware attack that results in a data breach to be $3.62 million. This malware attack clearly shows the devastating effect of a malware attack and why it is so important for companies to invest improving policies, procedures and cybersecurity defenses.

New Disdain Exploit Kit Being Rented on the Cheap on Darknet Forums

Exploit kit activity has fallen considerably since last year, but new variants are being developed, one of the latest being the Disdain exploit kit.

An exploit kit is a web-based toolkit capable of probing web users’ browsers for vulnerabilities. If vulnerabilities are discovered, they can be exploited to silently download ransomware and malware.

All that is required for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or out of date plugin. Currently, the author of the Disdain exploit kit claims his/her toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx – Namely, CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high chance of success.

No malware distribution campaigns have so far been identified using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are conducted. The Disdain exploit kit has only just started being offered on underground forums.

Fortunately, the developer does not have a particularly good reputation on the forums, which is likely to slow the use of the exploit kit. However, it is being offered at a low price which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts being offered for weekly and monthly use. The Disdain exploit kit is being offered for considerably less than some of the other exploit kits currently being touted on the forums, including the Nebula EK.

All that is required is for someone to rent the kit, provide the malicious payload, and direct traffic to the domain hosting the Disdain exploit kit – such as via a malvertising campaign or botnet. The price and capabilities of the EK mean it has potential to become a major threat.

Protecting Your Business from Online Threats

Cybercriminals may be favouring spam email over exploit kits for delivering malware, although the threat of web-based attacks should not be ignored. To a large extent, good patch management practices can reduce the risk of exploit kit attacks, although not entirely. Exploit kits are frequently updated with new vulnerabilities for which patches have yet to be released. If end users are directed to domains hosting exploit kits, malware and ransomware downloads can be expected.

Along with prompt patching, businesses should consider implementing a web filtering solution. A web filter can be configured to carefully control the websites that end users can visit. A web filter will block access to all webpages known to host malware or contain exploit kits. Risky categories of website, which end users have no work purpose for visiting, can also easily be blocked reducing the risk of phishing attacks and improving employee productivity.

An appliance-based web filter can be costly to implement and can have a negative effect on Internet speed. A DNS-based web filter on the other hand requires no hardware purchases and has no latency. Internet speed is unaffected. Since a web filter can also be used to restrict access to websites that take up a lot of bandwidth, Internet speeds for all can actually improve.

WebTitan Cloud – and WebTitan Cloud for WiFi – are DNS-based web filtering solutions for enterprises that allow precision control over the sites that can be accessed by end users and offer excellent protection against web-based threats such as exploit kits and phishing websites.

The solutions require no hardware purchases, no software downloads, there is no latency, and they are highly scalable. Implementing and configuring the solutions is quick and easy and they require minimal maintenance.

WebTitan is also ideal for MSPs, being available in full white-label form with a choice of hosting options – including hosting in an MSPs environment.

If you want to improve the productivity of your workforce and effectively manage online threats – or offer web filtering to your clients – contact the TitanHQ team today to discuss your options and register for a free trial.

Mamba Ransomware Attacks Resume

In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.

It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.

Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.

Once installed, the malware forces a reboot of the system and modifies the Master Boot Record and encrypts disk partitions and reboots again, this time victims are presented with a warning screen advising data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.

The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.

The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.

It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.

Businesses can enhance their defences against this and other malware variants by implementing WebTitan.

WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.

2017 Sees Huge Rise in Malware Attacks on Schools

2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.

Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.

Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.

Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.

Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.

The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.

Major Malware Attacks on Schools in 2017

Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.

Minnesota School District Closed for a Day Due to Malware Attack

Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.

Swedesboro-Woolwich School District Suffers Cryptoransomware Attack

The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.

The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”

Los Angeles Community College District Pays $28,000 Ransom

Ransomware was installed on the computer network of the Los Angeles County College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.

Calallen Independent School District Reports Ransomware Attack

The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.

Preventing Malware and Ransomware Attacks on Schools

Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.

Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.

By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.

TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware

TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.

WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.

SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.

To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.

Secure WiFi Access for Shops to Attract More Repeat Business

Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.

With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.

Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.

The Risks of Unsecured WiFi Networks

If retailers provide free WiFi access in store it helps to attract more foot traffic, individuals are encouraged to stay in stores for longer, they have access to information and reviews about products and studies have shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than 6 out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.

Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.

Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.

Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.

Secure WiFi Access for Shops Brings Many Benefits

The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improves the image of your brand. It is also likely to result in positive online reviews.

Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your consumers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers browsing habits.

The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.

WebTitan – Secure WiFi Access for Shops Made Simple

Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.

WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.

To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.

Family-Guard Saves Tens of Thousands of Dollars by Deploying WebTitan Cloud for WiFi

Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.

Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.

However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.

The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.

Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.

While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”

WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.

“For our technical staff, it reduced the time spend on support calls as the number of support calls reduced dramatically almost immediately,” the solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customers location so issues that previously occurred regularly are now avoided.”

It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family Guard has enjoyed savings of more than $10,000.

Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.

Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.

For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.

WebTitan at the Kaseya Connect Europe User Conference

The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.

The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.

Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.

The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.

Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.

Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.

TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.

WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.

SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.

Both solutions are provided as white labels with a range of hosting options, including hosting within an MSPs own environment.

Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.

“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leader, said Sabine Link, vice president, customer success for Kaseya” Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”

The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.

RoughTed Malvertising Campaign Impacts 28% of Organizations

The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.

Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes or are used for a variety of scams.

Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.

The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.

It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign can get around these controls and can bypass ad blockers ensuring adverts are still displayed.

A web filtering solution can be useful at preventing categories of websites from being accessed that commonly host malicious adverts – sites hosting pornography for example – although due to the wide range of websites that display third party adverts, it would not be possible to eradicate risk. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.

Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.

In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.

If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.

Internet Filtering Controls for Public WiFi Hotspots Promoted in New Friendly WiFi Campaign

The sharp rise in the use of smartphones by children and the increase Internet access points has prompted Friendly WiFi to launch a new campaign to promote the adoption of Internet filtering controls for public WiFi hotspots.

Businesses in the UK are being encouraged to implement web filtering controls to ensure children can connect their WiFi networks without being exposed to potentially harmful material.

Friendly WiFi is a government initiated scheme launched in 2014 to promote Internet filtering controls for public WiFi hotspots. Businesses that filter the Internet and block inappropriate content from being accessed via their WiFi networks can display the digital Friendly WiFi banner. This banner lets parents know their children can connect to the Internet safely.

Friendly WiFi is the only scheme of its kind in the world. The main aim of the initiative is to make the UK the safest place in the world for children to venture online. When the scheme was launched in 2014 there were 5.6 million WiFi hotspots in the UK; however, that number is estimated to triple by the end of next year.

A recent study has shown that nearly half the population of the UK uses public WiFi hotspots and research suggests more than 40% of children aged between 5 and 15 now have a smartphone and connect to the Internet. The growth in hotspots and smartphone usage among children makes it more important than ever for public WiFi hotspots to have harmful content filtered out.

Figures supplied by Friendly WiFi suggest the number of WiFi access points around the globe is likely to increase to 432.5 million by 2020, which represents a 700% increase from 2015. Even though many of these WiFi networks can be accessed by minors, fewer than half of those hotspots have internet filtering controls in place.

In the UK the use of Internet filtering controls for public WiFi hotspots is growing. Major high street names such as Starbucks and Tesco have already adopted Internet filtering controls, as have McDonalds and IKEA and many small businesses. The aim of the latest Friendly WiFi campaign is to accelerate adoption of Internet filtering controls.

To be able to display the Digital Friendly WiFi symbol, businesses must implement Internet filtering controls for public WiFi hotspots to block all websites and web pages that display pornographic content. Businesses must also block all webpages containing child pornography using the blacklist maintained by the Internet Watch Foundation. Organizations must also prevent advertisements or links to such content from being displayed.

Bev Smith, director of Friendly WiFi said “Now is the right time for all businesses which provide public WiFi to prove they take the same care for their customer’s online safety as they do for their physical wellbeing.”

New Report Shows Changing Trends in Phishing

The Anti-Phishing Working Group (APWG) has recently released a new report showing the changing trends in phishing in 2016. The report provides interesting insights into how cybercriminal activity is changing and the attack methods most commonly used by cybercriminals to fool end users into installing malware or revealing their login credentials.

The report uses data from more than 250,000 phishing attacks that were detected between 2015 and 2016; clearly showing some of the new trends in phishing and how phishers have been conducting their attacks. The report is focused on phishing rather than spear phishing, with the latter involving highly varied targeted attacks on specific individuals in an organization.

Phishing emails often contain malicious email attachments with scripts and macros used to silently download malware onto end users’ computers. However, the report shows there was a major increase in phishing domains in 2016 with criminals registering more domains than ever before. Phishing attacks also reached record levels last year. Phishing is now the number one cyber threat faced by organizations.

APWG says that almost half of new top-level domains that were available for open registration in 2016 were used for phishing. APWG suggests the increase in malicious domain registrations demonstrates that domain registrars are struggling to detect and take down malicious domains.

While it was previously thought that phishers registered domains for immediate use in phishing attacks, the study suggests domains are most commonly held for up to three weeks before they are used.

Phishing attacks were failry evenly split between domains registered by phishers and compromised websites. One in 20 attacks used a subdomain for phishing, with the number of attacks using subdomains continuing to fall. See here for phishing examples.

Brand spoofing is becoming increasingly common, with major brands are now experiencing thousands of phishing attacks a year. However, the number of targeted brands in 2016 fell to 679 from 783 the previous year. The most targeted brands – which experienced three quarters of attacks – were Apple, PayPal, Yahoo and Taobao.com. Each experienced more than 30,000 attacks each in 2016.

2016 saw a 10% increase in unique phishing attacks, rising from 230,280 in 2015 to 255,065 attacks in 2016. Those attacks were spread across 195,475 unique domain names – the most domains ever detected and almost three times the number used in 2015. While a variety of TLDs are used for phishing websites, 75% involved just four TLDs – .com; .cc, .pw and .tk. APWG says 90% of phishing domains are spread across just 16 TLDs.

Attacks in 2016 were spread across a wide range of industries although 92% of attacks affected four industries:  eCommerce & software/SaaS (30%), banking and finance (25%), social networking/email (19%) and money transfer firms (18%).

Astrim Exploit Kit Now Delivering Mole Ransomware

The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrim exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.

Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.

However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.

In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.

The gang behind the Astrim exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.

Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware and the Astrim exploit kit is also attempting to fill the void. Trend Micro reports that the Astrim exploit kit has been updated on numerous occasions in 2017 and is very much active.

The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.

An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.

However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.

With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.

Retail Industry Data Breaches Most Common with U.S. Companies Heavily Targeted

The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.

In 2016, corporate and internal networks were the most commonly breached systems although there was a marked increase in POS system breaches, which are now the second most targeted systems accounting for 31% of all reported breaches. Last year, POS data breaches only accounted for 22% of the total. POS data breaches were most common in the United States. In 2015, E-commerce platforms were heavily targeted accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.

Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.

The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.

Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.

The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.

Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.

Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.

The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.

A recent Ponemon Institute study suggest data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.

Fear of WannaCry Being Exploited to Push Fake Antivirus Apps

Following the massive WannaCry ransomware attacks there has been heightened interest in cybersecurity products. Marketers have capitalized on the fear of an imminent attack to increase downloads of fake antivirus apps.

The apps are sold to worried users promising to protect them from WannaCry and other ransomware threats. In some cases, a free scan is offered that reveals the user’s device is already infected with any number of malicious programs. Installing the app will allow users to rid their device of the malicious software.

In many cases, the fake antivirus apps misreport infections to scare users into buying and installing an unnecessary app. Some of those apps will offer no protection whatsoever, but others are more sinister. Many of the new fake antivirus apps that are sneaking their way into the Google Play store are far from benign. PUPs, Trojans and adware are packaged with the apps. Users download the fake antivirus apps to protect themselves against malware, when the reality is downloading the app results in infection.

A study of antivirus apps has recently been conducted by RiskIQ. The firm discovered almost 6,300 antivirus apps that were either an antivirus solution, reviews of antivirus software or were otherwise associated with an antivirus program. More than 700 of those apps triggered blacklist detections on VirusTotal, with many of the apps coming packaged with malware.

131 of the 655 antivirus apps on the Google Play Store triggered blacklist detections. Many of the apps are no longer active, although 55 out of 508 active AV apps on the Google Play Store were blacklisted. In total, 20% of blacklisted antivirus apps were in the Google Play store with 10.8% still active.

RiskIQ reports that some of the blacklisted apps are false positives and not all of those apps are bundled with malware. However, many of the apps were rated as malicious by multiple AV vendors and were not all they claimed to be.

While it is important to have antivirus software on mobile devices, users should exercise caution when downloading any app. Just because an app claims to protect you and your device, it does not mean that it will do as it says. Downloading the app could even result in infection.

Users can reduce the risk of downloading a fake antivirus app by only using official app stores such as Google Play, but additional checks should be performed. An app should not be installed if the developer is using a free email address such as Gmail or Outlook. RiskIQ recommends checking the descriptions of the apps, specifically looking for spelling mistakes or grammatical errors. The app should ideally be checked against VirusTotal to see if it raises any red flags and users should carefully check the permissions requested.

Fireball Malware: 250 Million+ Infections and Rising

Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.

The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”

Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.

The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.

The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.

Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.

The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.

Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.

HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with a SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.

Purple Protects Customers with TitanHQ’s WebTitan WiFi Content Filtering Solution

TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple.  Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.

The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.

WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.

As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.

Purple explained those requirements to TitanHQ, which was able respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

TitanHQ was able to respond rapidly roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ has its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”

WannaCry Ransomware Attacks Halted… Temporarily

The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe.  The massive ransomware campaign saw 61 NHS Trusts in the UK affected.

As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.

The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.

The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.

This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.

For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.

The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.

Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.

The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.

There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.

Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.

Mac Malware Warning Issued: Handbrake for Mac App Infected with RAT

A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.

A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.

A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 change of infection if they downloaded the app between the above dates.

Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.

Apple has now updated its OSX’s XProtect to detect and remove the infection although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.

Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.

The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.

Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.

The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk.  Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment.  The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.

New Locky Ransomware Attacks Use Techniques Similar to Dridex Malware Campaigns

Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.

It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.

That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.

The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.

New Infection Method Used in Latest Locky Ransomware Attacks

The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.

The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.

If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.

The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.

The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.

The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more that the ransom payments demanded when Locky first arrived on the scene just over a year ago.

One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.

Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.

Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.

Mac Malware Infections Increased by 700% in 2016

Windows-based systems are far more likely to be infected by viruses and malware; however, Mac users are far from immune to malware infections. A new report from McAfee suggests Mac malware infections increased substantially in 2016. Malware instances rose by a staggering 700% in the space of just one year.

The Threats Report by McAfee Labs shows that its anti-virus solutions detected and prevented 460,000 Mac malware infections in the final quarter of 2016 alone. That is a significant jump from the previous quarter when 150,000 Mac malware infections were detected and blocked – a rise of 247% from Q3 to Q4.

Compared to the number of infections of Windows based systems, the number of mac malware infections is still very low. McAfee detected more than 600 malware samples on Windows devices and 15 million attempted virus attacks on Android devices. At its highest, Mac malware infections were at 1.3% of the level seen on Windows-based devices.

However, the rise in Mac malware attacks should not be ignored. While Mac users are far better protected against malware attacks than Windows users, they should not be complacent. Cybercriminals are now developing more malware to target Mac users and they are no longer content with attacking Windows devices.

McAfee reports that malware developers are increasingly tailoring their malicious software to be capable of attacking multiple platforms. As more consumers and businesses use Macs and other Apple devices, attacks become more profitable. When there is potential for profit, malware developers are quick to take advantage.

The Threats Report indicates much of the new Mac malware is adware, with OSX/Bundlore one of the main malware variants discovered in Q4, 2016. Adware usually comes bundled with legitimate apps, especially apps on non-official stores. Downloading apps from the Mac app store is unlikely to result in infection.

Other forms of Mac malware have also increased in prevalence. As with Windows-based malware, the malware has been developed to steal login credentials and banking details. Remote access Trojans have also increased in number as has Mac ransomware – OSX/Keydnap being a notable example. OSX/Keydnap was bundled with the torrent client BitTorrent and even found its way onto the official download site.

To prevent Mac malware infections, businesses and consumers should be security aware and not take unnecessary risks. Apps should only be downloaded from official stores, security software should be installed, updates to software and apps should be applied promptly and strong, secure passwords should be used.

Philadelphia Ransomware Used in Target Attacks on U.S Healthcare Organizations

A new variant of Stampedo ransomware – called Philadelphia ransomware – is being used in targeted attacks on the healthcare sector in the United States. The ransomware variant is being spread using spear phishing emails.

Spear phishing emails have been detected that incorporate the healthcare organization’s logo along with the name of a physician at the organization. The use of a logo and a name adds credibility to the email, increasing the likelihood of the targeted individual clicking the link and downloading the malicious file. Information about organization’s and details of potential targets can easily be found on social media websites such as LinkedIn.

Cyber security firm Forcepoint analyzed Philadelphia ransomware and detected a string called “hospitalspam” in the encrypted JavaScript. A similarly named directory was also found on the ransomware C2, suggesting a campaign is being conducted that specifically targets the healthcare sector. Forcepoint reports that two hospitals – one in Oregon and one in Washington – have already been infected with the ransomware.

In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious Word macros one of the most popular methods of ransomware and malware infection. The latest campaign, which was identified by Forcepoint, also uses malicious Word documents. However, rather than sending a malicious Word document as an attachment, the emails contain a link to a website where the Word document is automatically downloaded.

As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.

Philadelphia Ransomware Attacks Likely to Increase

Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.

Would-be cybercriminals are able to rent out the ransomware and use it for their own spamming campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, gives a user lifetime use of the ransomware. Affiliates will then be given a cut of any ransom payments they are able to generate.

Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.

Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.

Sundown Exploit Kit Now a Significant Threat

Researchers have identified changes to the Sundown exploit kit. Sundown is now in transition and is being actively developed. It now poses a significant threat.

Exploit kit activity has fallen over the past year as cybercriminals have turned to other methods of infecting end users. Spam email is now favored by many cybercriminals and exploit kit activity has dropped to next to nothing. However, over the past few weeks there has been an increase in exploit kit activity, with the Sundown exploit kit fast becoming a major threat.

Researchers at Cisco Talos report that the Sundown exploit kit has been upgraded and has now matured. While it was once a relatively unsophisticated exploit kit, that is no longer the case. The researchers point out that Sundown is likely to become one of the most widely used exploit kits, taking the place of the larger exploit kits that were used extensively in early 2016.

A number of upgrades have been made to the Sundown exploit kit in recent weeks. The individuals behind the Sundown exploit kit have removed many of the identifiers previously associated with the exploit kit. The exploit kit is now much harder to identify.

The Sundown exploit kit is one of a very small number that have had new exploits added in recent months. Some of the old exploits have also been removed. The actors behind Sundown have also increased the likelihood of infection. In a recent alert, Cisco Talos researchers explain that the exploit kit does not attempt to gain access to a system via a single exploit, instead the Sundown EK uses an extensive arsenal of malware tools to maximize the chance of compromising a system.

While the payload used to be downloaded via the browser, now the exploit kit uses the command line and wscript. A change has also been made to how the malicious payload is downloaded. The payload is now located on a different server to the landing page and exploit kit. The same root domain is used for both, although the subdomains are different.

The actors behind the kit are also purchasing large numbers of established domains, typically domains that are more than 6 months old. Those domains are used for a short time and are then resold. Using older domains allows the attacker to bypass screening controls that blacklist recently registered domains.

The discovery of major updates made to the Sundown EK could indicate there will soon be a major increase in exploit kit attacks. Angler, Neutrino, and Nuclear may have virtually disappeared, but exploit kits still pose a significant threat.

Businesses can protect their endpoints from malware and ransomware infections via exploit kits by using a web filtering solution. A web filtering solution can be configured to carefully control the websites that can be accessed by end users to reduce the risk of infection, and domains known to host exploit kits can be blocked.

For further information on web filtering and protecting end points from malware and ransomware, contact the TitanHQ team today.

Safari Scareware Used to Extort Money from Porn Viewers

A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.

A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.

One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.

This type of Safari scareware is nothing new, although the zero-day flaw that was exploited to display the messages was. The attackers loaded code onto a number of websites which exploited a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.

Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not owned, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.

Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.

MajikPOS Malware Used in Targeted Attacks on PoS Systems of U.S. Businesses

A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.

The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.

MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.

The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some causes leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.

MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.

POS Malware Infections Can be Devastating

A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.

While exploit kit activity has fallen in recent months, the threat has not disappeared and malvertising campaigns and malicious links sent via emails are still used in targeted attacks on U.S retailers.

Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.

POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.

This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.

PetrWrap Ransomware: An Old Threat Has Been Hijacked by a Rival Gang

There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly anything new. It is actually a form of ransomware that was first discovered in May last year. PetrWarp ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.

The criminal organization behind PetrWrap ransomware have taken Petya ransomware, for which there is no free decryptor, and have exploited a vulnerability that has allowed them to steal it and use it for their own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!

Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.

Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.

Kaspersky Lab research Anton Ivenov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”

Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no files are encrypted. While Locky, CryptXXX, and Samsa search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect however is the same. Users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.

Cyberattacks on Educational Institutions in 2017 Paints Bleak Outlook

The financial services sector and healthcare industry are obvious targets for cybercriminals, but cyberattacks on educational institutions in 2017 have risen sharply. There have been a multitude of cyberattacks on educational institutions in 2017, and February is far from over. The list paints a particularly bleak outlook for the rest of the year. At the current rate, cyberattacks on educational institutions in 2017 are likely to smash all previous records, eclipsing last year’s total by a considerable distance.

Why Have There Been So Many Cyberattacks on Educational Institutions in 2017?

Educational institutions are attractive targets for cybercriminals. They hold large quantities of personal information of staff and students. Universities conduct research which can fetch big bucks on the black market.

While some of the finest minds, including computer scientists, are employed by universities, IT departments are relatively small, especially compared to those at large corporations.

Educational institutions, especially universities, are often linked to government agencies. If hackers can break into a university network, they can use it to launch attacks on the government. It is far easier than direct attacks on government agencies.

Cybersecurity protections in universities are often relatively poor. After all, it is hard to secure sprawling systems and huge networks that are designed to share information and promote free access to information by staff, students and researchers. Typically, university networks have many vulnerabilities that can easily be exploited.

Schools are also often poorly protected due to a lack of skilled staff and funding. Further, many schools are now moving to one-to-one programs, which means each student is issued with either a Chrome tablet or a Windows 10 laptop. More devices mean more opportunities for attack, plus the longer each student is connected to the Internet, the more time cybercriminals have to conduct attacks.

Another problem affecting K12 schools is the age of individuals who are accessing the Internet and email. Being younger, they tend to lack awareness about the risks online and are therefore more susceptible to social engineering and phishing attacks. The data of minors is also much more valuable and can be used for far longer by cybercriminals before fraud is detected.

While college students are savvier about the risks online, they are targeted using sophisticated scams geared to their ages. Fake job offers and scams about student loans are rife.

The threat of cyberattacks doesn’t always come from outside an institution. School, college and university students are hacking their own institution to gain access to systems to change their grades or for sabotage. Students with huge debts may also seek data to sell on the black market to help make ends meet.

While all of these issues can be resolved, much needs to be done and many challenges need to be overcome. It is an uphill struggle, and without additional funding that task can seem impossible. However, protections can be greatly improved without breaking the bank.

Major Cyberattacks on Educational Institutions in 2017

There have been several major cyberattacks on educational institutions in 2017, resulting in huge losses – both financial losses and loss of data. Educational institutions have been hacked by outsiders, hacked by insiders and ransomware attacks are a growing problem. Then there are the email-based social engineering scams that seek the tax information of staff. Already this year there have been huge numbers of attacks that have resulted in the theft of W-2 forms. The data on the forms are used to file fraudulent tax returns in the names of staff.

Notable cyberattacks on educational institutions in 2017 include:

Los Angeles Valley College

One of the most expensive cyberattacks on educational institutions in 2017 was a ransomware infection at Los Angeles Valley College. The attack saw a wide range of sensitive data encrypted, taking its network, email accounts and voicemail system out of action. The systems could not be restored from backups leaving the college with little alternative but to pay the $28,000 ransom demand. Fortunately, valid decryption keys were sent and data could be restored after the ransom was paid.

South Carolina’s Horry County Schools

The Horry County School District serves almost 43,000 students. It too was the victim of a ransomware attack that saw its systems taken out of action for a week, even though the ransom demand was paid. While it would have been possible to restore data from backups, the amount of time it would take made it preferable to pay the $8,500 ransom demand.

South Washington County Schools

Hackers do not always come from outside an organization, as discovered by South Washington County Schools. A student hacked a server and copied the records of 15,000 students onto a portable storage device, although the incident was detected and the individual apprehended before data could be sold or misused.

Northside Independent School District

One of the largest cyberattacks on educational institutions in 2017 was reported by Northside Independent School District in San Antonio, Texas. Hackers gained access to its systems and the records of more than 23,000 staff and students.

Manatee County School District

Manatee County School District experienced one of the largest W-2 form phishing attacks of the year to date. A member of staff responded to a phishing email and sent the W-2 forms of 7,900 staff members to tax fraudsters.

Huge Numbers of W-2 Form Phishing Attacks Reported

This year has seen huge numbers of W-2 form phishing attacks on educational institutions. Databreaches.net has been tracking the breach reports, with the following schools, colleges and educational institutions all having fallen for phishing scams. Each has sent hundreds – or thousands of W-2 forms to tax fraudsters after responding to phishing emails.

  • Abernathy Independent School District
  • Argyle School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Ben Bolt Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independence School District
  • Lexington School District 2
  • Manatee County School District
  • Mercedes Independent School District
  • Mercer County Schools
  • Mohave Community College
  • Morton School District
  • Mount Health City Schools
  • Neosho County Community College
  • Northwestern College
  • Odessa School District
  • Powhatan County Public Schools
  • Redmond School District
  • San Diego Christian College
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginian Wesleyan College
  • Walton School District
  • Westminster College
  • Yukon Public Schools

*List updated June 2017

These cyberattacks on educational institutions in 2017 show how important it is to improve cybersecurity defenses.

If you would like advice on methods/solutions you can adopt to reduce the risk of cyberattacks and data breaches, contact TitanHQ today. TitanHQ offers cost-effective cybersecurity solutions for educational institutions to block email and web-based attacks and prevent data breaches.

Phishing Attacks on Law Firms Are Soaring

The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.

Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.

Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moor LLP and Gotshal and Manges LLP.

However, while those attacks were damaging, they arguably caused less harm than the Panama Papers Breach – The largest law firm data breach of the year. That attack resulted in an astonishing 2.6 Terabytes of data being stolen by the attackers – Documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.

While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.

Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – although it will do little to prevent phishing attacks.

A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.

Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.

 

Phishing Attacks on Law Firms

US Ransomware Attacks Quadrupled in 2016

According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.

Half of US Ransomware Attacks Affected Healthcare Organizations

The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.

For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed not only that US ransomware attacks had increased, but also malware infections and accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees is actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.

US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware and 40% of data breaches suffered by companies in the financial services. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.

The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.

Ransomware Attacks on Police Departments Have Increased

Even Police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January, last year, the Midlothian Police Department in Chicago was attacked with ransomware and paid a $500 ransom to regain access to its files.

The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury police department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldboro and Damariscotta) were attacked with ransomware and in December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.

Defending Against Ransomware

Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.

Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not all malicious attachments can be blocked. It is therefore essential to not only provide employees with security awareness training, but also to conduct dummy ransomware and phishing exercises to ensure training has been effective.

Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.

Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.

The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.

Why a Restaurant WiFi Filtering Service is Now Essential

A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.

WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – That hardly makes for a pleasant dining experience.

However, there is another important reason why a restaurant WiFi filtering service should be used. Diners can be protected from a range of web-borne threats while using free wi-Fi networks, but also the computer systems of the restaurant.

Each year, many restaurants discover that their computers and networks have been infected with malware. Malware infections are often random; however, restaurants are now being targeted by cybercriminals.  If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with their debit or credit card could have their credentials sent to the hacker.

Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system will give a cybercriminal a steady source of credit card numbers. Each year, there are many examples of restaurants that have been attacked in this manner. One of the latest restaurant chains to be attacked was Popeye’s Louisiana Kitchen – A multinational chain of fried chicken and fast food restaurants.

Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.

Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of its systems having been compromised. That analysis revealed a malware infection. The information stealing malware was passing credentials to the attacker and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected. Those restaurants were located in Georgia, North Carolina, and Texas. The malware infection has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputation damage for the chain.

Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.

A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers. Something that is increasingly important for parents when choosing a restaurant.

To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFI filtering service for 30 days without charge, contact the TitanHQ team today.

Are You Prepared for a Ransomware Attack?

Are You Prepared for a Ransomware Attack?

It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.

While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.

200 Ransomware Families Now Discovered

As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.

The ransomware families have been catalogued by the ID Ransomware Service; part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.

Not only are new ransomware being developed at an unprecedented rate, the latest variants are even sneakier and have new capabilities to avoid detection. They are also more virulent and capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.

More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.

Massive Campaign Spreading New Locky Ransomware Variant

One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributers are also using a variant of techniques to evade detection.

Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.

There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative Europol and the Dutch National Police force, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.

Ransomware Problem Unlikely to Be Solved Soon

Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.

Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.

Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.

Are you Prepared for a Ransomware Attack?

With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation; which can be considerable.

Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.

An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.

Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: Accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption and there is no guarantee that even if the keys are available that they will be sent through.

Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.

With attacks increasing, there is no time to wait. Now is the time to get prepared.

Top Websites Fail to Prevent Email Spoofing

Many top companies have not done enough to prevent email spoofing using their domains. A new study conducted by security firm Detectify has revealed that many top website domains are wide open to abuse because email servers have been misconfigured or do not use authentication.

Website Owners are Not Doing Enough to Prevent Email Spoofing

Detectify conducted the study to determine how widespread the problem really is. The top 500 Alexa ranked websites were scanned to determine whether vulnerabilities existed that would allow spammers to send spoofed emails from the domains. The Swedish security firm found that fewer than half of the websites tested had configured their email servers correctly. The majority had either misconfigured their email servers or had failed to use authentication, which could prevent email spoofing. 276 of the domains were discovered to be vulnerable. More than half of the most visited websites could therefore be used by spammers to send spoofed emails.

Email spoofing is the sending of emails using a forged email address. This can either be the sending of an email that appears to come from a particular domain – Using a very similar domain name for example – or sending fake emails from the domain itself. In the case of the former, there is little companies can do to prevent this and it is largely down to email recipients to carefully check the sender’s address.

However, organizations can take steps to prevent spammers from sending emails from their own domains. If fake emails are sent from their domains customers may be fooled into thinking the messages are genuine. Criminals use email spoofing for phishing, spearphishing, and malware/ransomware campaigns. It is easier for them to achieve their objective if the message recipients trust the domain from which the email is sent.

How to Prevent Email Spoofing

There are three main ways that companies can address vulnerabilities and prevent domain spoofing. The most common method is to use the Sender Policy Framework, or SPF.  By using this setting the website owner can specify which servers are permitted to send emails using the domain. There are three possible settings – hardfail, softfail, and neutral. To prevent email spoofing, hardfail should be selected. This will reject suspected spam emails and will ensure they are not delivered. If the softfail setting is used, emails will still be delivered although they should be marked as suspected spam. If neutral is used there is no control and all emails will be sent and delivered.

The 276 domains that Detectify discovered were vulnerable had used the softfail or neutral settings. Softfail is often used instead of hardfail to prevent the loss of emails that are incorrectly flagged. However, many free email providers such as Gmail fail to mark messages as spam if the softfail setting has been used.

Detectify recommended that websites use the hardfail setting and also use DMARC – Domain Based Message Authentication Reporting and Conformance. DMARC is a much more reliable way to prevent spoofed emails from a domain.  DMARC creates a link between the email and the domain name. This makes it easier to determine whether an email is genuine or if it just looks real. DMARC also sends reports to advise the domain owner who is sending emails from their domain.

However, only 42% of the websites tested used DMARC, and in many cases, the settings had been configured incorrectly. While SPF and DMARC are not infallible, they can make it much harder for spammers to send spoofed emails.