News about Internet security often focuses solely on the latest threats and vulnerabilities. In addition to reporting hacks, data breaches and exposures, we also include advice about the best practices organizations should adopt to mitigate the threat from malware and other malicious software.
Consequently, we strongly advise individuals and organizations never to reuse a password across accounts, to use long passwords (a password manager makes unique, long passwords practical), and to change any password that may have been exposed in a breach. We also recommend that sensitive online accounts be protected with 2-factor authentication wherever it is offered.
Ideally, organizations should also implement a web filter to prevent users from accessing websites that could compromise Internet security. A web filter can also reduce time lost to non-work browsing and keep offensive content out of the workplace.
A House of Lords report on Internet safety for children calls for ISP web filtering controls to be applied as standard.
The UK government is keen for Internet service providers to apply web filtering controls to make it harder for children to access inappropriate website content such as pornography. In 2013, the UK government called on ISPs to implement web filters as standard. Four of the leading ISPs in the UK – Sky, Talk Talk, BT and Virgin Media – responded and have offered filtering controls to their customers.
However, not all ISPs in the United Kingdom provide this level of content control, and the House of Lords report suggests that many ISP web filtering controls do not go far enough to ensure children are protected. The report explains that the ‘big four’ ISPs only cover 90% of all Internet users, leaving 10% of users without any form of Internet filtering service.
It is also pointed out in the report that only Sky has opted for a default-on web filter to prevent adult content from being accessed by minors. If new customers want to access adult content they must request that the filter be taken off. The other ISPs have made the service available but do not provide a filtered Internet service that is turned on by default.
The new report calls for ISP web filtering controls to be improved and for ISPs “to implement minimum standards of child-friendly design, filtering, privacy, data collection, and report and response mechanisms for complaints.” The House of Lords report also calls for ISP web filtering controls to be put on all accounts by default, requiring users to specifically request it be turned off if required. Further, the report says the default standard of Internet control should offer the strictest privacy protections for users.
Not everyone agrees with this level of control. The Internet Service Provider Association (ISPA) says that such a move is ‘disproportionate,’ and while the association is committed to keeping children safe when online, mandating ISP web filtering controls is not the way forward. For instance, if an ISP makes it clear that it offers an unfiltered service, that should be permitted. Chairman of the ISPA, James Blessing, believes the best way forward is “a joint approach based on education, raising awareness and technical tools.”
While parents will be well aware of the risks their children face when they go online, the House of Lords report does not believe Internet safety education should be left to parents. In addition to making it harder for children to access inappropriate website content, the report calls for mandatory lessons in schools on safe use of the Internet, covering risks, acceptable behavior and online responsibilities.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980s, although at the time cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That is not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the profitability of crypto-ransomware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $209 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – a 771% increase in ransom payments after only three months. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, but the emergence of Locky in February produced an even bigger one, and Locky soon became the ransomware variant of choice. Locky was used in attacks in 114 countries in 2016, cybercriminals continue to tweak it and release new variants, and it has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (whose encryption was defeated in April) and Dogspectus for Android devices, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.
The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.
The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.
An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.
The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.
Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with logins brute-forced until the correct username and password combination was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of putting all of its IoT devices on a single network.
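The symptom that exposed this attack was DNS traffic, so the first detection a practitioner would want is a query-rate check per device. The script below is an added example, not code from the original post, the university or its incident responders. It parses BIND-style query-log lines (the sample log is constructed for the example, not taken from the real incident) and flags every client whose peak one-minute query count is far above the rest of the population or above an absolute ceiling; both thresholds, the IP ranges and the hostnames are assumptions.

```python
"""Flag devices producing anomalous DNS query volumes.

Added example, not code from the original post. Parses BIND 9 query-log
lines and reports clients whose peak one-minute query count is far above
the fleet median or above an absolute ceiling. Sample log is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# BIND 9 query-log line, e.g.
# 15-Feb-2017 10:00:01.000 client 10.20.0.11#40001: query: ntp0.example IN A + (10.20.0.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse(line):
    """Return (timestamp, client_ip, qname) or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower()


def peak_queries(lines, window=timedelta(seconds=60)):
    """Per client: the most queries seen in any `window`-long span, plus distinct names."""
    times = defaultdict(list)
    names = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, qname = rec
        times[ip].append(ts)
        names[ip].add(qname)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[ip] = best
    return peaks, names


def flag_clients(lines, abs_threshold=200, factor=10):
    """Clients whose peak rate exceeds an absolute ceiling or `factor` x the fleet median.

    The absolute ceiling matters: when nearly every device is compromised, as in
    the incident above, a purely population-relative baseline is poisoned and
    never fires. Both thresholds are assumptions to tune per site.
    """
    peaks, names = peak_queries(lines)
    if not peaks:
        return {}
    baseline = statistics.median(peaks.values())
    return {
        ip: {"peak_per_min": peak, "distinct_names": len(names[ip])}
        for ip, peak in peaks.items()
        if peak >= abs_threshold or peak > factor * baseline
    }


def build_sample_log():
    """Constructed log (assumed addresses/names): four quiet devices, two chatty vending machines."""
    base = datetime(2017, 2, 15, 10, 0, 0)
    lines = []
    for i, ip in enumerate(["10.20.0.11", "10.20.0.12", "10.20.0.13", "10.20.0.14"]):
        for k in range(5):                        # one lookup every 12 s
            t = base + timedelta(seconds=12 * k)
            lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client {ip}#4000{k}: "
                         f"query: ntp{i}.example IN A + (10.20.0.1)")
    for ip in ["10.20.0.201", "10.20.0.202"]:
        for k in range(300):                      # 300 lookups in under a minute
            t = base + timedelta(milliseconds=200 * k)
            lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} "
                         f"client {ip}#{50000 + k}: query: seafood{k}.example IN A + (10.20.0.1)")
    lines.append("15-Feb-2017 10:00:00.000 zone transfer denied")   # non-query line, ignored
    return lines


if __name__ == "__main__":
    for ip, info in sorted(flag_clients(build_sample_log()).items()):
        print(f"{ip}: {info['peak_per_min']} queries/min, {info['distinct_names']} distinct names")
```

Run against a real BIND query log by replacing `build_sample_log()` with the file's lines. The distinct-name count is worth keeping in the output: a device resolving hundreds of never-repeated names in a minute is behaving like a bot, not like a thermostat fetching updates.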
Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.
Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.
However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.
A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.
Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.
While it is easy to see why all IoT devices were placed on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one's eggs in the same basket. IoT devices should be segmented onto their own network, separated from user workstations and servers, so that if access to devices on one network is gained, the damage is contained.
There are many cybersecurity solutions for managed service providers to add to their service stacks and offer to clients. However, the failure to offer a comprehensive range of cybersecurity solutions can prove costly. There is considerable demand for managed services, and the failure to provide them could see clients effectively handed to competitors.
Furthermore, there is now increased competition. Managed service providers have offered preventative cybersecurity solutions to their clients for many years, but competition in this sphere is increasing.
IT companies that have previously relied on fixing computer problems or providing data breach investigative services as their core business have realized there is big money to be made from providing cybersecurity services to prevent problems. An increasing number of IT companies are now capitalizing on high profile data breaches and demand for preventative solutions from SMBs and are now providing these services.
In order to capitalize on the opportunity for sales and to make sure clients do not start looking elsewhere, managed service providers need to make sure that they offer a full suite of cybersecurity solutions. Solutions that will keep their clients protected from the barrage of cybersecurity attacks that are now occurring.
Fortunately, the move away from hardware-based solutions to cloud-based services is making it easier for managed services providers. Cloud-based solutions are not only cheaper for clients, they are easier for MSPs to deliver and manage. While providing solutions that prevent cyberattacks may have been impractical and provided little return for the effort, that is no longer the case.
There are many potential cybersecurity solutions for managed service providers, although one area in particular where MSPs can take advantage is to offer solutions to prevent phishing attacks. Phishing – obtaining sensitive information from employees – is one of the main ways that cybercriminals gain access to networks and sensitive data.
Companies are spending big on network security to prevent direct attacks, yet cybercriminals know all too well that even multi-million-dollar security defenses can be breached. The easiest way to gain network access is to be provided with it by employees.
It is much easier to fool an employee into downloading malware or ransomware, or into revealing their email or login credentials, than it is to find security vulnerabilities or use brute force tactics. All it takes is for a phishing email to reach the inbox of an employee.
Anti-phishing training companies, which provide security awareness training for employees and teach them how to identify phishing emails, know all too well that training alone is not sufficient. Some employees are poor at putting training into practice.
Even if security awareness training is provided, employees will still open email attachments from strangers and click on links sent to them in emails. Furthermore, cybercriminals are getting better at crafting emails to get links clicked and malware-ridden attachments opened.
We have already seen this year (and last tax season) how effective phishing emails can be. At least 145 companies in the United States (that we know about) emailed W-2 Forms of employees to scammers via email last year. This year looks like it will be even worse.
A high percentage of malware infections occur as a result of spam emails with infection either through email attachments (downloaders) or links to malicious sites where malware is silently downloaded. The same is true of many ransomware infections.
Given the high risk of a phishing attack occurring or information-stealing malware and ransomware being installed, organizations are happy to pay for managed solutions that can block phishing emails, prevent malware-infecting emails from being delivered, and stop employees from visiting malicious links.
MSPs can take advantage by providing these services. Since cloud-based solutions are available that offer the required level of protection, adding these solutions to an MSP's service stack is a no-brainer. Cloud-based solutions to protect against phishing, malware, and ransomware infections require no hardware, no site visits, and little management overhead.
TitanHQ can provide cloud-based solutions ideal for inclusion in MSPs' service stacks. TitanHQ's email and web protection solutions – SpamTitan and WebTitan – are effective at blocking a wide range of email and web-borne threats.
SpamTitan blocks over 99.97% of spam email, has a low false positive rate and blocks 100% of known malware. Inboxes are kept spam and malware free, and an anti-phishing component prevents phishing emails from being delivered to end users.
WebTitan offers excellent protection from web-borne threats, protecting employees and networks from drive-by malware and ransomware downloads and blocking links to malicious websites.
Furthermore, these solutions can be run in a public or private cloud, can be provided in white-label format ready for an MSP's branding, have low management overhead and include generous margins for MSPs.
If you are an MSP and are looking to increase the range of cybersecurity services you can offer to clients, give TitanHQ a call today and find out more about our cybersecurity solutions for managed service providers.
With our cybersecurity solutions for managed service providers, you can improve your cybersecurity portfolio, provide better value to your clients and boost your bottom line.
The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.
Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.
Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP.
However, while those attacks were damaging, they arguably caused less harm than the Panama Papers breach at Mossack Fonseca – the largest law firm data breach of the year. That attack resulted in an astonishing 2.6 terabytes of data being stolen by the attackers – documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 offshore entities had data revealed as a result of that law firm data breach.
While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.
Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – but it will do little to prevent phishing attacks.
A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.
Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.
Malware and phishing attacks on healthcare organizations are all but guaranteed. In fact, they are almost as certain as death and taxes. Healthcare organizations hold huge volumes of data on patients and more types of data than virtually any other industry.
Healthcare providers store personal information and Social Security numbers, which are needed for identity theft and tax fraud; insurance information that can be used for health insurance fraud; and Medicare/Medicaid numbers and health information that can be used for medical fraud. Bank account information and credit card numbers are also often stored. For cybercriminals, breaching a healthcare organization's defenses means a big payday.
Further, health data does not expire like credit card numbers. Social Security numbers never change. It is therefore no surprise that malware and phishing attacks on healthcare organizations are on the rise.
As if there was not enough incentive to attack healthcare organizations, the healthcare industry has underinvested in cybersecurity defenses, lagging behind other industries when it comes to implementing the latest technologies to thwart cybercriminals. Healthcare networks are also highly complex and difficult to protect, and they run a great deal of outdated software and many unsupported operating systems. Many healthcare organizations still run medical devices on Windows XP, which is no longer supported and contains many unpatched vulnerabilities.
The Health Insurance Portability and Accountability Act (HIPAA) has helped to bring cybersecurity standards up to an acceptable level. HIPAA compliance has made it harder for cybercriminals, although far from impossible. With the healthcare industry firmly in cybercriminals' crosshairs, healthcare organizations need to look beyond meeting the minimum standards for data security to avoid a HIPAA fine and ensure that defenses are improved further still.
One of the biggest problems comes from cyberattacks on healthcare employees. Even advanced firewalls can be easily bypassed if employees can be fooled into clicking on a malicious link or opening an infected email attachment. Phishing attacks on healthcare organizations are the most common way that cybercriminals gain access to healthcare networks. Most cyberattacks start with a spear phishing email.
In addition to perimeter defenses, it is essential for healthcare organizations to employ technologies to block phishing attacks. Advanced spam filters will prevent the vast majority of phishing emails from being delivered, while web filtering solutions will block phishing attacks on healthcare organizations by preventing malicious links from being clicked and malicious websites from being accessed.
Fortunately, with appropriate defenses in place, cyberattacks can be prevented and the confidentiality, integrity, and availability of ePHI can be preserved.
For further information on the major healthcare cyberattacks of 2016, the key threats to healthcare organizations, and the impact of data breaches, click the image below to view our healthcare hacking infographic.
Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo and MySpace have provided cybercriminals with passwords aplenty, and those passwords are used in these automated login attempts.
Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.
Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.
Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and, since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to log in. The criminals then scale up the assault by renting a botnet, which makes it possible to conduct hundreds of thousands of login attempts simultaneously from many different source addresses, defeating simple per-IP rate limits.
Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.
The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.
Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.
There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.
These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.
Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.
These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.
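The two mitigations this post asks for, spotting stuffing traffic and refusing passwords that are already in a breach corpus, are both short to implement. The script below is an added example, not code from Shape Security or TitanHQ. The login-log format, the threshold values, the sample addresses and the tiny breached-password corpus are all constructed for the example; in production the corpus would be a list such as Have I Been Pwned's Pwned Passwords (SHA-1 hashes), queried by hash prefix as the `is_breached` function emulates.

```python
"""Spot credential-stuffing traffic and reject passwords known to be breached.

Added example, not code from Shape Security or TitanHQ. Log format, thresholds
and the breached-password corpus are constructed for the example.
"""
import hashlib
import re
from collections import defaultdict

# Constructed authentication-log format, e.g.
# 2016-11-03T10:00:01Z ip=203.0.113.5 user=alice result=fail
LOGIN_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def summarize_by_ip(lines):
    """Attempts, distinct usernames and successes per source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["ok"] += 1 if m["result"] == "ok" else 0
    return stats


def stuffing_sources(lines, min_attempts=20, min_users=10, max_success=0.05):
    """Sources that walk through many different usernames with a tiny hit rate.

    A shared office NAT also shows many usernames from one address, but its
    success ratio is high, so the ratio is what separates the two. The
    thresholds are assumptions to tune per site.
    """
    flagged = {}
    for ip, s in summarize_by_ip(lines).items():
        rate = s["ok"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate <= max_success:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_rate": round(rate, 3)}
    return flagged


# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "Summer2016!")
}


def sha1_prefix_suffix(password):
    """Split the SHA-1 into the 5-hex-char prefix sent to a range API and the suffix kept locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password, corpus=BREACHED_SHA1):
    """True when the password's hash appears in the breached corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    # Emulates a k-anonymity range lookup: fetch every hash sharing the prefix,
    # then compare suffixes locally so the full hash never leaves the client.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def build_sample_log():
    """Constructed login log: one stuffing source, one office NAT, one fat-fingered user."""
    lines = []
    for n in range(50):                                   # attacker: 50 usernames, 1 hit
        lines.append(f"2016-11-03T10:00:{n % 60:02d}Z ip=203.0.113.5 user=user{n:03d} "
                     f"result={'ok' if n == 17 else 'fail'}")
    for n in range(30):                                   # office NAT: 12 staff, mostly ok
        lines.append(f"2016-11-03T09:0{n % 10}:00Z ip=198.51.100.10 user=staff{n % 12:02d} "
                     f"result={'fail' if n % 10 == 0 else 'ok'}")
    lines.append("2016-11-03T11:00:00Z ip=192.0.2.44 user=carol result=fail")
    lines.append("2016-11-03T11:00:09Z ip=192.0.2.44 user=carol result=ok")
    return lines


if __name__ == "__main__":
    for ip, info in stuffing_sources(build_sample_log()).items():
        print(f"{ip}: {info}")
    for pw in ("123456", "correct horse battery staple"):
        print(pw, "breached" if is_breached(pw) else "not in corpus")
```

The success-ratio test is what keeps the detector from flagging a corporate proxy, and it is also why a per-IP view alone is not enough once the attacker rents a botnet: the same logic should then be applied per username (many source addresses trying one account) and to the global failure rate.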
Internet censorship laws in two U.S. states may be augmented, forcing Internet service providers and device manufacturers to implement technology that blocks obscene material from being viewed on Internet-connected devices.
North Dakota has recently joined South Carolina in proposing stricter Internet censorship laws to restrict state residents’ access to pornography. There is growing support for stricter Internet censorship laws in both states to block pornography and websites that promote prostitution, and it is believed that stricter Internet censorship laws will help reduce human trafficking in the states.
The new Internet censorship laws would not stop state residents from accessing pornography on the laptops, computers and smartphones they already own, as the technology would only be required on new devices sold in the two states. Any new device purchased would be required to have “digital blocking capability” to prevent obscene material from being accessed. Should the new Internet censorship laws be passed, state residents would be required to pay $20 to have the Internet filter removed.
The proposed law in North Dakota – Bill 1185 – classifies Internet Service Provider’s routers and all laptops, computers, smartphones, and gaming devices that connect to the Internet as “pornographic vending machines” and the proposed law change would treat those devices as such. The bill would also require device manufacturers to block ‘prostitution hubs’ and websites that facilitate human trafficking. If passed, the ban on the sale of non-filtered Internet devices would be effective from August 1, 2017.
Lifting of the block would only be possible if a request to remove the Internet filter was made in writing, the individual's age was verified in a face-to-face encounter, and a $20 fee was paid. Individuals wishing to lift the block would also be required to receive a written warning about the dangers of removing the Internet filter.
The fees generated by the state would be directed to help offset the harmful social effects of obscene website content, such as funding the housing, legal and employment costs of victims of child exploitation and human trafficking. Fees would be collected at point of sale.
Device manufacturers would have a duty to maintain their Internet filter to ensure that it continues to remain fully functional, but also to implement policies and procedures to unblock non-obscene website content that has accidentally been blocked by filtering software. A system would also be required to allow requests to be made to block content that has somehow bypassed the Internet filtering controls. Requests submitted would need to be processed in a reasonable time frame. Failure to process the requests promptly would see the company liable to pay a $500 fine per website/webpage.
State Representative Bill Chumley (R‑Spartanburg) introduced similar updates in South Carolina last month, proposing changes to the state’s Human Trafficking Prevention Act. Both states will now subject the proposed bills to review by their respective House Judiciary Committees.
Companies must now deal with a new ransomware threat: 2017 is likely to see a proliferation of doxware attacks.
2016 was the year when cybercriminals fully embraced ransomware and used it to devastating effect on many organizations. As 2016 started, the healthcare industry was heavily targeted. Cybercriminals rightly assumed that the need for healthcare professionals to access patient data would make ransom payments likely. That was certainly the case with Hollywood Presbyterian Medical Center, where an attack resulted in a ransom of $17,000 being paid to allow the medical center to regain access to patient data and computer systems.
Hospitals throughout the United States continued to be attacked, and attacks also spread to the United Kingdom and Germany. The education sector was also hit heavily. Many schools and universities were attacked and were forced to pay ransoms to obtain keys to unlock their data.
Between April 2015 and March 2016, Kaspersky Lab reported that ransomware infections rose by 17.7%. The figures for April 2016 to March 2017 are likely to show an even bigger rise. Ransomware has rarely been out of the news headlines all year.
Cybercriminals are making stealthier and more sophisticated ransomware variants to avoid detection and cause more widespread disruption. Widespread media coverage, warnings by security companies and law enforcement agencies, and the likely costs of dealing with attacks has led many companies to improve their defenses and develop strategies to recover from infections.
With ransom demands of tens of thousands of dollars – or in some cases hundreds of thousands of dollars – and widespread attacks, the threat can no longer be ignored.
One of the best ways of avoiding having to pay a sizeable ransom is to ensure data are backed up. Should ransomware be installed, IT departments can wipe their systems, restore files from backups, and make a quick recovery.
Ransomware is only an effective income generator for cybercriminals if ransoms are paid. If companies can easily recover, and restoring data from backups is cheaper than paying a ransom, cybercriminals will have to look elsewhere to make their money.
However, ransomware is far from dead. Cybercriminals are changing their tactics. Ransomware is still being used to encrypt data, but an extra incentive is being added to the mix to increase the chance of a ransom being paid.
Doxware: The New Ransomware Threat
Doxware, like ransomware, encrypts data and a ransom demand is issued. However, in addition to encrypting data, information is also stolen. The gangs behind these attacks up the ante by threatening to publish sensitive data if the ransom is not paid.
If access is gained to corporate emails or other electronic conversations, the potential harm that can be caused is considerable. Reputational damage from doxware can be severe, making payment of a ransom far preferable to recovering data from a backup. If intellectual property is stolen and published, the consequences for a company could be catastrophic.
2016 has already seen extortion attempts by hackers who have infiltrated networks, stolen data, and threatened its release if ransom payments are not made. TheDarkOverlord attacks on healthcare providers are just one example. However, in those attacks data were simply stolen. The combination of data theft with ransomware would be more likely to see ransoms paid. Already we have seen ransomware variants that combine an information stealing component and 2017 is likely to see the problem get far worse.
The increase in cyberattacks and proliferation of web-borne threats has made web filtering for Managed Service Providers one of the most important, and profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense.
Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSP's service stack.
Cybercriminals Have Switched from Email to the Web to Spread Malware
Email remains one of the most likely routes by which malware is installed. Malicious email volume is growing, and in Q3 2016 Proofpoint discovered that 96.8% of malicious attachments were used to download Locky ransomware. Blocking malicious spam email messages is therefore an essential element of any organization’s cybersecurity defense strategy. However, times are changing. The threat from web-borne attacks has increased significantly in the past few years.
Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages and that they now conduct end user training to warn employees of the risks of opening email attachments or clicking on hyperlinks sent by strangers.
However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.
The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.
Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.
As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely identified as malicious and the malware downloads that result from visiting malicious websites go undetected.
Web-Borne Threats have Increased Substantially in Recent Years
Cybercriminals use exploit kits – malicious software that probes for vulnerabilities in browsers – on hijacked webpages and purpose designed, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions and these flaws can be exploited and leveraged to download malware and ransomware. Each time a new flaw is identified, it is rapidly added to a swathe of exploit kits.
Anti-virus software is capable of detecting a high percentage of malware and preventing the malicious software from being installed on computers; however, new forms of malware are being released at an unprecedented rate. A new malware sample is now released every 4 seconds. Naturally, there is a lag between the release of new malware and the addition of its signature to antivirus companies’ virus definition lists. Visits to malicious websites all too often result in malware installations that go undetected.
Malicious websites are constantly being created. Google reports that since July 2013, 113,132 new phishing websites have been created and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.
Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.
New Threats are Constantly Being Developed
Malware is used to log keystrokes to obtain login credentials for further, more sophisticated attacks. Banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic. 40% of businesses have now been attacked with ransomware.
Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.
These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:
WebTitan Cloud – Web Filtering for Managed Service Providers
Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.
Given the range of threats and the extent to which cybercriminals are using the web, it is now essential for organizations to add web filtering to their cybersecurity defenses. Consequently, web filtering for Managed Service Providers presents a huge opportunity for growth. TitanHQ has seen a significant increase in uptake of its web filtering for Managed Service Providers in recent months as MSPs have started to appreciate the huge potential web filtering has to improve bottom lines.
WebTitan can be rapidly added to an MSP's service stack and is an easy sell to clients. WebTitan can be deployed remotely and rapidly installed and configured. The solution is automatically updated, requires little to no IT support, is technology agnostic, and therefore has an extremely low management overhead. The solution also has excellent scalability and can be used to protect any number of end users.
MSPs can be provided with a white-label version of WebTitan Cloud ready for branding, and WebTitan Cloud can even be hosted within an MSP's own environment. Perhaps most important for MSPs is the high-margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.
Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.
Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: There are many risks of social media in business and the costs can be considerable.
Social Media Use Can be a Huge Drain on Productivity
When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.
If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.
Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.
Social media site use is not all bad; in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.
The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.
The Cost of Social Media Use Can Be Severe
Productivity losses can have a serious negative impact on profits, but there are far bigger costs to employers from social media site use. In fact, the risks of social media in business are considerable.
The cost from lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by hackers to infect computers. Just visiting a malicious Facebook or Twitter link can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical. The more time employees spend on non-work related Internet activities, the greater the risk of a malware infection.
Is there a genuine risk? According to PC Magazine, the risks are very real. There is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.
Controlling employees’ use of the Internet can not only result in huge increases in productivity, it can also help to reduce the risk of malware and ransomware infections. Further, by limiting the sites that can be accessed by employees, organizations can greatly reduce legal liability.
Fortunately, there is a simple, cost-effective, and reliable solution that allows organisations to effectively manage the risks of social media in business: WebTitan.
Managing the Risks of Social Media in Business
WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.
If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.
To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.
Most employees are required to agree to use the Internet responsibly and are made to sign an acceptable usage policy as part of their induction before being supplied with a user ID. The policies vary in their content from organization to organization, but typically prohibit individuals from using the Internet to access illegal material, visit websites containing pornography, or engage in online activities that have no work purpose. The policies detail prohibited uses and state the penalties if individuals are discovered to have abused their access rights.
For many businesses, this may be deemed to be sufficient. If policies are breached, there are serious repercussions for the individual. For most employees AUPs alone will be sufficient to stop Internet abuse. However, while a breach of AUPs could result in termination of a work contract or serious disciplinary action against an employee, the consequences for a business can be much more severe.
AUPs can cover employers and prevent legal issues resulting from inappropriate Internet use, but they cannot protect against malware and ransomware infections. The consequences of malware and ransomware infections can be considerable. Data can be lost or corrupted by malware, and confidential information can be stolen, used for nefarious purposes, or sold on the darknet to criminals. The financial and reputational consequences for a business could be catastrophic.
In the case of ransomware infections, the cost can be considerable. Earlier this year, Hollywood Presbyterian Medical Center experienced a ransomware attack that required a ransom payment of $17,000 to be paid to recover data. The costs of dealing with the infection even after the ransom was paid were considerable, not to mention the disruption to operations while data were locked. Full access to data was not regained for more than a week.
AUPs used to be sufficient to reduce risk – legal and otherwise – but today much more rigorous controls are required to keep networks secure. To manage the risk effectively, it is important to enforce acceptable usage policies with a technological solution.
The most effective way of ensuring AUPs are adhered to is to enforce acceptable usage policies with a web filtering solution. A web filter can be configured to ensure the Internet can only be used for activities that an employer permits. Controls can be applied to ensure that illegal websites are not visited or to block pornography in the workplace, or stricter controls can be applied to severely restrict access. Most importantly, given the massive rise in ransomware and malware attacks, controls can be enforced to keep networks secure.
To find out more about the benefits of implementing a web filtering solution, how networks can be secured with WebTitan, and for details of pricing, contact the TitanHQ team today.
Although many businesses use configured DNS filters to prevent cyberattacks, UK ISPs tend to blanket-block complete categories of websites to limit access to those most likely to be harboring malware. This hit-and-miss approach to online security often blocks genuine websites, or exposes consumers who opt out of DNS filtering to every type of online threat.
However, plans have now been announced that will see the UK's spy agency – GCHQ – partner with leading ISPs in the UK in order to develop a more finely-tuned approach to consumer security. Effectively, GCHQ will advise the ISPs on how to configure their DNS filters to prevent cyberattacks on consumers based on individual sites known to harbor malware.
By preventing consumers from accessing “bad addresses” that appear to be legitimate domains, GCHQ hopes to reduce the number of malware and phishing attacks launched on the UK public each year. The organization is reported to routinely use DNS filtering to filter out some parts of the internet that the government asks to be banned, and this new initiative is an extension of its existing service.
The plans were announced by Ciaran Martin – head of GCHQ and the recently formed National Cyber Security Centre (NCSC) – at the Billington Cyber-Security Summit. Martin told Summit attendees, “We’re exploring a flagship project on scaling up DNS filtering: what better way of providing automated defenses at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”
A few years ago, former UK Prime Minister David Cameron attempted to introduce legislation that would require ISPs to block pornography. While legislation was not passed, ISPs entered into a voluntary agreement to block pornography by default. Since 2013, all new customers have been prevented from accessing online pornography by their ISPs unless they choose to opt out and lift the DNS filter. Under this voluntary arrangement, UK citizens are protected from inappropriate content, yet their civil liberties are not violated.
There would likely be considerable backlash if the government was to introduce legislation to block the accessing of certain websites, even if those sites were known to contain threats such as malware or ransomware. Martin is well aware of the potential problems that could arise. He told Summit attendees, “The government does not own or operate the Internet,” explaining that any move to use DNS filters to prevent cyberattacks would need to come from the private sector.
Martin explained that, as with ISPs blocking pornography, consumers would be given a choice to opt out of using DNS filters to prevent cyberattacks. He said “addressing privacy concerns and citizen choice is hardwired into our program.”
The plan to use DNS filters to prevent cyberattacks on consumers and UK businesses has been applauded. “The Great Firewall of Britain” will help to protect consumers from cybercriminal activity and keep electronic devices free from malware and ransomware.
There are currently millions of malicious websites that have been set up with the sole purpose of spreading malware such as banking Trojans, ransomware, spyware, or to commit online fraud. Data from the Information Commissioner’s Office (ICO) shows the number of reported online security incidents has doubled in the past year and cyber-infection rates are growing at an exponential level around the globe.
The use of DNS filters to prevent cyberattacks should go some way towards preventing consumers from inadvertently downloading malware or falling victim to a phishing campaign. However, while this is a step in the right direction, when the plan is implemented it will not spell an end to malware and ransomware attacks.
ISP DNS filters can only block websites that are known to be malicious or have been discovered to host exploit kits or malware. Cybercriminals are constantly changing tactics and are using ever more sophisticated methods of attacking individuals, businesses, and governments. The use of ISP DNS filters to prevent cyberattacks will help to deal with low level attacks, but organizations should not rely on their ISPs to block online threats.
It will still be essential for organizations to carefully control the website content that can be accessed by their employees, and to do that they will need their own web filtering solution.
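The blocklist-driven DNS filtering described in this article (and the category-based web filtering discussed earlier on this page) comes down to a small decision function: match the queried name against a blocklist of domains by category, then apply the subscriber's policy, which may be default-on with an opt-out or a stricter corporate policy. The following is an added example written for this page, not code from GCHQ, any ISP or WebTitan; the blocklist entries, categories, policy names and subscriber identifiers are all constructed.

```python
"""Toy DNS-layer filter: blocklist lookup plus per-subscriber policy.
Added example for this page; blocklist and policies are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed blocklist: registrable domain -> category. A real feed adds
# tens of thousands of entries a day; the matching logic is the same.
BLOCKLIST: Dict[str, str] = {
    "malware-example.test": "malware",
    "phish-example.test": "phishing",
    "adult-example.test": "adult",
    "social-example.test": "social",
}


@dataclass
class Policy:
    """Which categories a subscriber's lookups are blocked for.
    `allow` is an explicit allow list that overrides a category block."""
    blocked: Set[str]
    allow: Set[str] = field(default_factory=set)


# Constructed subscriber policies: default-on filtering with the adult
# category lifted on request, and a stricter office policy that also
# blocks social media but allows one approved site.
POLICIES: Dict[str, Policy] = {
    "home-default": Policy({"malware", "phishing", "adult"}),
    "home-opted-out": Policy({"malware", "phishing"}),
    "office": Policy({"malware", "phishing", "adult", "social"},
                     allow={"hr.social-example.test"}),
}


def normalize(qname: str) -> str:
    """Canonical form for lookups: lower case, no trailing root dot."""
    return qname.rstrip(".").lower()


def _suffixes(qname: str) -> List[str]:
    """All parent names of a query, most specific first:
    a.b.example -> [a.b.example, b.example, example]."""
    labels = normalize(qname).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_category(qname: str) -> Optional[str]:
    """Return the blocklist category for a name or any parent domain,
    so subdomains of a listed domain are caught too."""
    for candidate in _suffixes(qname):
        if candidate in BLOCKLIST:
            return BLOCKLIST[candidate]
    return None


def decide(subscriber: str, qname: str) -> Tuple[str, Optional[str]]:
    """Filtering decision for one DNS query: ("allow"|"block", category).
    Unknown subscribers get the default-on policy, mirroring the
    default-on model the article describes."""
    policy = POLICIES.get(subscriber, POLICIES["home-default"])
    category = lookup_category(qname)
    if category is None:
        return "allow", None
    # Explicit allow entries win even for a blocked category.
    if any(s in policy.allow for s in _suffixes(qname)):
        return "allow", category
    if category in policy.blocked:
        return "block", category
    return "allow", category


def filter_log(subscriber: str, queries: List[str]) -> List[Dict[str, str]]:
    """Run a batch of queries and keep only the blocked ones as log records,
    which is what a defender would forward to monitoring."""
    records = []
    for q in queries:
        verdict, category = decide(subscriber, q)
        if verdict == "block":
            records.append({"subscriber": subscriber, "qname": normalize(q),
                            "category": category or ""})
    return records
```

Note that the example only ever blocks names already on the list, which is exactly the limitation the article points out: a freshly registered malicious domain is allowed until a feed catches up.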
Kaspersky Lab has published a new ransomware study that clearly shows the rise in use of the malicious file encrypting software over the past two years. The research shows that companies are firmly in attackers’ sights, with attacks on companies having soared in recent months.
Kaspersky Ransomware Study 2016
For the ransomware study, Kaspersky Lab looked at crypto-ransomware, which uses encryption to lock critical business files, as well as Windows blockers – ransomware that simply locks victims’ computer screens to prevent files from being accessed. Kaspersky Lab took de-identified data from the Kaspersky Security Network (KSN) and assessed the data from individuals that had encountered ransomware between April 2014 and March 2016.
Kaspersky Lab notes that while the prevalence of Windows blockers is still high, there has been a massive rise in the use of crypto-ransomware over the past 12 months. Between April 2015 and March 2016 there was a 17.7% rise in the number of individuals who encountered ransomware or Trojan downloaders that installed ransomware. During that time frame, 2,315,931 users had encountered ransomware.
The figures show that cybercriminals are now increasingly turning to ransomware to make money, although in terms of the total number of malware encounters, ransomware remains relatively low. From April 2015 to March 2016, the proportion of users who encountered ransomware out of the total number who encountered other forms of malware increased from 3.63% to 4.34%, a rise of 0.7 percentage points.
Ransomware Study Shows Rise in Popularity of Crypto-Ransomware
The Kaspersky ransomware study clearly shows the rise in popularity of crypto-ransomware with cybercriminals. Compared to 2014-2015, the last 12 months have seen the percentage of individuals who encountered crypto-ransomware rise by 25 percentage points. 31.6% of ransomware encounters are now with cryptors. Attacks using cryptors jumped by 5.5% to 718,536 attacks between 2015 and 2016.
Kaspersky Lab also noted a fall in the use of Windows lockers. Attacks using Win-lockers fell by 13.03% over the same period, falling from 1,836,673 attacks in 2014-2015 to 1,597,395 attacks in 2015-2016.
Windows blockers are not particularly sophisticated and are relatively easy to resolve; however, the same is not true of crypto-ransomware infections. An infection with a Windows-blocker can be reversed without paying a ransom demand. The victim could simply re-install their operating system. This may not be an ideal solution, and it can be time consuming, but the victim would be able to recover all of their files.
With crypto-ransomware that is not the case. If a ransom demand is not paid, the victim would not be able to unlock their files. The decryption keys are all held by the attackers. The only way to recover from a crypto-ransomware attack without paying the ransom demand is by restoring files from a backup. If no backup exists, the victim must pay the ransom or forever lose their files. Because of this, victims are more likely to pay the ransom. It is therefore no surprise that cybercriminals are increasingly turning to cryptors.
Businesses Increasingly Being Targeted
The Kaspersky Lab ransomware study shows that businesses are now increasingly being targeted. Not only are businesses more likely to pay the ransoms; since ransoms are set per device, the infection of a business network of multiple computers would represent a big pay day for an attacker. Between 2014 and 2016, attacks on businesses rose from 6.80% of all attacks to 13.13%.
The ransomware variants used to attack businesses and individuals have changed significantly over the past 12 months. In 2014-2015, CryptoWall accounted for the lion’s share of attacks (58.84%). Other attacks used a variety of different ransomware variants, the main ones being Cryaki (5.66%) and Scatter (4.40%).
In 2015-2016, the main ransomware variant was Teslacrypt, which accounted for 48.81% of ransomware attacks. However, many new variants were also extensively used. CTB-Locker accounted for 21.61% of attacks, Scatter 8.66%, Cryaki 7.13%, CryptoWall 5.21%, and Shade 2.91%. Attacks using Locky were just starting late in the year. Locky accounted for 0.62% of all attacks between 2015 and 2016. The “Others” category decreased considerably from 22.55% of attacks in 2014-2015, to 2.41% in 2015-2016. Kaspersky Lab attributes this to the sharing of crypto-ransomware kits by ransomware developers.
Healthcare ransomware infections have made the headlines in recent weeks, although the University of Calgary ransomware attack shows that no organization is immune: In fact, university ransomware attacks are on the rise.
Organizations in the healthcare and financial sectors are the main targets for cybercriminals, although education is the third most likely industry to be attacked. Universities store huge volumes of highly sensitive data and state-sponsored hacking groups frequently conduct attacks.
Foreign governments are keen to obtain research data and ransomware attacks on universities may just be a smokescreen. All too often DDoS attacks are performed for this purpose, yet ransomware can be just as effective. While IT departments scramble to secure systems and recover data, attackers may be plundering data.
University of Calgary Ransomware Attack: $20K Paid for Decryption Keys
The University of Calgary ransomware attack occurred late last month and resulted in computer systems being severely disrupted. The IT department worked around the clock in an attempt to contain the infection and restore computer services one by one. While the University had made backups of critical data, the decision was taken to pay the attackers’ ransom demand as a precaution. To obtain the decryption keys the University had to pay the attackers $20,000.
However, even after paying the ransom, unlocking the encryption and recovering data has been a long-winded process. The decryption keys had to be assessed and evaluated, and the process of decrypting the affected systems took a considerable amount of time.
If multiple computers are infected with ransomware, separate decryption keys are required for each device. Each computer must be restored separately and decryption keys do not always work and may not allow all data to be recovered.
The keys have to be used with care and an infection can take up a considerable amount of an IT department’s time to resolve. Systems and data need to be checked after the infection has been removed and additional cybersecurity measures implemented to protect against future attacks.
The University of Calgary ransomware attack has cost tens of thousands of dollars to resolve and shows that paying the attackers’ ransom demand is not a quick fix that will enable files to be quickly recovered. The recovery process is time consuming, expensive, and requires a considerable amount of resources.
During the time that systems are down, workflows are seriously disrupted. In the case of university ransomware attacks lives may not be put at risk as is the case with healthcare attacks, but the costs of ransomware attacks on universities can be considerable. The total cost of resolving a ransomware infection is far in excess of any ransom payment.
Protecting Against University Ransomware Attacks
Unfortunately for universities, protecting against ransomware can be difficult as public and private networks often overlap. Staff and students are often allowed to connect personal devices to networks, and controlling devices that connect to networks can be a difficult task. While businesses can conduct cybersecurity training and can teach staff basic security best practices to adopt, this can be difficult for universities with huge volumes of staff, students and researchers.
It is therefore important to implement a number of strategies to reduce the risk of a ransomware attack being successful.
It is essential that regular data backups are made and backup devices must be air-gapped. Staff and students should be encouraged to save files on backed up network drives, and cybersecurity training should be provided where possible. Students should be informed of the risk and advised of security best practices via email and noticeboards.
Many universities already use a web filtering solution to control the content that can be accessed via university wired and WiFi networks. Web filters can also be configured to reduce the risk of drive-by malware downloads. Anti-spam solutions can also prove effective as part of a multi-layered cybersecurity strategy and can prevent malicious emails from being delivered.
Technology should also be implemented to identify intrusions when they occur. A network intrusion detection system is a wise precaution alongside traditional anti-virus and anti-malware solutions.
It may not be possible to prevent all university ransomware attacks, but it is possible to manage risk and reduce the damage caused if ransomware is installed on devices or networks.
This week saw a host of updates issued by Microsoft to address critical flaws in Windows, although 44 security vulnerabilities in total have been addressed in the updates. These vulnerabilities affect a wide range of its products including Windows, Internet Explorer, Edge, and many of its Microsoft Office products. The updates were spread across 16 security bulletins, 6 of which were rated by Microsoft as critical. The remaining patch bundles were marked as important.
Critical Flaws in Windows Addressed this Patch Tuesday
To address the latest critical flaws in Windows, all of the patches should be applied as soon as possible. However, some are more important than others and should be prioritized. MS16-071 is perhaps the most important, especially for organizations that run their DNS server on the same machine as their Active Directory server. This update addresses critical flaws in Windows Server 2012 and Windows Server 2012 R2.
MS16-071 addresses a single flaw in Microsoft’s DNS server; however, the flaw is highly serious. Malicious actors could potentially exploit this vulnerability, which allows remote code execution if an attacker sends malicious requests to the DNS server. The update modifies how DNS servers handle requests.
Microsoft has also issued updates to address vulnerabilities in Internet Explorer – MS16-063 – and Microsoft Edge – MS16-068. These two flaws would allow an attacker to gain the same rights as the current user if that individual visits malicious websites configured to exploit the vulnerability.
MS16-070 should also be updated as a priority. This security bulletin addresses a number of flaws, one of which could be exploited via spam email. It addresses vulnerability CVE-2016-0025, which concerns the Word RTF format. This could be exploited to yield RCE to the attacker. Worryingly, an attacker could exploit the flaw without an email even being opened, should that message be viewed using message preview in Microsoft Outlook.
Adobe Flash Zero Day Being Actively Exploited
While all of these updates are important, there is an even bigger worry. A new zero-day vulnerability in Adobe Flash Player has been discovered by Kaspersky Lab researchers. Adobe has been alerted that an exploit already exists for CVE-2016-4171 and that it is being actively exploited in the wild. At present, the vulnerability is being exploited in targeted attacks on organizations by a new hacking group referred to by Kaspersky Lab as “ScarCruft.”
Earlier this week, Adobe said it will delay the issuing of updates in order to address this new vulnerability. CVE-2016-4171 affects Adobe Flash v 220.127.116.11 and previous Windows, Mac, Chrome OS, and Linux versions. Updates are expected to start rolling out today.
The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.
In addition to reusing passwords, Zuckerberg also chose a password of 6 characters with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”
Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach
A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.
The LinkedIn passwords were not stored as plaintext, so a little effort was required to recover each password from its hash. While SHA-1 was once thought to be impossible to reverse, recovering the password behind an unsalted SHA-1 hash has since been shown to be a relatively straightforward task, because the same password always produces the same hash. Salting defeats this, and in the case of LinkedIn the passwords were not salted.
Simply enter the SHA-1 hash of a password into one of the many reverse hash calculators and the plaintext password will be revealed. A search for the phrase “how to reverse a sha1 password” returns many online options for doing so. Once the password had been obtained, access to online accounts was possible.
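The two storage schemes contrasted above, as an added example that is not from the original article: an unsalted SHA-1 digest of a common password is found by a single dictionary lookup, whereas a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 here, an assumption of this example, not LinkedIn's scheme) makes the same password hash differently every time. The wordlist is constructed for the demonstration.

```python
"""Added example: unsalted SHA-1 lookup versus salted, slow password hashing."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist; real lookup tables hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "dadada", "linkedin", "qwerty"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened scheme


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the scheme the leaked LinkedIn hashes used."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once; 'reversing' becomes a dict lookup."""
    return {sha1_hex(w): w for w in words}


def recover_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Identical password => identical hash, so a table hit is instant."""
    return table.get(stored_hash.lower())


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2; returns (salt, digest) to store together."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password_salted(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = sha1_hex("dadada")  # what an unsalted dump exposes per user
    print("unsalted lookup recovers:", recover_unsalted(leaked, table))
    s1, d1 = hash_password_salted("dadada")
    s2, d2 = hash_password_salted("dadada")
    print("same password, different salted digests:", d1 != d2)
    print("verification still works:", verify_salted("dadada", s1, d1))
```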
The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.
While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.
Spate of Account Hacks Reported After Major Data Leaks
Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.
While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches), the spate of account hijacks suggests as much.
TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software, and a number of users claim that the hacking of their accounts enabled attackers to take control of their computers and authorize PayPal and Amazon transactions. TeamViewer attributed this to “password mismanagement” rather than to any flaw in its software.
All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses is that many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.
Important Online Security Best Practices
To improve security and reduce the risk of more than one account being compromised:
- Never reuse passwords
- Create a complex password for each platform – use symbols, capitals, and numerals
- Change your passwords regularly – every month or three months
- Use 2-factor authentication if available
- Use a password manager to help keep track of passwords
- Don’t store your passwords in your browser
- Regularly check your email address/username against the Have I Been Pwned? database
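The last item in the list can be automated without ever sending a password off-host. As an added example that is not from the original article, the check below uses the Pwned Passwords k-anonymity range endpoint (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>): only the 5-character prefix leaves the machine and the 35-character suffix is matched locally against the returned "SUFFIX:COUNT" lines. The sample response used for the offline run is constructed.

```python
"""Added example: k-anonymity breached-password check (Pwned Passwords range API)."""
import hashlib
import urllib.request
from typing import Callable, Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; prefix appended


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex split into the 5-char prefix sent and 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines for one prefix; 0 means the password was not seen."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def _live_fetch(prefix: str) -> str:
    """Only the 5-character prefix is transmitted; never the password or full hash."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Optional[Callable[[str], str]] = None) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Pass `fetch` to substitute the network call (used for the offline run below)."""
    prefix, suffix = split_sha1(password)
    body = (fetch or _live_fetch)(prefix)
    return count_in_range(suffix, body)


def constructed_fetch(prefix: str) -> str:
    """Constructed stand-in for the API: reports 'dadada' as seen 1234 times (made-up count)."""
    _, dadada_suffix = split_sha1("dadada")
    return f"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:3\r\n{dadada_suffix}:1234\r\n"


if __name__ == "__main__":
    print("dadada seen:", breach_count("dadada", fetch=constructed_fetch))
    print("unique passphrase seen:", breach_count("x7-correct-horse-battery", fetch=constructed_fetch))
```

Replace `constructed_fetch` with the default live fetch to query the real corpus; a non-zero count means the password should be retired everywhere it was used.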
A recent ransomware research study has shown that the individuals running ransomware campaigns do not actually earn that much money and that the success rate of attacks is relatively low. However, the threat from attacks cannot be ignored due to the volume of individuals now running their own ransomware campaigns.
For the ransomware research study, web intelligence company Flashpoint trawled underground forums and marketplaces and monitored communications over a period of five months. The purpose of the ransomware research study was to improve understanding of how ransomware campaigns are run, to learn about the players involved, and the tactics they used to run campaigns and infect end users. It helps to know thy enemy when forming a defense strategy against attacks.
For its ransomware research study, Flashpoint investigated Russian ransomware campaigns from December 2015. The attacks were predominantly carried out on organizations and individuals in the West.
Ransomware Research Study Shows Campaigns are Not as Profitable as Many People Think
Considering the disruption caused and the money lost by victims of ransomware attacks, many people believe the criminals behind the campaigns are making big bucks, but that is not necessarily the case. In fact, even “ransomware bosses” – the individuals offering ransomware-as-a-service – are not raking in anywhere near as much money as many people think.
The majority of cybercriminals who run ransomware campaigns earn well under $10,000 a month. According to the ransomware research study report, only one in five individuals who run ransomware campaigns admitted to earning in excess of this figure. The report suggests that the average monthly earnings from this type of campaign are around $600.
The typical ransom is around $300 per infected computer, although the people who run the campaigns have to give the ransomware bosses 60% of their earnings. They are allowed to keep the remaining 40%, suggesting most of the people running these campaigns only get 2-3 ransoms per month.
The ransomware research study data suggest that far from allowing criminals to obtain big money from ransomware campaigns, the attacks only yield similar returns to other forms of cybercriminal activities. The only difference being the attackers can usually get their hands on money faster. Stealing data such as credit card numbers or healthcare data requires the attacker to find a buyer for those data before any money is received.
The report suggests that the typical infection rate from a campaign is between 5% and 10%, yet few of the victims end up paying the ransom. Many ransomware victims are protected, having made backup copies of important files, and some are able to unlock the infections using tools from security companies. Others are willing to lose data rather than pay the ransom.
Ransomware bosses that push ransomware-as-a-service using an affiliate model can make around $7,500 per month, which equates to around $90,000 a year – approximately 30 ransom payments per month for the bosses.
Most Ransomware Campaigns are Run by Novices
While there are criminal gangs and highly skilled cybercriminals who invest a lot of time and effort into their ransomware attacks, the report suggests that the majority of attackers are novices, not skilled hackers. The report suggests that many individuals choose to run campaigns using ransomware-as-a-service in the hope that they will get lucky and get a big payout. These individuals tend to run spamming campaigns based on quantity rather than quality, and send high numbers of spam emails using botnets.
Flashpoint’s ransomware research study shows just how easy it is to start sending out ransomware campaigns. This is why so many individuals choose to give it a try. All that is needed is a very small injection of capital to get started, a lack of morals about how money is earned online, and a modicum of knowledge to allow individuals to send out mass spam emails.
Adverts for ransomware-as-a-service are easy to find with the Tor browser and advice on distribution is not difficult to find. Would-be criminals with no experience are recruited with a promise of a big payout, even though the reality is that for most people the payouts will be low.
More experienced and skilled individuals send phishing emails directing victims to websites containing exploit kits, which probe for vulnerabilities and automatically download the ransomware. Another popular method of infection is to sneak adverts containing malicious links onto legitimate advertising networks.
Only a small percentage of attackers are highly skilled. These individuals tend to send out targeted campaigns. These attackers target organizations and businesses with the aim of infecting multiple machines and infiltrating networks causing widespread disruption.
These campaigns tend to involve a considerable amount of planning, and require the attacker to research targets and design targeted emails that have a high chance of eliciting the desired response. According to Flashpoint’s director of Eastern European Research and Analysis, Andrei Barysevich, “The success rate of this type of operation is significantly higher, enabling criminals to earn upwards of $10,000 a month or more.”
For organizations infected with ransomware the costs can be severe. Add up the cost of disruption to the business, the time and resources required to remove infections and restore files, and the cost of implementing more robust security measures, and the cost of a ransomware attack could be tens of thousands of dollars.
With no shortage of takers for ransomware-as-a-service, and ever more sophisticated ransomware being developed, organizations must develop a host of defenses to prevent attacks from being successful.
Security researchers have discovered a serious Jetpack plugin vulnerability that places sites at risk of attack by hackers. If you run WordPress sites for your company and you use the Jetpack website optimization plugin, you must perform an update as soon as possible to prevent the flaw from being exploited.
The flaw can also be exploited by competitors to negatively affect search engine rankings by using SEO spamming techniques, which could have serious consequences for site ranking and traffic.
Over a Million WordPress Websites Affected by the New Jetpack Plugin Vulnerability
The Jetpack plugin vulnerability was recently discovered by researchers at Sucuri. The flaw is a stored cross-site scripting (XSS) vulnerability that was first introduced in 2012, affecting version 2.0 of the plugin. All subsequent versions of Jetpack also contain the same Shortcode Embeds Jetpack module vulnerability.
Jetpack is a popular WordPress plugin that was developed by the people behind WordPress.com – Automattic – and has been downloaded and used on more than one million websites. This is not only a problem for website owners, but for web visitors who could easily have this flaw exploited to infect their computers with ransomware or malware. Flaws such as this highlight the importance of using web filtering software that blocks redirects to malicious websites.
While many WordPress plugin vulnerabilities require a substantial skill level to exploit, the Jetpack plugin vulnerability takes very little skill at all to exploit. Fortunately, Jetpack has not discovered any active exploits in the wild; however, now that the vulnerability has been announced, and details provided online about how to exploit it, it is only a matter of time before hackers and malicious actors take advantage.
The flaw can only be exploited if the Shortcode Embeds Jetpack module is enabled, although all users of the plugin are strongly advised to perform a site update as soon as possible. Jetpack has worked with WordPress to get the update pushed out via the WordPress core update system. If you have version 4.0.3 installed, you will already be protected.
Jetpack reports that even if the flaw has already been exploited, updating to the latest version of the software will remove any exploits already on the website.
Over the past few days, rumors have been circulating about a massive MySpace data breach. Initial reports suggested that 427 million usernames and passwords had been obtained by a hacker going by the name of “Peace”. The name should sound familiar. The Russian hacker is the same individual who recently listed 117 million LinkedIn login credentials for sale on an illegal darknet marketplace. The hacker was also allegedly responsible for the 65 million-record data breach at Tumblr.
360 Million Login Credentials Stolen in MySpace Data Breach
Yesterday, Time Inc. confirmed that login credentials had been listed for sale online and that a MySpace data breach had occurred, although it would appear that the stolen data was obtained some time ago. The login credentials are for the old MySpace platform and date to before June 11, 2013. While Time Inc. did not confirm exactly how many login names and passwords had been stolen, Time confirmed that the figure of 360 million that had been reported in the press in the last couple of days was probably accurate.
Usernames, passwords, email addresses, and secondary passwords are reportedly being offered for sale. Out of the 360 million logins, LeakedSource.com suggests that 111,341,258 of the stolen records include a username and a password, and 68,493,651 records had a secondary password compromised. Not all of those stolen records also included a primary password.
Since 2013, data security has improved considerably and many companies have enforced the use of numerals, capital letters, and symbols when creating passwords. The stolen data reportedly includes only a small percentage of accounts with a capital letter in the password. This makes the passwords much easier to crack. The algorithm used to hash the stored passwords was also weak.
The login credentials from the MySpace data breach are reportedly being offered for sale for 5 Bitcoin – approximately $2,800.
All old users of the MySpace platform, and current users who joined the website before June 11, 2013 are potentially at risk. MySpace has responded to the breach by resetting all passwords on accounts created before June 11, 2013. When these users visit MySpace again they will be required to authenticate their account and supply a new password.
Additional security measures have been employed to identify suspicious account activity and the data theft is now being investigated. It would appear that no one at MySpace was aware that its database had been breached until the data were offered for sale just before the Memorial Day weekend.
MySpace Breach Shows Why It is Important Never to Reuse or Recycle Passwords
Since the data breach appears to have occurred some time ago, it is probable that many users will have changed their passwords on the site long ago, but the data could still be used to attack past and current users. All too often passwords are recycled and used for other online accounts, and many individuals use the same passwords for different platforms or rarely (or never) change them.
The MySpace data breach shows why it is important to use a different password for each online account and to regularly change passwords on all platforms. In the event of a breach of login credentials, users will then only have to secure one account. If there is any possibility that old MySpace passwords are still in use on other platforms, account holders should update those passwords as soon as possible.
Hackers have access to tools that can check to see if account login and password combos have been used on other websites.