Web Filtering

Our news section dedicated to web filtering reports on instances in which a web filter can be used to protect organizations against online threats and the consequences of phishing campaigns. We also report on how filtering web access can protect the vulnerable against exposure to inappropriate online content – particularly minors viewing pornography.

Several of our news items will be of particular interest to MSPs and service providers who wish to add web filtering to their portfolio of products. With TitanHQ’s solutions, MSPs can incorporate white-labelled web filtering into an existing service package or market the solutions as stand-alone packages.

Astrum Exploit Kit Now Delivering Mole Ransomware

The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrum exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.

Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.

However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.

In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.

The gang behind the Astrum exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third-party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high-traffic sites display third-party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.

Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in the use of the Rig exploit kit to download malware, and the Astrum exploit kit is also attempting to fill the void. Trend Micro reports that the Astrum exploit kit has been updated on numerous occasions in 2017 and is very much active.

The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.

An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.

However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.

With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.

Vulnerable Flash Versions Found on 53% of Enterprise End Points

A new report from RSA Security has revealed 40,000 subdomains linked to the Rig exploit kit have been taken down, which is just as well considering how many enterprises are failing to update Adobe Flash promptly and are still using vulnerable Flash versions.

Exploit kits such as Rig are used to probe for vulnerabilities in browsers and plugins, with several exploits loaded to the kit. When the EK finds an exploitable vulnerability, malware is silently downloaded. The Rig EK has previously been used to distribute a variety of malicious payloads including banking Trojans and Cerber ransomware.

While the news of the shutdown of tens of thousands of subdomains used by the Rig exploit kit is good news, this week has also seen some worrying news emerge.

A recent study conducted by Duo Security has revealed the reason why exploit kits are such an effective means of malware delivery. Enterprises are failing to update software and are still using vulnerable Flash versions and other out-of-date plugins, even though those plugins and software versions contain several critical vulnerabilities that are being actively exploited.

53% of Enterprise End Points Have Vulnerable Flash Versions Installed

The study involved an analysis of key indicators of device health on 4.5 million Windows computers, Macs, Android smartphones and Apple mobiles. In the security firm’s Trusted Access Report, it was revealed that 53% of enterprise end points were running outdated versions of Adobe Flash. Last year when a similar study was run, there were 10% fewer devices running outdated Flash versions.

Many devices were far more than one version out of date: 21% of devices were discovered to be running Flash version 24.0.0.194, released in January 2017. That version has 13 critical code execution vulnerabilities that were addressed in February, all of which had the most severe rating for Windows, MacOS and Chrome.

Keeping up to date with the latest software releases can be difficult. New versions of software and plugins are frequently released to correct known flaws and many IT security professionals suffer from update fatigue. Updates are often delayed as a result, but that leaves the door open to cybercriminals.

Update Software and Block Malicious Domains

To protect against exploit kits and malicious downloads, organizations should ensure software versions are kept 100% up to date, especially browsers and browser plugins. It is a tiresome, never ending process, but failure to update promptly leaves organizations vulnerable to attack.

To ease the pressure on IT departments, an additional control can be implemented to block access to malicious websites containing exploit kits.

WebTitan is a web filtering solution that prevents downloads of malicious files by blocking access to malicious websites. Links to malicious sites are often sent in spam email; clicking them directs users to webpages hosting exploit kits. WebTitan blocks these links, preventing the sites from being accessed. WebTitan can also be configured to prevent malicious file downloads and malvertising redirects, further protecting organizations from attack.

For full details on the capabilities of WebTitan, advice on web filtering and to register for a free 30-day trial of WebTitan, contact the TitanHQ team today.

HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites have been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website address starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with an SSL certificate, it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and its address would still start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.
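A URL triage check in the spirit of this item, added here as an example and not code from the article or from WebTitan: it flags hostnames that carry a well-known brand name without being that brand's own domain, and records the scheme separately so that "https" is never treated as evidence of safety. The brand-to-domain allowlist, the two-label domain simplification and the sample URLs (on the reserved .example TLD) are assumptions made for illustration.

```python
"""Added example: brand-lookalike triage for URLs, independent of scheme.
Not code from the TitanHQ article; allowlist and samples are constructed."""
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> registrable domains the brand owns.
# An incomplete allowlist produces false positives that need analyst review;
# in practice this would be a maintained list rather than a hard-coded one.
BRAND_DOMAINS: Dict[str, List[str]] = {
    "paypal": ["paypal.com"],
    "amazon": ["amazon.com"],
    "facebook": ["facebook.com"],
}


class Verdict(NamedTuple):
    url: str
    https: bool        # recorded only; it is NOT used to lower suspicion
    brand: str         # brand keyword found in the hostname, or ""
    suspicious: bool
    reason: str


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. A simplification: real code should
    use the Public Suffix List so that names like example.co.uk work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url: str) -> Verdict:
    """Flag a URL when a monitored brand appears anywhere in the hostname
    but the registrable domain is not one the brand owns."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    https = parts.scheme.lower() == "https"
    # Remove separators so that 'pay-pal' or 'paypal_login' still match.
    flat = host.replace("-", "").replace("_", "")
    for brand, owned in BRAND_DOMAINS.items():
        if brand in flat:
            domain = registrable_domain(host)
            if domain in owned:
                return Verdict(url, https, brand, False, "brand on its own domain")
            return Verdict(url, https, brand, True,
                           f"'{brand}' in hostname but domain is {domain}")
    return Verdict(url, https, "", False, "no monitored brand in hostname")


def triage_batch(urls: List[str]) -> List[Verdict]:
    """Apply triage_url to a batch, e.g. URLs extracted from mail or proxy logs."""
    return [triage_url(u) for u in urls]


# Constructed sample URLs (the .example TLD is reserved and never resolves).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",                      # legitimate
    "https://paypal.com.account-verify.example/login",    # brand as subdomain
    "https://secure-pay-pal.example/update",              # brand split by hyphen
    "http://amazon.example/",                             # plain HTTP lookalike
    "https://news.example/article",                       # unrelated site
]

if __name__ == "__main__":
    for v in triage_batch(SAMPLE_URLS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} https={v.https!s:5} {v.url}  ({v.reason})")
```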

Purple Protects Customers with TitanHQ’s WebTitan WiFi Content Filtering Solution

TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.

The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.

WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.

As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.

Purple explained those requirements to TitanHQ, which was able to respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple, said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

TitanHQ was able to respond rapidly and roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ as its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”

Library Internet Filters to be Added in Watertown, SD

The use of library Internet filters to protect minors from harmful web content is a hot topic that is causing much debate in the United States. Libraries promote free research and learning. Having Internet filters in libraries naturally places restrictions on the types of content that can be accessed, potentially hampering both.

Many parents argue that library Internet filters are required to protect their children from accessing harmful web content or accidentally seeing obscene content on other patrons’ screens.

Pornography is one of the biggest worries. Many individuals visit libraries to use the computers to access hardcore adult material, even though it is a public place with children present. Parents argue that such actions must be prevented. There can be free research, but within limits.

It is not only parents that are concerned about the lack of library Internet filters. In many states, legislation is being considered to make it mandatory for library Internet filters to be put in place to restrict access to pornography.

Many libraries are resisting calls to restrict access to the Internet with web filters. The Library Board in Watertown, South Dakota is a good example. As a center for free research, the library board opposed the use of web filters. If library Internet filters were applied, it could potentially have an adverse effect on research and would result in the blocking of legitimate website content.

However, the library board has been under pressure to start filtering the Internet, with citizens petitioning the library board to start restricting access to inappropriate content, with city officials and law enforcement also appealing to the library board to start filtering the Internet.

The library board has now accepted that a web filter should now be used to control the content that can be accessed through its computers. A web filtering solution will be applied to block patrons from accessing obscene and illegal material. The web filtering solution is expected to be applied in the next few weeks and will be used to restrict access to certain web content via its wired and WiFi networks.

The Library Board was not opposed to the blocking of pornography, but to the other content that may accidentally be blocked by the filtering solutions. Prior to making the decision to use library Internet filters, the Watertown police department assured the library board that filtering solutions are now far more sophisticated than they once were and can allow libraries to very carefully control the content that can be accessed.

The need to do something was made clear following a report that particularly concerning material had been downloaded by one patron through the library’s WiFi network. The library board is also keen to prevent its Internet connections from being used for illegal purposes, such as copyright infringing file downloads.

Additional controls will be applied to make this more difficult, such as limiting download speeds and applying timers on Internet access, with stricter controls on the wireless WiFi network since it is not possible to verify the age of the individual accessing the Internet.

In order to prevent the overblocking of website content, controls will be applied carefully and a system will be set up to allow patrons to request the unblocking of website content that has been accidentally blocked by the filtering solution.

Watertown Library Board is just the latest in an increasing number of libraries that have discovered it is possible to protect patrons’ First Amendment rights while also ensuring minors are protected from harmful website content. With highly granular library Internet filters such as WebTitan, it is possible to do both.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed out to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
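An endpoint inventory check, added here as an example rather than code from the article or any TitanHQ product, that serves both the Duo Security Flash findings above (devices still on 24.0.0.194) and this item's Malware Protection Engine fix (1.1.13704.0): dotted build numbers are compared numerically, since plain string comparison gets builds like 1.1.13704.0 wrong. The product keys, hostnames and every version other than the two taken from the article are constructed for illustration.

```python
"""Added example: patch-status audit over a software inventory.
Not code from the TitanHQ article; inventory records are constructed."""
from typing import Dict, List, Tuple

# Baselines taken from the article. 'last_vulnerable' means the listed build
# is the newest one known to be affected (at or below it needs patching);
# 'first_patched' means the listed build is the fix (below it needs patching).
BASELINES: Dict[str, Tuple[str, str]] = {
    "adobe_flash": ("24.0.0.194", "last_vulnerable"),
    "mpengine": ("1.1.13704.0", "first_patched"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers. Text comparison is wrong here:
    '1.1.9999.0' > '1.1.13704.0' as strings, but 9999 < 13704."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a < b, a == b, a > b. Shorter forms are padded
    with zeros so that '1.1' equals '1.1.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def needs_patch(product: str, installed: str) -> bool:
    """Decide whether an installed build is still exposed, choosing the
    boundary from the kind of baseline recorded for the product."""
    baseline, kind = BASELINES[product]
    cmp = compare_versions(installed, baseline)
    return cmp < 0 if kind == "first_patched" else cmp <= 0


def audit(inventory: List[Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """Summarise {'host', 'product', 'version'} records into per-product
    totals and the share of endpoints still needing a patch."""
    summary: Dict[str, Dict[str, float]] = {}
    for rec in inventory:
        s = summary.setdefault(rec["product"], {"total": 0, "outdated": 0})
        s["total"] += 1
        if needs_patch(rec["product"], rec["version"]):
            s["outdated"] += 1
    for s in summary.values():
        s["pct_outdated"] = round(100.0 * s["outdated"] / s["total"], 1)
    return summary


# Constructed sample inventory: hostnames and all versions other than the
# two article baselines are made up.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "adobe_flash", "version": "24.0.0.194"},
    {"host": "ws-02", "product": "adobe_flash", "version": "23.0.0.207"},
    {"host": "ws-03", "product": "adobe_flash", "version": "25.0.0.148"},
    {"host": "ws-04", "product": "adobe_flash", "version": "24.0.0.194"},
    {"host": "ws-01", "product": "mpengine", "version": "1.1.13704.0"},
    {"host": "ws-02", "product": "mpengine", "version": "1.1.13601.0"},
    {"host": "ws-03", "product": "mpengine", "version": "1.1.9999.0"},
]

if __name__ == "__main__":
    for product, s in audit(SAMPLE_INVENTORY).items():
        print(f"{product}: {int(s['outdated'])}/{int(s['total'])} endpoints "
              f"need patching ({s['pct_outdated']}%)")
```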

Software Exploit Attacks Rose by 25% in 2016 with Businesses the Worst Affected

Kaspersky Lab has released new figures showing software exploit attacks increased by almost a quarter in 2016. In total, more than 702 million attempted software exploit attacks were performed; a rise of 24.54% year on year. Corporate users were the worst affected, registering 690,000 attacks in 2016; a rise of 28.35% year on year.

According to the report, 69.8% of software exploit attacks took advantage of flaws in web browsers, Microsoft Windows, Microsoft Office or the Android platform. Software exploit attacks involve malware leveraging flaws in software to run malicious code or install other malware. Last year, the most common exploit took advantage of the Stuxnet vulnerability on unpatched systems.

Software exploits are difficult to identify because they occur silently without alerting the user. Unlike email-based attacks, software exploits require no user interaction. A user must only be convinced to visit a website hosting an exploit kit. A hyperlink can be sent via email or users can be redirected to malicious sites using malvertising. Attacks can occur through general web browsing. Hackers often take advantage of flaws to hijack websites and install exploit kits.

While attacks on companies have increased, attacks on private users fell by around 20% to 4.3 million attacks. This has been attributed to two major exploit kits – Neutrino and Angler – being shut down. Without those exploit kits, criminal groups have lost the ability to spread malware and have had to resort to different tactics to spread malware, with spam email the delivery mechanism of choice.

Exploit kits are expensive to develop and require considerable work, and since software developers are reacting faster and patching vulnerabilities, exploit kits are no longer as profitable for cybercriminals. However, exploits are still being used by sophisticated criminal gangs in targeted attacks aimed at stealing highly sensitive data.

This year has seen an increase in exploit activity using the Rig exploit kit, while last month Check Point noted a major rise in software exploit attacks.

Exploit kits may not pose as big a threat as in late 2015, but they are still a significant threat for businesses. Organizations can improve their defenses against software exploits by installing patches promptly and ensuring anti-virus and anti-malware solutions are kept up to date. A web filtering solution should also form part of organizations’ defenses. Web filters prevent end users from visiting, or being redirected to, websites known to host exploit kits.

GDPR Compliance: Is your Organization Prepared?

On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.

GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995, such as use of the cloud.

The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.

How Will GDPR Protect Consumers?

One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.

GDPR gives consumers the right to:

  • Find out how their data will be used
  • Discover how data were obtained if informed consent was not provided
  • Access personal data
  • Find out how long data will be stored
  • Correct errors in stored data
  • Move data to a different processor
  • Restrict or prohibit the processing of data
  • Find out with whom data have been or will be shared
  • Have data permanently erased
  • Avoid being evaluated on the basis of automated processing

Organizations must also limit the data collected to the minimum necessary to perform the purpose that has been described to consumers.

While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.

What Data are Covered by GDPR?

Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.

Data Security Standards Necessary for GDPR Compliance

GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.

GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.

Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”

Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.

Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.

Data Breach Notification Requirements of GDPR

Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.

Preparing for GDPR

Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.

Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.

Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.

What are The Penalties for Non-Compliance with GDPR?

Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.

If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.

Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.

Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.

Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.

How Can TitanHQ Help with GDPR Compliance?

TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.

TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.

SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.

WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.

ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.

For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.

Chipotle Mexican Grill Security Breach: Customers’ Credit Card Numbers Potentially Stolen

A recent Chipotle Mexican Grill security breach has potentially resulted in customers’ credit card details being accessed by unauthorized individuals.

A statement released by the fast casual restaurant chain confirms that unauthorized individuals gained access to the network hosting its payment processing system. The initial findings of its investigation suggest access was first gained on March 24, 2017. Customers who visited its restaurants between March 24 and April 18 have potentially been affected. The investigation into the Chipotle Mexican Grill security breach is continuing to determine how many of the chain’s 2,000+ restaurants have been affected.

Few details about the Chipotle Mexican Grill security breach have been released as the investigation is ongoing, although the threat is now believed to have been blocked.

Chipotle Mexican Grill called in external cybersecurity experts to investigate a potential breach after unusual activity was detected on the network hosting its payment processing system. Law enforcement was alerted, as was its payment processor. Additional security protections have already been installed to bolster cybersecurity defenses in response to the suspected attack. Efforts are continuing to confirm the exact dates of the attack and the restaurants that have been affected.

The Chipotle Mexican Grill security breach is one of many incidents reported by restaurant chains this year. Restaurants are being targeted by cybercriminals due to the high number of credit cards that are processed. If attackers can gain access to restaurant payment processing systems, many thousands of credit card numbers can be stolen.

There are many methods used by cybercriminals to gain a foothold in a network and gain access to payment processing systems.

Typically, attacks occur as a result of an employee opening an infected email attachment or clicking a hyperlink in an email that allows malware to be downloaded. Phishing emails are also sent which aim to get employees to reveal their login credentials. Restaurants can improve their resilience against email-borne attacks by implementing an advanced spam filtering solution.

Web-borne attacks are also common. A recent report from Symantec shows web-based attacks have increased in the past year.

If an employee can be convinced to visit a malicious website, or is directed to such a site via a malvertising campaign, malware can be silently downloaded. Exploit kits on malicious websites probe for vulnerabilities in browsers and exploit those vulnerabilities to download malware.

Web-borne attacks can be prevented by ensuring that patches are applied promptly and all vulnerabilities are plugged. However, the number of patches now being released makes it difficult for restaurants to keep up. New zero-day vulnerabilities are also constantly being discovered and added to exploit kits.

Many restaurants are improving their defenses against web-based attacks by implementing a web filtering solution. A web filter can be used to carefully control the websites that can be accessed on restaurant computers.

Web filters block all known malicious websites using blacklists. As soon as a website is discovered to be hosting an exploit kit or malware, or to be used for phishing, it is added to the blacklists and the site is blocked by the web filter.

A web filter is also an excellent phishing defense. If an employee clicks on a phishing hyperlink in an email, the web filter can block the URL and prevent the user from visiting the site.

There are other important advantages to implementing a web filtering solution for restaurants. The solution can be used to carefully control the websites that customers can access. Restaurants can therefore ensure that customers do not access malicious sites or inappropriate website content such as pornography. Consumers are increasingly seeking restaurants that offer free Wi-Fi, but also those that implement controls to secure their Wi-Fi networks.

If you would like to improve your resilience against cyberattacks and offer your customers secure and safe Internet access, contact the TitanHQ team today and find out more about your options.

Intercontinental Hotels Group Data Breach Affected 1,184 Hotels

The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.

Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.

According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.

The Intercontinental Hotels Group data breach involved malware that had been downloaded onto its systems, which was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any other information other than card details and cardholders’ names were stolen by the attackers.

The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.

Prior to the malware being installed, IHG had started installing the IHG Secure Payment Solution (SPS), which provides point-to-point encryption to prevent incidents such as this from resulting in the theft of clients’ data. Had the process started sooner, the Intercontinental Hotels Group data breach could have been prevented.

Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.

Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector

The Intercontinental Hotels Group data breach stands out due to its extent, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.

Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.

Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.

The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks

While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. Verizon’s Data Breach Investigations Report (DBIR) for 2016 shows that in each of the reported breaches affecting the hospitality sector, the attackers gained access to systems in less than an hour.

Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.

Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.

The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.

Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.

TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.

The True Cost of a Ransomware Attack

The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment; in fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.

Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.

Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.

Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.

Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.

While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.

In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom payment of $17,000 to unlock its system. A ransom demand in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!

Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.

What is the Cost of a Ransomware Attack?

Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.

The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.

However, the true cost of a ransomware attack is far higher than any ransom payment. The HPMC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.

System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.

A study by Imperva of 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.

One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.

Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.

Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.

Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.

The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.

It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.

To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.

Anti-Pornography Legislation in Alabama Proposed

Anti-pornography legislation in Alabama could be introduced from January 1, 2018, following the introduction of a new bill last month. House Bill 428 was introduced by Jack Williams (R-Montgomery) to prevent state residents from using Internet-enabled devices to view obscene material.

The anti-pornography legislation classes obscene material as material that would, to an average person, appeal to prurient interest. Pornography, child abuse images and child pornography are included in the definition of obscene content, as is any other material that depicts patently offensive sexual conduct or excretory functions, lacks artistic, political or scientific value, or facilitates or promotes prostitution, sexual cyber-harassment or human trafficking.

If the anti-pornography legislation is passed, the sale of any Internet-enabled device without a web filtering solution in place would be classed as a Class A misdemeanor and would be punishable with a maximum fine of $6,000 per incident and up to one year in jail. However, should such a device be sold to a minor, the offense would increase to a Class C misdemeanor for which the fine would rise to a maximum of $30,000 per incident and a jail term of up to 10 years.

While an Internet filtering solution must be in place at the point of sale, it would not be an offence for the purchaser of the device to remove the filter, provided a request is submitted to the seller in writing, proof that the individual is over 18 years old is supplied and a one-time filter deactivation fee of $20 is paid.

The fees will be collected by the Department of Revenue. 60% of the fees will be directed to the Alabama Crime Victims Compensation Fund, 20% will be directed to grants programs which will, in part, be devoted to helping victims of human trafficking, and the remaining 20% of fees will be deposited in the General State Fund.

It is unclear at this stage how vendors of Internet-enabled devices would ensure that their devices are protected. The legislation describes a filter as a hardware or software solution that can be used to block websites, email, chatrooms, or other Internet-based communications based on category, content or site. The type of filter used will be left to the discretion of the seller.

Since there is a possibility that webpages or websites may be incorrectly categorized, the solution would also require a mechanism that allows websites or content to be blocked or unblocked. The vendor would be required to supply a phone number to a call center to allow requests to block/unblock content to be submitted. Failure to act on those requests in a reasonable time frame would be punishable with a $500 fine for each failure to block an obscene website or webpage.

Alabama is not the only state to propose anti-pornography legislation. Similar bills have also been introduced in New Mexico, North Dakota and South Carolina.

Sundown Exploit Kit Now a Significant Threat

Researchers have identified changes to the Sundown exploit kit. Sundown is now in transition and is being actively developed. It now poses a significant threat.

Exploit kit activity has fallen over the past year as cybercriminals have turned to other methods of infecting end users. Spam email is now favored by many cybercriminals and exploit kit activity has dropped to next to nothing. However, over the past few weeks there has been an increase in exploit kit activity, with the Sundown exploit kit fast becoming a major threat.

Researchers at Cisco Talos report that the Sundown exploit kit has been upgraded and has now matured. While it was once a relatively unsophisticated exploit kit, that is no longer the case. The researchers point out that Sundown is likely to become one of the most widely used exploit kits, taking the place of the larger exploit kits that were used extensively in early 2016.

A number of upgrades have been made to the Sundown exploit kit in recent weeks. The individuals behind the Sundown exploit kit have removed many of the identifiers previously associated with the exploit kit. The exploit kit is now much harder to identify.

The Sundown exploit kit is one of a very small number that have had new exploits added in recent months. Some of the old exploits have also been removed. The actors behind Sundown have also increased the likelihood of infection. In a recent alert, Cisco Talos researchers explain that the exploit kit does not attempt to gain access to a system via a single exploit; instead, the Sundown EK uses an extensive arsenal of malware tools to maximize the chance of compromising a system.

While the payload used to be downloaded via the browser, the exploit kit now uses the command line and wscript. A change has also been made to where the malicious payload is hosted. The payload is now located on a different server from the landing page and exploit kit. The same root domain is used for both, although the subdomains are different.

The actors behind the kit are also purchasing large numbers of established domains, typically domains that are more than 6 months old. Those domains are used for a short time and are then resold. Using older domains allows the attacker to bypass screening controls that blacklist recently registered domains.

The discovery of major updates made to the Sundown EK could indicate there will soon be a major increase in exploit kit attacks. Angler, Neutrino, and Nuclear may have virtually disappeared, but exploit kits still pose a significant threat.

Businesses can protect their endpoints from malware and ransomware infections via exploit kits by using a web filtering solution. A web filtering solution can be configured to carefully control the websites that can be accessed by end users to reduce the risk of infection, and domains known to host exploit kits can be blocked.
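The behaviour described above, a payload server on a different subdomain of the same root domain as the landing page, is missed by a filter that blocks only the exact hostname first seen. The following Python, an added example rather than TitanHQ's or Cisco Talos's code, matches block entries on the registrable domain (eTLD+1) instead; the hostnames, URLs and the public-suffix subset are constructed for illustration.

```python
"""Blocklist matching on the registrable domain (eTLD+1) rather than the exact host.

Added example; not TitanHQ's or Cisco Talos's code. Hostnames, URLs and the
public-suffix subset below are constructed for illustration.
"""
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List. Multi-label suffixes such as
# co.uk are included because naive "last two labels" logic would otherwise
# treat co.uk itself as the registrable domain. A real deployment loads the
# full list, including its private section (shared hosting, dynamic DNS),
# so that blocking one tenant does not block every tenant of that provider.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "io", "uk", "co.uk", "org.uk"}


def hostname_of(url_or_host: str) -> Optional[str]:
    """Extract the host from a URL or bare hostname, lower-cased, no trailing dot."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host as the netloc
    host = urlsplit(s).hostname
    return host.rstrip(".").lower() if host else None


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 for host.

    IPv4 literals are returned unchanged so they are matched exactly; a bare
    public suffix or an invalid name yields None.
    """
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        return None
    if all(label.isdigit() for label in labels):
        return host
    # Walk from the longest candidate suffix down so co.uk wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: best-effort fallback


class DomainBlocklist:
    """Blocks every host under a listed entry's registrable domain.

    Blocking the landing-page host therefore also blocks a payload server
    hosted on a sibling subdomain of the same root domain.
    """

    def __init__(self, entries: Iterable[str] = ()):
        self._blocked: Set[str] = set()
        for entry in entries:
            self.add(entry)

    def add(self, url_or_host: str) -> Optional[str]:
        """Add an entry; returns the registrable domain actually stored."""
        host = hostname_of(url_or_host)
        root = registrable_domain(host) if host else None
        if root:
            self._blocked.add(root)
        return root

    def is_blocked(self, url_or_host: str) -> bool:
        host = hostname_of(url_or_host)
        if not host:
            return False
        root = registrable_domain(host)
        return root in self._blocked if root else host in self._blocked


if __name__ == "__main__":
    bl = DomainBlocklist(["http://landing.example.com/index.php"])
    print(bl.is_blocked("http://payload.example.com/bin/update.exe"))  # True
```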

For further information on web filtering and protecting end points from malware and ransomware, contact the TitanHQ team today.

Researchers Discover Increase in Exploit Kit Activity

Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.

Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.

However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.

Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.

The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.

Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.

Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.

Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.

Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.

To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.

RIAA Wants Internet Service Providers to Filter Pirated Content

The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather than relying on the current system of DMCA takedowns, which the RIAA believes to be ‘antiquated.’ The RIAA claims the current DMCA notice and takedown system is ‘extremely burdensome’ and ‘ineffective’ and that the system invites abuse.

The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of the current DMCA Safe Harbors and suggesting a number of potential solutions to the problem.

Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits. The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.

One of the main problems is while the current system protects innocent Internet service providers who have passively, or unwittingly, allowed their services to be used for copyright infringing activities, some entertainment services are protected, even though their businesses are based entirely on copyright infringement, such as the streaming of sports, entertainment and movies.

A number of suggestions have been made, such as amending the Digital Millennium Copyright Act to include a timeframe for processing DMCA takedowns, as well as requiring Internet Service Providers to filter pirated content and use automated systems that identify pirated content and prevent it from being uploaded again once the content has been flagged.

The RIAA suggests that when a DMCA request is received requiring specific content to be removed, that content should then be flagged. A system should be put in place that blocks that content from being uploaded in the future on a different webpage or website. Currently, a takedown of content just means the individual or organization can simply upload the content again on another webpage or domain and the process must start over again. The RIAA says the current system is like an endless game of Whac-A-Mole.

The proposals have been criticized as any automated process is likely to result in the removal of web content that is protected under fair use laws and that automated systems could result in the overblocking of website content.

This argument has been countered by the RIAA saying the risk has been exaggerated and that argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.

Default ISP Web Filtering Controls Required, Says House of Lords Report on Internet Safety for Children

A House of Lords report on Internet safety for children calls for ISP web filtering controls to be applied as standard.

The UK government is keen for Internet service providers to apply web filtering controls to make it harder for children to access inappropriate website content such as pornography. In 2013, the UK government called on ISPs to implement web filters as standard. Four of the leading ISPs in the UK – Sky, Talk Talk, BT and Virgin Media – responded and have offered filtering controls to their customers.

However, not all ISPs in the United Kingdom provide this level of content control, and the House of Lords report suggests that many ISP web filtering controls do not go far enough to ensure children are protected. The report explains that the ‘big four’ ISPs only cover 90% of all Internet users, leaving 10% of users without any form of Internet filtering service.

It is also pointed out in the report that only Sky has opted for a default-on web filter to prevent adult content from being accessed by minors. If new customers want to access adult content they must request that the filter be taken off. The other ISPs have made the service available but do not provide a filtered Internet service that is turned on by default.

The new report calls for ISP web filtering controls to be improved and for ISPs “to implement minimum standards of child-friendly design, filtering, privacy, data collection, and report and response mechanisms for complaints.” The House of Lords report also calls for ISP web filtering controls to be put on all accounts by default, requiring users to specifically request it be turned off if required. Further, the report says the default standard of Internet control should offer the strictest privacy protections for users.

Not everyone agrees with this level of control. The Internet Service Provider Association (ISPA) says that such a move is ‘disproportionate,’ and while the association is committed to keeping children safe when online, mandating ISP web filtering controls is not the way forward. For instance, if an ISP makes it clear that it offers an unfiltered service, that should be permitted. Chairman of the ISPA, James Blessing, believes the best way forward is “a joint approach based on education, raising awareness and technical tools.”

While parents will be well aware of the risks their children face when they go online, the House of Lords report does not believe Internet safety education should be left to parents. In addition to making it harder for children to access inappropriate website content, the report calls for mandatory lessons in schools on safe use of the Internet, covering risks, acceptable behavior and online responsibilities.

Health Center Malware Potentially Exfiltrated Patient Data for a Year

A health center malware infection has potentially resulted in 2,500 patients’ protected health information (PHI) being sent to unknown individuals over a period of almost a year. Lane Community College health clinic in Eugene, OR, discovered the malware during routine maintenance last month.

Further investigation determined that the malware had been installed on the computer in March 2016. The malware remained active until last month when it was discovered and removed. The malware was identified as Backdoor:Win32/Vawtrak – a Trojan backdoor that enables attackers to steal login information and take full control of an infected PC.

While data access was possible, Lane Community College health clinic uncovered no evidence to suggest patient data had been stolen, although the possibility that PHI was accessed and stolen could not be ruled out. A spokesperson for the clinic said an analysis of 20 other computers used by the clinic uncovered no further malware infections. In this case, the infection was limited as the computer was not connected to other computers on the network.

The only data exposed were those stored on the machine itself. The information potentially exposed included patients’ names, addresses, phone numbers, dates of birth and medical diagnoses.

A health center malware infection can prove costly to resolve. In this case, the infection was limited to one machine, although once access has been gained and malware installed, hackers can often move laterally within a network and spread infections to other machines. Once data have been exfiltrated and there is no further need for access, hackers commonly install ransomware to extort money from their victims.

The exposure or theft of patient data can often lead to lawsuits from patients. While many of those lawsuits ultimately fail, defending a lawsuit can be costly. Healthcare data breaches that result in more than 500 records being exposed are also investigated by the Department of Health and Human Services’ Office for Civil Rights to determine whether the breaches were caused as a result of HIPAA violations. Should HIPAA Rules be found to have been breached, covered entities may have to cover heavy fines.

Health center malware attacks are commonplace due to the value of healthcare data on the black market. Healthcare providers should therefore implement a range of defenses to protect against malware infections.

Malware is commonly installed inadvertently by end users via spam email or redirects to malicious websites. Both of these attack vectors can be blocked with low cost solutions. Backdoor:Win32/Vawtrak, also known as Trojan-PSW.Win32.Tepfer.uipc, is recognized by Kaspersky Lab, one of the dual AV engines used by the SpamTitan spam filtering solution. SpamTitan blocks 100% of known malware and blocks 99.97% of spam emails to keep end users and computers protected.

To protect against web-borne attacks and to prevent malicious software downloads, WebTitan can be deployed. WebTitan is a powerful DNS-based web filtering solution that can be used to block a wide range of web-borne threats to keep healthcare networks malware free.

Both solutions are available on a free 30-day trial to allow healthcare providers to experience the benefits first hand before committing to a purchase.

To find out more about TitanHQ’s cybersecurity solutions for healthcare organizations or to sign up for a free trial, give the sales team a call today.

MajikPOS Malware Used in Targeted Attacks on PoS Systems of U.S. Businesses

A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.

The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.

MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.

The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some cases leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.

MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.

PoS Malware Infections Can Be Devastating

A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.

While exploit kit activity has fallen in recent months, the threat has not disappeared, and malvertising campaigns and malicious links sent via email are still used in targeted attacks on U.S. retailers.

Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.
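The brute-force activity described above (repeated logon attempts against exposed RDP and VNC services) is noisy and easy to spot in authentication logs if someone is counting. The following is an added example, not code from the article or from Trend Micro's report: it flags any source address that exceeds a failure threshold inside a sliding window, and raises a second, higher-priority alert when a flagged source then logs on successfully, which is the pattern of a guessed credential. The log format and all addresses and usernames are constructed for the example.

```python
"""Brute-force detection over remote-access authentication logs.

Added example for illustration. The line format (timestamp, service,
result, src=IP, user=name) is invented here, not a real product's output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: RDP/VNC logon attempts against a point-of-sale host.
SAMPLE_LOG = """\
2017-03-10T02:14:01Z rdp FAIL src=203.0.113.7 user=administrator
2017-03-10T02:14:02Z rdp FAIL src=203.0.113.7 user=admin
2017-03-10T02:14:02Z rdp FAIL src=203.0.113.7 user=pos
2017-03-10T02:14:03Z rdp FAIL src=203.0.113.7 user=administrator
2017-03-10T02:14:04Z rdp FAIL src=203.0.113.7 user=administrator
2017-03-10T02:14:05Z rdp OK   src=203.0.113.7 user=administrator
2017-03-10T02:20:00Z vnc FAIL src=198.51.100.9 user=root
2017-03-10T03:20:00Z vnc FAIL src=198.51.100.9 user=root
2017-03-10T04:20:00Z vnc FAIL src=198.51.100.9 user=root
2017-03-10T09:00:00Z rdp OK   src=192.0.2.20 user=jsmith
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, service, result, src, user = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "ok": result == "OK",
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alerts.

    'bruteforce' is raised once per source the first time it reaches
    `threshold` failures within `window`; 'success_after_bruteforce' is
    raised when an already-flagged source later logs on successfully.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["ok"]:
            # A success from a source that was just hammering the service is
            # the signal that matters most: the credential was probably guessed.
            if ev["src"] in flagged:
                alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                               "service": ev["service"], "user": ev["user"]})
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"type": "bruteforce", "src": ev["src"],
                           "service": ev["service"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Note what the sample deliberately shows: the 203.0.113.7 burst trips the rule and its subsequent success is escalated, while the 198.51.100.9 attempts, spaced an hour apart, never accumulate inside a 60-second window. Low-and-slow guessing needs a longer window or per-account counting in addition to per-source counting; the threshold and window are tuning knobs, not fixed values.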

PoS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.

This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.

PetrWrap Ransomware: An Old Threat Has Been Hijacked by a Rival Gang

There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly anything new. It is actually a form of ransomware that was first discovered in May last year. PetrWrap ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.

The criminal organization behind PetrWrap ransomware has taken Petya ransomware, for which there is no free decryptor, and has exploited a vulnerability that allowed them to steal it and use it for their own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!

Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.

Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.

Kaspersky Lab researcher Anton Ivanov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”

Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no individual files are encrypted. While Locky, CryptXXX, and SamSam search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect, however, is the same: users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.

WiFi Filtering for Cities Used to Improve Free WiFi Network in Cape Town

Cape Town’s Century City has implemented a free WiFi network for residents, although to make the network more secure and prevent bandwidth abuse, WiFi filtering for cities has been adopted.

The new service – called Let’s Connect – is provided by the telecoms company that operates the fiber-optic broadband network for the Cape Town suburb – Century City Connect – in partnership with ISP Comtel Communications.

The new WiFi network currently comprises 86 WiFi access points within the Cape Town suburb, although there are plans to extend the free WiFi zone with an extra 100 access points. At present, the WiFi network is supported by a 200 Mbps fiber-optic line which will provide users with 10 Mbps speeds for uploads and downloads. Users will be required to register for the service, after which they will be limited to four hours of free WiFi access per day.

Providing a free WiFi network offers residents a host of benefits, but ensuring upload and download speeds are reasonable requires additional technology. If WiFi filtering for cities were not used, there would be considerable potential for the service to be abused by some users. At times of heavy usage, bandwidth will naturally be squeezed, but to limit this as far as possible, it was necessary for WiFi filtering for cities to be deployed. The web filtering technology places certain limits on user activities.

The WiFi filtering solution used to control internet access is not overly restrictive. Torrent downloads have been blocked, not only because they are used for illegal file sharing, but also because the downloading of massive files by multiple users has the potential to slow Internet speeds across Century City.

In practice, simply blocking torrent sites may not be sufficient to stop bandwidth-crushing downloads, as it would be possible for users to circumvent the controls. For more comprehensive blocking, the ISP has used DNS-based WiFi filtering, content filtering, and firewalls. Multiple levels of filtering controls make it much harder for individuals to gain access to torrent sites and upload and download content.

Torrent sites are not the only drain of bandwidth. Software updates likewise suck up bandwidth. Many users have their devices set to update software only when connected to a WiFi network. Connecting to the city WiFi network could see thousands of devices updating software at the same time, further squeezing bandwidth. To reduce the impact, Century City has rate limiting in place. Updates will still be possible, but at a level that will not have a major negative impact on available bandwidth.

As with many locations around the world that use WiFi filtering for cities, Century City will also be using the technology to block adult content. This control works at the domain-level and is based on blacklists. The filters used at Century City also block botnet activity, prevent users from downloading malware and ransomware, and block phishing websites to keep users protected online.

While users will only be permitted four hours of free usage, limits will not be placed on certain categories of website. Educational sites and job websites will be accessible 24/7, even if the 4-hour quota has been used up. A number of other websites will also be whitelisted to ensure constant access is possible.
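The rules described in the last few paragraphs (domain-level category blocklists, rate-limited software updates, a four-hour daily quota that educational and job sites are exempt from) fit together as a single policy decision per DNS query. The following is an added example, not code from Century City Connect, Comtel or any filtering product, showing how such a decision is evaluated. Category names, domain names and the rate-limit value are constructed, and it models one caveat the article hints at when it mentions stacking firewalls on top of DNS filtering: a client that connects to a bare IP address never issues a DNS query, so a DNS-based filter cannot judge that request and another layer has to.

```python
"""Domain-based access policy for a public WiFi network (added example).

Models: category blocklists matched at the domain level (a subdomain
inherits its parent's category), a daily free-usage quota with exempt
categories, per-category rate limits, and the DNS-layer blind spot for
IP-literal connections. All names and numbers below are constructed.
"""
import ipaddress

BLOCKED_CATEGORIES = {"torrent", "adult", "malware", "phishing", "botnet"}
QUOTA_EXEMPT_CATEGORIES = {"education", "jobs"}     # reachable 24/7 per the article
RATE_LIMITED_CATEGORIES = {"software-update": 512}  # kbit/s; constructed value
DAILY_QUOTA_SECONDS = 4 * 60 * 60                   # four hours of free access

# Constructed category list keyed by registrable domain (example names only).
CATEGORIES = {
    "tracker.example": "torrent",
    "adult-content.example": "adult",
    "bad-downloads.example": "malware",
    "login-verify.example": "phishing",
    "updates.vendor.example": "software-update",
    "university.example": "education",
    "jobs-board.example": "jobs",
    "news.example": "news",
}


def lookup_category(hostname):
    """Try the full name, then each parent name (never the bare TLD), so that
    cdn.tracker.example inherits the 'torrent' category of tracker.example."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def decide(destination, seconds_used_today):
    """Policy decision for one DNS query or connection attempt.

    Returns a dict with 'verdict' ('allow', 'block' or 'defer'), 'reason',
    and 'rate_limit_kbps' when a per-category limit applies. An IP literal
    produces no DNS query, so the domain filter defers to the firewall.
    """
    if _is_ip_literal(destination):
        return {"verdict": "defer",
                "reason": "no DNS lookup; firewall or content filter must decide"}
    category = lookup_category(destination)
    if category in BLOCKED_CATEGORIES:
        return {"verdict": "block", "reason": f"category '{category}' is blocked"}
    over_quota = seconds_used_today >= DAILY_QUOTA_SECONDS
    if over_quota and category not in QUOTA_EXEMPT_CATEGORIES:
        return {"verdict": "block", "reason": "daily free-usage quota exhausted"}
    result = {"verdict": "allow", "reason": f"category '{category}'"}
    if category in RATE_LIMITED_CATEGORIES:
        result["rate_limit_kbps"] = RATE_LIMITED_CATEGORIES[category]
    return result


if __name__ == "__main__":
    for host, used in [("cdn.tracker.example", 0), ("news.example", DAILY_QUOTA_SECONDS),
                       ("portal.university.example", DAILY_QUOTA_SECONDS),
                       ("updates.vendor.example", 0), ("198.51.100.23", 0)]:
        print(host, decide(host, used))
```

The suffix walk in `lookup_category` is what makes a blacklist "domain-level": one entry covers every host under it, which is also why a mis-categorized parent domain blocks more than intended and why review of blocklist entries matters. The `defer` verdict is the honest answer a DNS filter gives for IP-literal traffic; blocking that path is the firewall's job, which is the reason several controls are layered rather than relying on DNS alone.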

The project shows how WiFi filtering for cities can be used to ensure the maximum number of users can get the benefits of city-wide free WiFi networks, and how the Internet can be carefully filtered to keep users protected.