Our news section dedicated to web filtering reports on instances in which a web filter can be used to protect organizations against online threats and the consequences of phishing campaigns. We also report on how filtering web access can protect the vulnerable against exposure to inappropriate online content – particularly minors viewing pornography.
Several of our news items will be of particular interest to MSPs and service providers who wish to add web filtering to their portfolio of products. With TitanHQ´s solutions, MSPs can incorporate white-labelled web filtering into an existing service package or market the solutions as stand-alone packages.
Now that Microsoft has started blocking macros in Office documents delivered via the Internet, distributing malware via email has become more difficult and hackers have been forced to change their tactics, techniques, and procedures. This has been seen in phishing attempts that use a broader range of file types, and malware is increasingly being delivered via malicious websites, with traffic sent to those websites using malvertsing.
Malvertising is the term given to the use of malicious adverts to send visitors to websites hosting phishing kits, malware, or web pages that are used for a range of scams. The malicious adverts are added to advertising networks such as Google Ads and drive traffic to the malicious sites. With Google Ads, these malicious adverts are displayed at the top of the page for key search terms, and often masquerade as adverts for legitimate software, such as the free-to-use open-source 3D computer graphics software, Blender.
Many websites boost revenues by including third party ad blocks on their websites, with those adverts delivered through legitimate advertising networks. Typically, these have been the option of choice for malvertising due to the extent of the checks conducted by Google and the speed at which Google identifies and removes malicious ads. The malicious websites to which these adverts direct can perform drive-by malware downloads, probe for and exploit vulnerabilities in web browsers, or simply trick users into downloading and installing malicious files.
There is growing evidence that hackers are turning to malvertising for distributing malware, with one of the latest campaigns identified by researchers at SentinelOne. They identified a campaign that distributes .NET malware loaders, which in turn are being used to install FormBook malware variants – Information stealers capable of stealing data from infected systems, including credentials from web browsers, screenshots, and logging keystrokes to obtain passwords.
The developers of FormBook malware make it cheap and easy for threat actors to use their malware, providing it to subscribers under the malware-as-a-service model. Since 2016 when the malware first appeared, it has primarily been delivered via phishing emails containing Office files with malicious macros. Now that macros are being blocked by default, other methods of delivery need to be used. In this campaign, a virtualized .NET malware loader dubbed MalVirt is used to obfuscate the implementation and execution, with the loaders used to deliver FormBook variants, including the latest XLoader variants. One of the benefits of this method of delivery, aside from getting around Microsoft’s macro protections, is the massive reach of these campaigns, allowing far more individuals to be attacked than is possible using phishing emails.
How to Protect Against Malvertising
There are several ways that businesses can protect against malvertising, the easiest of which is to install antivirus software on all endpoints; however, the speed at which new malware variants are being developed is reducing the effectiveness of signature-based detection mechanisms. Antivirus software requires the signatures of malware to be added to malware definition lists before the malware can be detected and blocked. It is increasingly common for new malware variants to be used and then dropped by the time the signatures are added to antivirus software.
It is important to keep web browsers up to date to ensure that vulnerabilities cannot be exploited, and ad blockers can be used to prevent the adverts from being displayed, although many websites now require visitors to enable adverts to be displayed, since they are a vital source of revenue for website owners.
One anti-malvertising control that should be considered is a web filter. Web filters are used to carefully control the web content that users can access. WebTitan Cloud is used by many businesses to block access to malicious websites and carefully control access to the Internet by blocking websites that serve no work purpose and preventing access to risky and kn own malicious URLs. WebTitan Cloud can also protect against malvertising by blocking downloads of specific file types from the Internet, such as executable files. In addition to preventing malware infections, WebTitan Cloud can also prevent the unauthorized installation of software without the knowledge of the IT department – Shadow IT.
If you want to improve your security posture and better protect against web-delivered attacks, contact TitanHQ for more information about WebTitan Cloud. WebTitan Cloud is available on a free trial to allow you to see for yourself how easy the solution is to install, configure, and use, and how effective it is at blocking threats and controlling Internet access.
Password managers are used by individuals and businesses to improve password security. They help individuals create complex passwords, eliminate the need to remember passwords, and provide a degree of protection against phishing attacks, but their very nature makes them a target for cybercriminals.
A password manager is used to store an individual’s entire collection of passwords and other sensitive data such as documents, credit card information, and more. When these solutions are provided to employees, they contain credentials for corporate accounts. That information is extremely valuable to cybercriminals. Password managers incorporate all the security features necessary to protect that information, and many password managers operate under the zero-knowledge model, so even the password manager provider does not know and cannot discover users’ passwords; however, that does not mean that password manager vaults cannot be accessed by unauthorized individuals.
One of the easiest ways to access password vaults is through phishing. Phishing is commonly conducted via email and social engineering techniques are used to trick individuals into visiting a malicious website that spoofs a particular brand. Phishing attacks may also solely be conducted via the Internet, with traffic sent to the malicious websites through malicious adverts or search engine poisoning – getting malicious websites to appear high in the listings for specific search terms.
The Bitwarden phishing campaign involves malicious adverts. A threat actor has created web pages that closely resemble the official Bitwarden domain (bitwarden.com) and is using Google Ads to promote their fake website. Those ads are appearing above the legitimate Bitwarden site in the search engine listings for certain search terms.
The malicious domains contain the name Bitwarden – appbitwarden.com for example – but that domain is not owned by Bitwarden. Clicking the link will direct the user to a webpage that is a virtual carbon copy of the official Bitwarden website. The user is prompted to supply their email address and password to log in to their cloud Bitwarden account, or to create a new account.
If a Bitwarden user enters their credentials, they will be captured and used to access the user’s password vault, providing the attacker with the passwords for the user’s entire digital footprint. Even if the individual does not have a Bitwarden account and attempts to sign up, the threat actor will have a username and password combination that could be used in a credential stuffing attack or a future attempt to access to user’s password manager vault. If a user attempts to sign up for a new account, the credentials are captured and the user is redirected to the official Bitwarden page, where they would be likely to try again to create an account, possibly using the same password.
This particular campaign targets Bitwarden users, but the same technique could be used to target users of other cloud-based password managers. Google has controls in place to prevent malicious adverts from being created on its platform and has since removed the malicious adverts, but this campaign shows that those controls are not always effective. These campaigns are also conducted on other ad networks, allowing malicious adverts to be displayed in other search engines and on high-traffic web pages.
This campaign clearly shows why businesses need to look beyond email filtering solutions to protect against phishing attacks. A secure email gateway or spam filter will block malicious messages sent via email but will do nothing to protect against web-based phishing attacks. The easiest way to prevent these types of phishing attack is to use a web filter. TitanHQ’s web filtering solution, WebTitan Cloud, is constantly fed threat intelligence of malicious URLs and domains, ensuring access to these domains is prevented. WebTitan also scans URLs in real-time and can be configured to restrict access to web content by the category of website or web page, or the presence of certain keywords on the page. Web filters also protect against malware by allowing controls to be set to prevent downloads of specific file types from the Internet and can identify malicious DNS traffic.
When a web filter is combined with a spam filter, multi-factor authentication, and security awareness training for employees, businesses will be well protected against all forms of phishing.
A new malware variant dubbed RisePro has been detected which is being distributed via websites offering fake software cracks. Software cracks, product activators, and keygens are used for activating software without paying the software developer for the license. Software can be expensive, so these tools have proven popular, and many of these tools are available free of charge; however, these executable files have long been used to install malware and adware.
RisePro malware is a previously unseen malware variant that was first detected in December 2022. RisePro is an information stealer that will steal passwords, credit card details, and cryptocurrency wallets from infected devices and the malware has already been installed on many devices, with the data stolen by the malware already being sold on Russian dark web sites, according to Flashpoint.
RisePro malware is being distributed via the PrivateLoader pay-per-install malware distribution service, which has been in operation since early 2021. The operators of PrivateLoader have a network of websites that offer cracked software, with PrivateLoader offering its clients the ability to install malware on devices in specific countries, environments, or those with certain software installed. PrivateLoader is delivered through software cracks and will deliver the malware of choice on a pay-per-install basis. An analysis of RisePro malware revealed considerable code similarities with PrivateLoader, which suggests the two may be operated by the same threat actor or a developer of PrivateLoader has broken away and has set up a rival malware loader service.
When RisePro malware is installed on an infected device it fingerprints the infected system and sends stolen data via a ZIP archive to the attacker’s command and control server. The malware will steal data from all popular web browsers, common browser extensions, and software such as Discord and Authy Desktop. The malware will also steal cryptocurrency assets from a wide range of wallets. RisePro malware can also scan filesystem folders and will exfiltrate data of interest, such as receipts that include credit card numbers.
Cracks and product activators commonly include malware or adware, and clean product activators are now very difficult to find, so any individual attempting to download and activate pirated software is taking a big risk. If pirated software is installed on a work device, that risk is greater still. A malware infection on one device can easily spread across the network and cause considerable damage. Malware infections from unlicensed/pirated software have been estimated to cost businesses close to $359 billion a year, according to the BSA Global Software Survey. Businesses should therefore take steps to reduce the risk by implementing safeguards to stop employees from accessing the sites that offer pirated software, blocking downloads, and preventing software installers from being run.
One of the easiest ways to protect against malware infections and lawsuits stemming from the use of illegal software is to block the sites used to distribute fake/pirated software with a web filter. WebTitan Cloud is a 100% cloud-delivered DNS-based web filtering service that is easy for businesses to set up and use to control access to the Internet. Users can block access to peer-to-peer file-sharing networks where pirated software is commonly downloaded and the warez sites that distribute software cracks. It is also possible to block downloads of certain file types from the internet, such as executable files. As an additional control, businesses should consider locking down all workstations to prevent non-admin users from running executable files.
For more information on web filtering and the WebTitan Cloud solution, give the TitanHQ team a call. WebTitan Cloud is available on a free trial to allow businesses to discover for themselves how effective the solution is at controlling access to the internet and how easy it is to use. WebTitan Cloud for Wi-Fi is also available for operators of Wi-Fi hotspots for controlling what users can do while connected.
For the first time in almost a decade, changes have been made to the ISO 27001 standard and the code of practices (ISO 27002). Details of the changes were first released on February 15, 2022, and came into effect this October.
ISO 27001 (or ISO/IEC 27001:2005 to be precise) is a specification for an information security management system (ISMS), which is a framework of policies, procedures, and controls to support an organization’s information risk management processes. All ISO 27001 accredited businesses, and those that plan to become ISO 27001 accredited, are required to comply with the updated standard. Businesses that fail to do so will lose their accreditation, but they are given time to make the necessary changes. Any business that fails to make the necessary changes will lose its accreditation after 3 years. It is strongly recommended not to wait and to make the changes as soon as possible, as implementing the controls will help your business better manage and mitigate risk.
ISO 27002, which used to be known as a code of practice, is no longer referred to as such and is more accurately referred to as a set of information security controls. There have been some amendments and reorganization of the security controls, which now list 93 controls as opposed to the 114 in the 2013 version. These controls have also been grouped into 4 themes (people, organizational, technological, and physical) rather than the 14 clauses in the previous version.
Importantly for accredited businesses, 11 new controls have been added to the ISO 27002 information security controls:
Threat intelligence
Information security for use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
Some of these controls are very similar to previous controls; however, they have been categorized as new, so organizations should ensure that they are compliant with these controls, even if they seem similar. It should be noted that these controls are not mandatory, as it is possible to exclude a control provided no related risks have been identified and the organization is not required to implement the controls to meet its contractual, regulatory, or legal requirements.
The ISO 27001/27002 Web Filtering Control
The web filtering requirement requires accredited businesses to implement a web filtering solution that allows them to exercise control over the web content that can be accessed to protect against web-borne threats such as malware, ransomware, and phishing. Web filters typically block malicious IP addresses, such as those known to be used for phishing or malware distribution, through blacklists that are constantly updated based on the latest threat intelligence. They also allow businesses to carefully control the web content that can be accessed by users of their network to enforce their acceptable internet usage policies.
Web filtering is important as many threats are delivered via the Internet. Any employee with access to the Internet could easily navigate to a malicious site unless a web filter is in place to block that access, and phishing attempts delivered via email often have a web-based component. Should an attempt be made to visit a blocked site, the user is directed to a local block page that explains why the request has been denied.
WebTitan Cloud – Web Filtering Made Simple
As a provider of a DNS-based web filtering software-as-a-service (SaaS) solution – WebTitan Cloud – we would like to take this opportunity to introduce the solution and explain how it will help organizations comply with the web filtering controls of the revised standard.
WebTitan Cloud is a DNS-based web filtering solution that is delivered as a 100% cloud-based service. The solution uses the Domain Name System for web filtering, which makes it lightning fast with no latency. All web content is checked, with web filtering controls implemented in a fraction of a second, with no content downloaded unless the filtering checks are passed.
WebTitan Cloud is fed threat intelligence from more than 500 million endpoints worldwide, which automatically update the blacklists of known malicious content. Users can filter the Internet via 53 preset categories and 10 customizable categories to broadly block specific types of web content (anonymizers, pornography, gaming, gambling, dating, hacking, etc.). Content controls can also be applied based on the presence of user-defined keywords, with the content blocked if a certain threshold is reached. WebTitan can also be configured to block specific file types from the Internet such as executable files to further reduce risk, and the solution can detect and block malware communications via the DNS.
All controls can be accessed through an intuitive web-based interface, which also provides access to an extensive suite of reports that give administrators full visibility into the online activities of users, including real-time views down to the individual level. Controls can be implemented organization-wide, for locations, user groups, and individuals, with the solution integrating with directory services to make this as simple as possible.
One of the most important aspects of WebTitan Cloud that make it so popular is how easy the solution is to set up and use. Businesses can start blocking malicious content in a couple of minutes by pointing their DNS to WebTitan Cloud, and content control settings can usually be configured in about 20-30 minutes.
For more information on meeting your new web filtering obligations under ISO 27001/2 and details of WebTitan Cloud pricing, contact TitanHQ today. Also, feel free to sign up for a free trial of the solution to see for yourself how easy it is to start web filtering.
TitanHQ is proud to announce that the company has been recognized in the Fall 2022 Expert Insights ‘Best-Of’ awards, and collected five awards for email security, email archiving, web security, phishing simulation, and security awareness training.
The Expert Insights ‘Best-Of’ awards recognize the leading cybersecurity solutions that businesses are using to keep their networks and sensitive data secure. Selecting the best software solutions to use can be a challenge for businesses. Expert Insights makes that process easier by providing objective and honest reviews and advice, producing buyers’ guides, and other valuable information to help businesses choose the best software solutions to meet their needs. Each month, more than 85,000 businesses use the Expert Insights website, with the site having more than 1 million visitors a year.
The Fall 2022 Best-Of awards were split into 41 categories. The Expert Insights editorial team researched to identify the best cybersecurity solutions on the market for inclusion in each category, which contain up to 11 software solutions. Those solutions are selected based on several criteria, such as the feature set of the products, their ease of use, market presence of the company, and how genuine business users of the solutions rate the products. There naturally needs to be a winner in each category, but simply being included in the list confirms the quality of a product.
TitanHQ collected 5 Best-Of awards in the following categories:
Best-Of Email Security – SpamTitan
Best-Of Security Awareness Training – SafeTitan
Best-Of Phishing Simulation – SafeTitan
Best-Of Web Security – WebTitan
Best-Of Email Archiving – ArcTitan
In addition, SpamTitan was rated as the top email security solution in the category and ArcTitan was rated top in the email archiving category. Vendors ESET and CrowdStrike also performed exceptionally well and picked up multiple awards.
“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving” said TitanHQ CEO, Ronan Kavanagh. “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base”.
TitanHQ has announced the release of a new version of the WebTitan DNS filtering solution that incorporates several new features to improve usability, functionality, and security, including advanced off-network DNS protection for remote workers.
WebTitan is an award-winning DNS-based web filtering solution used by thousands of SMBs, enterprises, and managed service providers for exercising control over the web content users can access via wired and wireless networks and for blocking web-borne cyber threats. The latest release adds new features that have been requested by customers.
The new additions in the latest WebTitan release are: Interactive threat intelligence with DNS data offload, remote workforce protection: OTG device exceptions, and DNSSEC security enhancements. A new user interface has also been implemented to improve usability, with several new advanced reporting capabilities that have been requested by managed service providers.
Interactive Threat Intel with DNS Data Offload
For many users, WebTitan is a set-and-forget solution. The solution is easy to set up and configure to restrict access to inappropriate web content and block access to known malicious websites. For restaurants, coffee shops, and retail outlets that offer free Wi-Fi to their customers, these controls can be set and forgotten about. However, many users require access to extensive reports and intelligence to allow them to conduct investigations into the threats that are targeting the organization. WebTitan provides those insights.
The latest version gives users the ability to list the DNS request history and download logs for analysis, access all DNS data, and extract DNS query data for sophisticated integrations and advanced data analysis, which will help with network troubleshooting, security planning, and IT decision-making.
New User Interface with Advanced Reporting
The WebTitan User Interface was designed to be intuitive and easy to use, to allow individuals with all skill levels to navigate through the features of the solution, set their content control policies, add blacklists, and view reports of web activity, including viewing real-time reports of Internet access down to the individual user level.
The latest version includes a new UI that provides access to advanced, relevant, and easy-to-digest data, and features a suite of new, interactive reports and data visualization tools. The latest reports show new behavior, blocked URLs, security reports, and trend reports, which have been embedded into the new UI to greatly improve the user experience. Many of the new reports were added to the solution at the request of users.
Remote Workforce Protection
WebTitan can be used to protect employees accessing the Internet on wired networks, but many businesses need to protect remote workers. During the pandemic, it became even more important to be able to protect remote workers who were accessing the Internet through their home routers, and many businesses now support hybrid working, where employees may access the internet at home, in the office, or through public Wi-Fi hotspots. WebTitan On-The-Go (OTG) allows organizations to extend the protection of WebTitan to remote workers through the WebTitan OTG agent, which protects devices no matter where they access the Internet.
The latest release sees major enhancements to the WebTitan OTG agent which is used to protect, manage, and monitor users when off the network. The latest release includes a replacement for the JSON config filters for OTG devices and makes it much easier to add and update exceptions to OTG devices through a simple and easy-to-use user interface.
DNSSEC Security Enhancements
The DNS was designed to be a scalable distributed system but did not incorporate any security features. The Domain Name System Security Extensions (DNSSEC) is a security system that was developed to add security and combat some of the threats that target the DNS. DNSSEC is used to verify the origin and integrity of data during the DNS resolution process and involves using cryptographic signatures for authentication. DNSSC is the primary way to prevent DNS poisoning attacks, where attackers target the DNS to redirect users to fake web servers and malicious websites. Security enhancements have been made to better protect users and allow DNSSEC to be easily implemented by users.
“This WebTitan release is hitting so many key pillars of success for TitanHQ. The data offload feature has been requested by many customers and creates real differentiation for our solution in the market. This coupled with our new advanced reporting were major requests from our MSP customers,” said Ronan Kavanagh, CEO, TitanHQ. “Finally, security is at the heart of what we do and are, the addition of DNSSEC just continues to add to our credentials.”
It is important for businesses to take steps to improve web security and block the web-based component of phishing attacks and drive-by malware downloads, and one of most important steps to take is to protect browsers against malvertising.
What is Malvertising
Malvertising is the term given to the use of malicious online adverts for downloading malware or directing website traffic to attacker-controlled websites for phishing or other scams. Malicious adverts may be placed on compromised websites, but commonly they are added to legitimate ad networks, which website operators use for improving engagement and generating additional revenue. Third-party advertising blocks are used on many high-traffic websites, and if malicious adverts are added, they can be displayed on large numbers of high-traffic websites to huge volumes of website visitors. Since the adverts may be displayed on trusted websites, that trust is then transferred to the adverts. Website visitors may click the adverts and be directed to a malicious website. Worse, it is possible to embed malicious code into the adverts themselves, so it is not always necessary to click the advert to have malware downloaded.
Malvertising is a significant attack vector and is often used for malware distribution. The attacks can bypass in-built browser security features that protect against website redirects and pop-up adverts. It is also possible for attackers to create malvertising campaigns that are targeted at specific users, and only serve adverts to those users.
How to Defend Against Malvertising
Since people interact with the Internet using a web browser, web browsers should be secured to protect against malvertising. The malicious code in adverts can probe for and exploit vulnerabilities in web browsers. Those vulnerabilities may exist due to the use of an outdated web browser such as Internet Explorer, or a web browser that has not been updated to the latest version. Web browsers may have unsecure configurations that can be exploited, or users could be redirected to a malicious website or web application. Attackers also use malvertising to exploit human weaknesses, such as unsecure browsing habits or untrained or poorly trained users.
The threat from malvertising cannot be totally eliminated, but steps can be taken to reduce risk. Many of the protective measures are low-cost and can be implemented easily. The four main methods for protecting against malvertising, as recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are:
Standardize and secure web browsers
Deploy ad blocking software
Implement protective domain name system technologies
Isolate web browsers from operating systems
Standardize and secure web browsers
Limit the browsers, versions, and configurations that are used by your organization – The greater the variety, the higher the probability that vulnerabilities will exist that can be exploited. By restricting browsers, versions, and configurations, you will have a more consistent and easily managed network portfolio. You must then ensure that the browsers are kept up to date and new versions are installed as soon as possible after a version has been released.
Deploy ad blocking software
Ad-blocking software can prevent malicious adverts from being displayed. Ad blockers will remove adverts or prevent them from being displayed, often via a web browser extension. In theory, ad blockers are a great choice for defending against malvertising, but this option should be treated with caution as ad blockers have their own security concerns. Ad blockers may operate with high levels of privileges and may therefore access all data traffic between the user workstation and the network, which means they may be able to perform malicious actions with high levels of privileges. Malicious ad blockers have been detected, and some browser extensions accept payments from advertisers to ensure that paid for ads are allowlisted and are not blocked.
Isolate web browsers from operating systems
Browser isolation is an architectural decision that is used by many large organizations to defend against web-based threats, although the design, implementation, and maintenance of Internet browser isolation can be complex and may be beyond the capabilities of some small- and medium-sized businesses. Browser isolation involves creating a logical barrier between the web browser and other systems and operates on a zero-trust principle, assuming that all web traffic is untrustworthy and potentially malicious. Browser isolation is often achieved locally using a sandbox or virtual machine on the user’s computer.
Implement protective domain name system technologies
One of the best steps to take is to use protective domain name system (DNS) technologies such as WebTitan. WebTitan is a DNS-based web filtering solution for blocking access to malicious websites. When a malvertising attempts to redirect a user to a malicious domain, that redirect is blocked, and the user is directed to a locally hosted block page and is advised that the web resource cannot be accessed as a threat was detected. WebTitan can also be configured to block access to risky categories of websites and will block drive-by malware downloads.
WebTitan incorporates threat intelligence feeds and collects data from over 500 million endpoints worldwide to ensure that threats are rapidly blocked for all users when new threats are detected. According to CISA, 91% of malware uses DNS for cyberattacks. WebTitan can block malware command-and-control server communications.
Advice from the U.S. Cybersecurity and Infrastructure Security Agency
In 2021, CISA issued a Capacity Enhancement Guide for all federal agencies calling for them to take steps to secure browsers and defend against malvertising. This year, CISA has recommended all businesses and non-profit organizations follow the guidance and take steps to protect their browsers against malvertising.
Phishing emails are commonly used to distribute malware and in recent years malware loaders have been a common payload. Malware loaders include the likes of BazarLoader and Bumblebee, which are used to infect devices with the goal of delivering the malware and ransomware payloads of other threat groups.
Security researchers have identified a relatively new malware loader dubbed Matanbuchus that is being delivered via phishing emails. Like other malware loaders, Matanbuchus is operated under the malware-as-a-service model, and has been developed to stealthily download and execute second-stage malware payloads and executable files. The Matanbuchus loader has recently been observed dropping Cobalt Strike on infected systems. Cobalt Strike is a legitimate adversary simulation framework that is used in red team operations for detecting vulnerabilities that could potentially be exploited, but is also extensively used by criminal hackers for post-exploitation activities.
The Matanbuchus loader is currently being offered on Russian cybercrime forums for $2,500, and has been available since at least February 2021, with a malware developer operating under the moniker BelialDemon believed to be the developer of the malware. BelialDemon is known to have been involved in the development and sale of other malware loaders, such as TrumpLoader.
Matanbuchus, which is an alternate name for the demon Belial, can be used to launch an .exe or .dll file in the memory, add or modify task schedules, launch PowerShell commands, and execute standalone executable files to load a DLL. The malware has already been used in several attacks in the United States, including entities in the education sector.
Researchers at Palo Alto Networks’ Unit 42 team have identified phishing emails being used to deliver the Matanbuchus loader that use Excel documents with malicious macros. As is common in these types of phishing campaigns, if the user opens the attached file, they are informed that the document was created in an earlier version of Microsoft Excel, so the content cannot be viewed unless the user clicks on Enable Editing and then Enable Content. Should content be enabled, Excel 4.0 macros are then leveraged to drop and execute the Matanbuchus loader.
A campaign has also been detected that uses a .zip file attachment that contains an HTML file, which delivers a second .zip file that includes an MSI installer. If that file is executed, an error message is displayed indicating to the user that something has gone wrong, when in the background a DLL file is delivered and executed, which acts as the loader for delivering the Matanbuchus loader DLL file.
To block the delivery of malware loaders such as Matanbuchus, it is important to implement multiple cybersecurity solutions. A Spam filter such as SpamTitan can be used to block the delivery of the phishing emails. SpamTitan includes dual antivirus engines for detecting and blocking known malware and sandboxing to identify unknown malware through in-depth analysis of the behavior of attached files.
A web filter such as WebTitan should be used to block connections to malicious websites that host the malware. WebTitan can also be configured to block downloads of files often used to deliver malware and command-and-control center communications.
It is also strongly recommended to provide comprehensive security awareness training to all members of the workforce to explain the threat of phishing emails, explain the red flags to look for in emails, and not to open attachments unless they can be verified as authentic. TitanHQ can help in this regard through the SafeTitan Security Awareness Training solution, which includes a phishing simulation platform for simulating phishing emails to test how employees respond. For further information on these solutions, contact TitanHQ today.
Expert Insights has announced its Spring 2022 Best-Of awards and TitanHQ has been given awards in 5 categories, including best-in-class awards for SpamTitan Email Security, WebTitan DNS Filter, ArcTitan Email Archiving, and SafeTitan Security Awareness training.
Expert Insights is an online publication that receives more than 80,000 visitors a month. Business owners and Information Technology professionals rely on the website which provides insights into the best business software solutions, along with blog posts, buyers’ guides, technical product reviews and analyses, interviews with industry experts, and reviews of software solutions by users of those solutions, who give accurate advice on their experiences and how the products perform in practice.
The Best-Of Awards recognize vendors and products that excel in their respective categories and help businesses achieve their goals. “Each of the services recognized in our awards are providing in many cases an essential service to their users, driving business growth, securing users in a challenging cybersecurity marketplace, and massively improving business efficiency,” Joel Witts, Expert Insights’ Content Director.
Each category includes a maximum of 11 products that have been analyzed by Expert Insights’ editorial and technical teams in the UK and US and have achieved excellent ratings from genuine users of the solutions. “These awards recognize the continued excellence of the providers in these categories,” said Witts.
At the Expert Insights Spring 2022 awards, TitanHQ was ranked the number 1 solution in the Best Email Security Gateway category for SpamTitan Email Security, ArcTitan Email Archiving was ranked number 1 in the Email Archiving for Business category, WebTitan DNS Filter ranked second in the Web Security category, and SafeTitan Security Awareness Training was ranked in the top 10 in two categories, Security Awareness Training and Phishing Simulation.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said TitanHQ CEO Ronan Kavanagh. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Information about the 2021 ransomware trends identified by U.S. and European cybersecurity agencies and simple steps you can take to improve your security posture and prevent ransomware attacks.
2021 Ransomware Trends
Cybersecurity agencies identified several 2021 ransomware trends that look set to continue throughout 2022. There was an increase in ransomware attacks in 2021 with education and government the most commonly targeted sectors. The pandemic and lockdowns meant businesses needed to switch to remote working and security teams struggled to defend their networks. Ransomware gangs were quick to exploit vulnerabilities to gain access to networks, steal sensitive data, and encrypt files to extort money from businesses.
2021 also saw an increase in sophisticated ransomware attacks on critical infrastructure. Cybersecurity authorities in the United States said cyber threat actors had conducted attacks on 14 of the 16 critical infrastructure sectors, with the UK’s National Cyber Security Centre reporting an increase in attacks on businesses, charities, legal firms, healthcare, and local government.
While initially, several ransomware threat actors were focused on big game hunting – attacking large, high-value organizations that provide critical services such as Colonial Pipeline, Kaseya, and JBS Foods – the attacks prompted the raising of the status of ransomware attacks to the level of terrorism, and the increased scrutiny on ransomware gangs saw ransomware attack trends change, with the focus shifting to mid-sized organizations.
Double extortion tactics have been the norm for the past two years, where attackers exfiltrate data prior to file encryption and then demand payment for the decryption keys and to prevent the publication of stolen data. A new trend of triple extortion in 2021 saw ransomware gangs also threaten to inform the victim’s partners, shareholders and suppliers about the attack. It is also now common for ransomware gangs to work with their rivals and share sensitive data. There have been multiple cases where ransomware gangs have shared information with other gangs to allow them to conduct follow-on attacks.
2021 saw an increase in attacks on the supply chain. By compromising the supply chain, ransomware gangs are able to conduct attacks on multiple targets. There was also an increase in attacks targeting managed service providers, where MSP access to customer networks is exploited to deploy ransomware on multiple targets. Russian ransomware gangs have been increasingly targeting cloud infrastructure, accounts, application programming interfaces, and data backup systems, which has allowed them to steal large quantities of cloud-stored data and prevent access to essential cloud resources.
Diverse tactics were used in 2021 to gain access to victim networks, including quickly developing exploits for known vulnerabilities, conducting brute force attacks on Remote Desktop Protocol, and using stolen credentials. These tactics have proven effective, helped by the increase in remote working and remote schooling due to the pandemic.
Improve Your Defenses Against Ransomware Attacks
To defend against ransomware attacks, it is important to prevent attackers from using these tactics. The number of reported vulnerabilities increased in 2021 and security teams struggled to keep up with routine patching. Security teams need to prioritize patching and concentrate on patching the vulnerabilities that are known to have been exploited, such as those published in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, and critical vulnerabilities where there is a high change of exploitation.
To combat brute force attacks, it is important to ensure all default passwords are changed and strong passwords are set for all accounts. Consider using a password management solution to make this easier. Multifactor authentication should be set up for as many services as possible, especially for access to critical systems, VPNs, and privileged accounts. RDP, other remote access solutions, and risky services should be closely monitored and ports and protocols that are not being used should be disabled.
It is also vital to take steps to prevent phishing attacks. Phishing is commonly used to gain access to credentials to gain a foothold in networks, or for phishing emails to be used to deliver malware. An advanced email security solution should be implemented to detect and block as many phishing threats as possible to prevent then from being delivered to employee inboxes. A web filtering solution can improve defenses by blocking access to the websites linked in phishing emails and to prevent the downloading of malware from the Internet. Security awareness training for the workforce is also important. Training should raise awareness of the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
TitanHQ can help with all of these anti-phishing defenses through SpamTitan Email Security, the WebTitan DNS-based Web Filter, and SafeTitan Security Awareness Training. To find out more about these solutions for SMBs, enterprises, Internet Service Providers, and Managed Service Providers, give the TitanHQ team a call.
A campaign has been identified that uses the offer of a free Windows 11 upgrade as a lure to trick people into installing Redline Stealer malware. The Redline Stealer is offered for sale on hacking forums for between $150 and $200 under the malware-as-a-service model. The malware is a popular choice with cybercriminals due to the relatively low cost, ease of use, and the range of sensitive data that the malware can steal.
Redline malware can steal autocomplete data, cryptocurrency, credit card information, FTP and instant messenger credentials, and credentials stored in Chromium-based web browsers. While passwords stored in browsers are encrypted, Redline malware can programmatically decrypt passwords provided the malware runs as the user who was infected. If the user does not store passwords in the browser, the malware can still steal valuable information from browsers, including the sites the user visited and chose not to store a password. Phishing emails can then be crafted targeting those credentials or credential-stuffing attacks could be performed on the accounts for those sites. There have been many cases of Redline malware being installed on endpoints that have antivirus software installed, where the antivirus software has failed to detect and block the malware.
Redline malware is commonly distributed via phishing emails containing an embedded hyperlink to a malicious website, with social engineering tricks used to convince the user to download and run the installer. This approach is often used to target businesses.
Recently, researchers at HP uncovered a campaign that uses a spoofed Microsoft domain offering visitors a free Windows 11 upgrade. The upgrade is offered on the domain windows-upgrade.com, which is a professional-looking domain designed to look like an official Microsoft website. If users click the ‘Download Now’ button, it will trigger the download of a compressed file called Windows11InstallationAssistant.zip, which is downloaded from a Discord CDN.
The zip file contains an executable file called Windows11InstallationAssistant.exe, which will trigger the infection process that will ultimately deliver the Redline stealer payload with no further user interaction required. Now that the domain has been identified as malicious it has been taken down, but the campaign is likely to be relaunched on different domains.
Software installers have long been used for delivering malware, sometimes the installers are fake and only deliver a malicious payload, while others install a genuine application or software but also bundle in malware, spyware, or adware. In the case of the latter, users will likely be unaware that anything untoward has happened, as they will have installed the software they intended to download.
Malicious software installers are often found on peer-2-peer file-sharing networks, legitimate websites that have been compromised, and attacker-owned domains. Search engine poisoning is frequently used to get links to the malicious websites appearing high in the organic search engine listings for key search terms, often those used by businesses. Malicious adverts – malvertising – are often used to send traffic to malicious websites via the third-party ad blocks displayed on legitimate websites. Links to malicious websites may also be added to phishing emails.
While an advanced spam filter can protect against phishing emails containing malicious links, it will do nothing to prevent users from visiting websites hosting malware through web browsing. To protect against web-based attacks, businesses should use a web filter.
A web filter can be used to restrict access to certain categories of website, such as those serving no business purpose. Web filters are fed threat intelligence and use blacklists of known malicious web pages and will prevent access to those web pages or websites. It is also possible to configure a web filter to prevent the downloading of certain file types from the Internet, such as those commonly associated with malware.
Web filters are an important cybersecurity control to add to your arsenal to improve your defenses against malware and ransomware, and they are also effective at blocking the web component of phishing attacks by preventing employees from visiting the websites where credentials are harvested.
TitanHQ has developed an easy-to-use and powerful DNS-based web filter for SMBs, enterprises, and managed service providers. WebTitan Cloud is quick and easy to set up and configure and will allow you to enforce acceptable Internet usage policies and filter out malicious websites in minutes. WebTitan Cloud can protect users of wired and wireless networks, and even remote workers by installing a lightweight client on corporate-owned devices.
If you want to improve your defenses and block more threats, contact TitanHQ for further information on filtering the Internet with WebTitan.
Do you offer Wi-Fi access to your customers? Read on if you do and you are not yet providing a filtered Internet service.
Businesses that offer their customers free Wi-Fi access provide more value and offering free Wi-Fi can help to attract new business. The provision of Wi-Fi does not come at a great cost, and the low cost of providing free WiFi can be easily recovered. Retailers, restaurants, bars, and coffee shops that provide a free Wi-Fi service encourage customers to remain for longer, which can result in more sales. Many people actively seek out businesses that have a free Wi-Fi service. If it was a toss-up between a café with free Wi-Fi and one without, the coffee would have to be considerably better to make up for the lack of Internet access.
Providing Wi-Fi access is however not without risk. If controls are not implemented on the Wi-Fi network to restrict certain online activities, businesses and other public hotspot providers could be exposed to legal risk if their Wi-Fi network is used for illegal activities. Wi-Fi access could also be abused by customers, who could hog bandwidth by downloading large files or using bandwidth-heavy websites, preventing others from accessing the Internet or slowing down page load speeds. Customers could also use the free access for viewing inappropriate web content such as pornography, in full view of other customers. There have been many reports of patrons of libraries doing just that in the United States.
Anyone who uses public Wi-Fi is taking a risk, as public Wi-Fi networks often lack security. There is a risk of a malware infection when connecting, and Internet connections can be monitored, and sensitive information stolen. Cybercriminals often frequent establishments offering free Wi-Fi to prey on the unwary by creating evil twin Wi-Fi networks and eavesdropping on connections.
Businesses offering free Wi-Fi access may not be able to block all types of cyberattack, but they can implement protections to reduce the risk of their customers being harmed. The way to do this is to provide a filtered Internet service.
Businesses that filter the Internet can prevent customers from unwittingly accessing web pages hosting phishing kits and sites known to be used for malware distribution. Internet speed can be kept fast by blocking access to certain types of online activities, especially with a filtering mechanism that allows time-based controls to be implemented. During busy times, access to websites that consume a lot of bandwidth, such as TV and video streaming sites, could be restricted and relaxed at quieter times. Filtering the Internet creates a family-friendly Internet service, which will help to protect minors from coming to harm. A filtered Internet service can attract more business from families especially by signing up for the Friendly Wi-Fi scheme.
It is recommended to block websites promoting hate speech and discrimination, child abuse, drugs, weapons, and pornography to create a sanitized Internet service. Filtering the Internet to block illegal activities such as copyright-infringing file downloads, such as pirated music, videos, and software can reduce legal risk and is also recommended.
As an added advantage, Internet filtering solutions can provide insights into customer behavior. Businesses can get a real-time view of Internet activity, can generate reports of the sites and content that are being accessed, and that can be incredibly valuable for guiding future marketing efforts. If a business can see the sites visited by their customers, they will know the types of sites they should advertise on to get the maximum benefit.
Filtering the Internet is not expensive, but the benefits are considerable. The easiest way of filtering the Internet is to use a DNS filtering solution. DNS filtering solutions can be easily implemented and will not affect Internet speed. They require no hardware purchases, and many implementations filter in the cloud, so require no software downloads.
WebTitan Cloud for Wi-Fi from TitanHQ has been developed to make offering customers a filtered Internet service as simple as possible. Users do not need to be IT experts, as the solution is intuitive and simple to set up, use, and maintain. It requires a simple configuration change, which the TitanHQ support team will talk you through implementing, and you can log in to the web portal and filter categories of Internet content you wish to restrict.
WebTitan Cloud for Wi-Fi is a powerful, feature-rich Internet filtering solution, but for many businesses, it is a set and forget solution. Set your policy and forget about it. Whatever reports or alerts you need can be configured to be sent to you automatically.
If you provide either free or paid Wi-Fi access, and you are not yet offering a filtered Internet service, give the TitanHQ team for more information about WebTitan Cloud for Wi-Fi. A product demonstration can be scheduled if you need it, and you can try the full solution free of charge – with full support – before deciding about a purchase. The team will also be happy to answer any questions you may have about Internet filtering.
January 21, 2022, will see the 2nd ever Channel Pitch Livestream Event – An opportunity for forward-thinking managed service providers, Internet service providers, value-added resellers, and IT service providers to discover new software solutions from some of the most existing and innovative technology vendors that can help them grow their business.
The event serves as an introduction to a carefully curated selection of companies that have developed solutions that can help service providers improve protection against cyber threats, manage Microsoft 365 and Azure workloads more effectively, and streamline back-office processes to improve efficiency.
At this year’s event, hosted by Serial Tech Entrepreneur Kevin Lancaster and Channel Evangelist Matt Solomon, attendees will have the opportunity to hear from 7 companies about their MSP solutions, with each presentation lasting only 7 minutes. During those presentations, attendees will learn about the features and benefits of those solutions, and how they can be deployed in MSP environments to grow revenue and improve profitability. After the presentations, attendees will be able to engage directly with any of the vendors to discover more about the solutions, and feedback can be provided to each of the vendors with 100% anonymity.
TitanHQ is proud to be presenting at this Exclusive Livestream MSP event. Conor Madden, TitanHQ Director of Sales, will explain how TitanHQ’s award-winning email security and web security solutions can be used by MSPs, MSSPs, and ISPs to improve protections against the most common threats faced by MSPs and their clients, how the solutions are quick and easy to deploy, effortless to manage, and can help to improve profitability and win new business.
TitanHQ’s solutions have been adopted by more than 3,000 MSPs and are trusted by over 14,500 businesses worldwide to improve email and web security, with the feature-rich solutions offering multiple integrations via the advanced API set, granular policy controls, with a comprehensive suite of reports. The solutions identify more than 100,000 new malware sites every day through threat intelligence delivered from more than 650 million users worldwide.
The Livestream event is free of charge to register and attend and is a great opportunity for MSPs, MSSPs, ISPs, VARs, IT service providers, and consultants.
LiveStream Event Details
Date: January 21, 2022
Time: 4.00 p.m. GMT ¦ 11 a.m. EST ¦ 8 a.m. PST
Hosts: Kevin Lancaster and Matt Solomon
Presentations:
Biomedical firms and their partners are being targeted by an Advanced Persistent Threat (APT) actor in a campaign that delivers Tardigrade malware. Initial analyses of Tardigrade malware suggest it is a sophisticated threat from the SmokeLoader malware family. SmokeLoader is a generic backdoor that provides threat actors with persistent access to victims’ networks and gives them the ability to download additional modules or other stealthier malware variants onto systems.
Tardigrade malware is a much stealthier and more dangerous malware variant than SmokeLoader. It is far more sophisticated and has greater autonomy. The malware can make decisions about the files to modify and can move laterally within victims’ networks without requiring communication with a command-and-control server. The malware is also capable of immediate privilege escalation to the highest level.
Tardigrade malware is thought to be used for espionage purposes but has far greater capabilities. In addition to exfiltrating sensitive data from pharmaceutical and biomedical firms and vaccine chain companies, the malware is capable of causing major damage to IT systems to disrupt critical processes, including preparing systems for ransomware attacks after sensitive data have been exfiltrated. The analysis of the malware is ongoing, and no specific threat actor has been identified as conducting the attacks, but the attacks are believed to be conducted by a nation-state threat actor.
BIO-ISAC warns of Targeted Attacks on the Biomanufacturing Sector
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has recently issued a warning about Tardigrade malware due to the threat it poses to vaccine manufacturing infrastructure, even though relatively little is currently known about the malware. The early disclosure is believed to be in the public interest.
All firms in the biomanufacturing sector and their partners have been warned that they are likely targets and should assume that attacks will occur. Steps should therefore be taken to ensure that appropriate cybersecurity measures have been implemented to block attacks and limit the damage that can be caused should n attack be successful.
It is too early to tell how many methods are being used to distribute Tardigrade malware, but from the infections detected so far, the APT group behind the attacks is known to be using phishing emails to deliver Tardigrade, with infected file attachments the most likely method of delivery. Hyperlinks in emails that direct individuals to malicious websites where infected files or malware installers are downloaded could also be used.
An analysis of the attacks also indicates the malware could infect USB drives and transfer the malware automatically when those storage devices are used on uninfected computers. That means that if USB drives are used on devices isolated from the network, they too could be infected.
Defending Against Tardigrade Malware
Defending against attacks requires an advanced antispam solution that is not reliant on antivirus engines to detect malicious files. Antivirus engines are effective at blocking known malware variants, but not against previously undetected variants. Since Tardigrade malware is metamorphic, machine learning technology and sandboxing are required to block samples that are not detected as malicious by AV engines. Antivirus software should be installed on all devices which is capable of behavioral analysis, as the malware itself may not be detected as malicious.
A web filter should be installed and should be configured to block downloads of executable files from the Internet, such as .js, .com, .exe, and .bat files. It is also important to raise awareness of the threat of malicious messages with the workforce and teach all employees how to identify phishing emails. Training should cover cybersecurity best practices and inform employees about the procedures to follow if a suspicious email is received. Spear phishing attacks will likely be conducted on key targets. It is therefore recommended to review LinkedIn and other social media posts to identify individuals who may be targeted.
Network segmentation is vital for preventing the spread of Tardigrade malware. In the event of a device being compromised, network segmentation will limit the harm that can be caused. Tests should be run to ensure that corporate, guest, and operational networks are properly segmented. All firms in the biomanufacturing sector should identify their most sensitive data and ensure that it is appropriately protected, and all key infrastructure should be regularly backed up, with backups stored offline. BIO-ISAC also recommends inquiring about lead times for key bio-infrastructure components that need to be replaced
Exploit kits first emerged in 2006 and have since been used as an automated method of malware delivery. Exploit kits are programs that are loaded onto websites that contain exploits for known vulnerabilities. When a visitor lands on a web page that hosts an exploit kit, it performs a scan to determine if certain software vulnerabilities have not been patched. If an unpatched vulnerability is identified, the exploit kit will choose an exploit and will deliver a malware payload with no user interaction required.
Exploit kits became hugely popular with threat actors between 2010 and 2017, and while their use has declined to a fraction of the level seen in 2016 and 2017, they do still pose a threat. There are several exploit kits still being used that are regularly updated with new exploits for known vulnerabilities, and over the past couple of years they have mostly been used to deliver malware loaders that deliver ransomware.
The Fallout exploit kit for example has been used to deliver Maze Locker ransomware, and the Magnitude EK, which was first identified in 2013, is also being used to deliver ransomware, mostly in the Asia Pacific region.
Exploit kits are loaded on legitimate websites that have been compromised, as well as attacker-owned websites, with traffic to the latter often delivered through malicious adverts (malvertising). It is therefore easy to land on a site hosting an exploit kit through general web browsing.
The Magnitude EK is now one of the most extensively used exploit kits which, until recently, was only being used to target Internet Explorer; however, the exploit kit has now been updated and is being used to target Chromium-based web browsers on Windows PCs.
Avast reports that two new exploits have recently been added to the Magnitude EK, one of which targets a vulnerability in Google Chrome – CVE-2021-21224 – and the other targets the Windows kernel memory corruption vulnerability tracked as CVE-2021-31956. The Google Chrome bug is a remote code execution vulnerability, and the Windows bug can be exploited to bypass the Chrome sandbox, allowing an attacker to gain system privileges.
Patches have been released by Google and Microsoft to address both of these flaws; however, the reason why exploit kits are still an effective method of malware distribution is many people delay or ignore software updates. While the Magnitude EK is not believed to be currently exploiting the vulnerabilities to deliver a malware payload, it is unlikely that will remain the case for long.
The best defense against exploit kits is to ensure that software updates and patches are applied promptly, although that is not always possible for businesses and sometimes some devices are missed and remain vulnerable. An additional measure that can protect against exploit kits and other types of web-based malware distribution is a web filter.
Web filters are the Internet equivalent of spam filters. Just as a spam filter prevents the delivery of emails containing malware to inboxes, web filters prevent malware delivery via malicious websites and are a key component of anti-phishing defenses, preventing end-users from visiting websites hosting phishing kits.
TitanHQ has developed WebTitan to protect businesses from web-based threats and carefully control the content that can be accessed by office-based and remote workers. WebTitan is a DNS-based web filter that is quick and easy to implement, which has no impact on page load speeds. WebTitan is used by more than 12,000 businesses and managed service providers for content filtering, blocking malware delivery via the internet, and as an additional security measure to block phishing attacks.
If you want to improve protection against malware, malicious sites, phishing sites, C2 callbacks, ransomware, botnets, spyware, and viruses, give the TitanHQ team a call or put the solution to the test in your own environment by taking advantage of a 100% free 14-day trial of the full solution.
If you want to keep your computers and networks protected from malware, it is important to train your staff on how to identify a malicious website. You should also install a powerful web filtering solution to ensure your employees’ malicious website identification skills are never put to the test.
Cybercriminals are developing ingenious ways of compromising networks
Scammers and cybercriminals used to mainly send out emails with infected attachments. Double-clicking on the attachment would result in the computer, and possibly the network, being infected with malware. Oftentimes, this action would go undetected by anti-virus software programs. A full system scan would need to be conducted before the malicious software was identified.
Computer users are now much wiser and know never to open file attachments that have been sent to them by unknown individuals, and certainly never to double click on an executable file. Hackers and other cybercriminals have therefore needed to get smarter, and are now developing ever more sophisticated ways of obtaining user credentials and getting people to install malware manually. One of the ways they are doing this is by developing malicious websites.
End users are contacted via email and are sent links to websites along with a valid reason for visiting the site. Links to malicious websites are also frequently sent out in social media posts or are placed in third-party website adverts. Some sites are hijacked and visitors are redirected to fake sites automatically.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
What is a malicious website?
Malicious websites host malware or are used to phish for sensitive information. In the case of the latter, users are tricked into revealing sensitive data such as login credentials for online banking websites.
Malware may require some user interaction before it is installed. Visitors may be tricked into downloading a security program, for instance, by being informed their computer is already infected with malware. They may be offered a free screensaver or asked to download a fake PDF invoice.
Increasingly, malicious websites are used to host exploit kits. Exploit kits probe visitors’ browsers to identify security vulnerabilities that can be exploited without any user interaction required. If a vulnerability is detected, malware can be installed automatically on the computer or network. This method of cyberattack is called a drive-by download. Drive-by downloads can involve malware being installed onto the computer’s hard drive, a network drive, or even loaded into the computer’s memory.
Learning how to identify a malicious website is important if you want to prevent your computer from being infected, and it is essential for system administrators and other IT professionals to conduct staff training to help end users avoid these dangerous sites.
How to identify a malicious website
There are some easy ways to tell if a website is attempting to install malware:
The website asks you to download software, save a file, or run a program
Visiting the website automatically launches a download window
You are asked to download an invoice or receipt, such as a PDF file, .zip or .rar, or an executable file or .scr screensaver file
A malicious website may also tell you:
Your computer is already infected with malware
Your plug-ins or browser are out of date
You have won a competition or free prize draw. You may also be offered free money or vouchers that require you to enter your credit card or banking information
If you are asked to download any files or update your software, conduct a check of the site via Google and try to determine whether the site is genuine. If in doubt, do not download any files.
If you are told your browser is out of date, visit the official browser website and check your version number. Only ever download updates from official websites.
If you have accidentally visited a drive-by download site, by the time that you have connected it may be too late to prevent malware from being downloaded. To protect against drive-by downloads you must ensure that your browser, add-ons, and plugins are 100% up to date. You should also use a software solution to block access to drive-by download sites.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
How to block end users from visiting a malicious website
Even legitimate websites can be hacked and used to host malicious code. They may use advertising networks that are used by cybercriminals to direct visitors to malware-hosting websites. The best defense is to block these adverts and malicious websites.
Blocking access to malicious websites is a simple process. All it requires is a powerful web filtering solution to be installed. WebTitan web filtering solutions for the enterprise will help you keep your network secure by preventing users from visiting sites known to host malware.
WebTitan incorporates a range of measures to detect malicious web content to prevent employees from visiting dangerous websites. WebTitan can also be configured to block access to questionable or illegal content to enforce an organization’s acceptable Internet usage policy.
If employees are trained on malicious website identification and web filtering software is installed, your network will be much better protected from malware infections and other web-based threats.
FAQs on Guest Wi-Fi Network Security and Blocking Malicious Websites
Should I enable guest Wi-Fi?
By enabling guest Wi-Fi, you are creating a separate network for guest users to access the Internet. This is much more secure than allowing a guest user to connect to your main business network. Be aware that your guest Wi-Fi network is still connected to your business so you should control the activities that can be performed while connected.
Are guest Wi-Fi networks secure?
A guest Wi-Fi network keeps guest users away from your servers and company data. While connected to the guest network, individuals will be prevented from accessing your internal resources even if they are able to locate them. If you do not have a separate guest network, you will be at risk of hacking and data theft.
How can I make my guest Wi-Fi network secure?
You can make your guest Wi-Fi network more secure by changing the name of the network (SSID) to something less obviously tied to your business, setting a strong password, and configuring the network to prevent access to local network resources. You should also implement a web filter to prevent users from accessing malicious web content.
Is web filtering complicated?
Setting up content filtering on a wired or wireless network is easy with a cloud-based web filter. Simply change your DNS settings to point to the service provider and you can be blocking threats and restricting access to web content in minutes. You will get a web-based interface to log in and can simply click on the categories of content you want to block.
How much does a web filtering solution cost?
There are many different providers of Wi-Fi filtering solutions and the cost can vary considerably. You could end up paying upwards of $2.50 per user per month; however, solutions such as WebTitan Cloud for Wi-Fi will give you the protection you need at a very reasonable cost, which can be as little as $1 per user, per month. To find out the cost, use our cost calculator.
Many employees access their work emails and work networks via public Wi-Fi hotspots, even though there is a risk that sensitive information such as login credentials could be intercepted by hackers. Many employees are unaware of the Wi-Fi security threats that lurk in their favorite coffee shop and fail to take precautions. Even employees who are aware of Wi-Fi security threats often ignore the risks.
This was highlighted by a 2017 survey by Symantec. 55% of survey participants said they would not hesitate to connect to a free Wi-Fi hotspot if the signal was good and 46% said they would rather connect to a free, open wireless network than wait to get a password for a secure access point.
60% of survey participants believed public Wi-Fi networks are safe and secure but even though 40% are aware of the Wi-Fi security threats, 87% said that they would access financial information such as their online banking portal or view their emails on public Wi-Fi networks.
The majority of users of public Wi-Fi networks who were aware of the Wi-Fi security threats said they ignored the risks. Millennials were the most likely age group to ignore Wi-Fi security threats: 95% of this age group said they had shared sensitive information over open Wi-Fi connections.
Consumers may be willing to take risks on public Wi-Fi networks, but what about employees? According to a 2018 Spiceworks survey, conducted on 500 IT professionals in the United States, employees are also taking risks.
61% of respondents to the survey said their employees connect to public Wi-Fi hotspots in coffee shops, hotels, and airports to work remotely. Only 64% of respondents said their employees were aware of the security threats on Wi-Fi. A similar percentage said their employees were aware of the risks and connect to their work networks using a VPN, which means that 4 out of 10 workers were unaware of the importance of establishing a secure connection.
Even though 64% of respondents were confident that employees were aware of the risks, only half were confident that data stored on mobile devices was adequately protected against threats from public Wi-Fi hotspots. 12% of respondents said they have had to deal with a public Wi-Fi-related security incident, although a further 34% were not sure if there had been a security breach as many incidents are never reported.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
WiFi Security Threats Everyone Should be Aware of
All employers should now be providing security awareness training to their employees to make the workforce more security-aware. Employees should be trained how to identify phishing attempts, warned of the risk from malware and ransomware, and taught about the risks associated with public Wi-Fi networks.
Five threats associated with open public Wi-Fi hotspots are detailed below:
Evil Twins – Rogue Wi-Fi Hotspots
One of the most common ways of obtaining sensitive information is for a cybercriminal to set up an evil twin hotspot. This is a fake Wi-Fi access point that masquerades as the legitimate access point, such as one offered by a coffee shop or hotel. An SSID could be set up such as “Starbuck Guest Wi-Fi” or even just state the name of the establishment. Any information disclosed while connected to that hotspot can be intercepted.
Packet Sniffers
Using a packet sniffer, a hacker can identify, intercept, and monitor web traffic over unsecured Wi-Fi networks and capture personal information such as login credentials to bank accounts and corporate email accounts. If credentials are obtained, a hacker can gain full control of an account.
File-Sharing
Many people have file-sharing enabled on their devices. This feature is useful at home and in the workplace, but it can easily be abused by hackers. It gives them an easy way to connect to a device that is connected to a Wi-Fi hotspot. A hacker can abuse this feature to drop malware on a device when it connects to a hotspot.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Shoulder Surfing
Not all threats are hi-tec. One of the simplest methods of obtaining sensitive information is to observe someone’s online activities by looking over their shoulder. Information such as passwords may be masked so the information is not visible on a screen, but cybercriminals can look at keyboards and work out the passwords when they are typed.
Malware and Ransomware
When connecting to a home or work network, some form of anti-malware control is likely to have been installed, but those protections are often lacking on public Wi-Fi hotspots. Without the protection of AV software and a web filter, malware can be silently downloaded.
Employers can reduce risk by providing comprehensive training to employees to make sure they are aware of the risks from public Wi-Fi hotspots and make sure that employees are aware they should only connect to public Wi-Fi networks if they use a VPN. Employers can further protect workers with WebTitan Cloud – An enterprise-class web filter that protects workers from online threats, regardless of where they connect.
Hotspot providers can protect their customers by securing their Wi-Fi hotspots with WebTitan Cloud for Wi-Fi. WebTitan Cloud for Wi-Fi is a powerful web filter that protects all users of a hotspot from malware and phishing attacks, and can also be used to control the types of sites that can be accessed. If you offer Wi-Fi access, yet are not securing your hotspot, your customers could be at risk.
Contact TitanHQ today to find out how you can protect your customers from online threats, control the content that can be accessed via your Wi-Fi network, and discover how quick and easy it is to create a family-friendly Wi-Fi environment.
Hospitals often invest heavily in solutions to secure the network perimeter, although the importance of Internet and WiFi filtering in hospitals is often misunderstood. Network and software firewalls are essential, but alone they will not provide protection against all attacks. As healthcare IT security staff know all too well, the actions of employees can see cybersecurity defenses bypassed.
A look at the Department of Health and Human Services’ Office for Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, the potential rewards for a hacker are considerable.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data than in other industry sectors. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its files following a ransomware attack in February 2016. It was one of several hospitals to give in to attackers’ demands following ransomware attacks.
A Web Filter is an Important Extra Security Layer to Protect Against Phishing Attacks
Phishing is one of the main threats for healthcare organizations, so it is vital for the email system to be secured with an advanced spam filtering solution and for security awareness training to be provided to employees. However, layered defenses are required to reduce the threat of phishing to a reasonable and acceptable level.
A web filtering solution is an important additional control in the fight against phishing. If an employee clicks on a hyperlink in a phishing email that has made it past email security defenses, the phishing website can be blocked. Instead, the user will be directed to a block screen and a potential account compromise can be avoided. A web filter will also help to protect users from malicious redirects when browsing the internet.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
Another common weak point is the WiFi network. IT security teams may have endpoint protection systems installed, but often not on mobile devices that connect to WiFi networks. The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, but there are also laptops, tablets, and an increasing number of medical devices connected to WiFi networks. As the use of mobile and IoT devices in healthcare continues to grow, the risk of attacks on the WiFi environment will increase.
Patients also connect to hospital WiFi networks, as do visitors to hospitals. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks. One of the easiest ways to protect the devices that connect to WiFi networks is a web filtering solution. A web filter allows IT teams to carefully control the types of content that can be accessed on hospital WiFi networks, block malware downloads, and prevent all users from visiting malicious websites. Internet and WiFi filtering in hospitals should be included in cybersecurity defenses to reduce the risk of malware downloads from the internet and is an important additional control against insider breaches.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking, and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to access the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume large amounts of bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites, for example, to ensure all users can enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors, and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file-sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal, undesirable, and age-inappropriate content is not just about protecting patients and visitors. It also reduces legal liability.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost-effective to implement, the solution requires no additional hardware or software installations, and there is no latency. Being DNS-based, setup is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based user interface. Separate filtering controls can be applied for different locations, user groups, or even individuals. Since the solution links in with Active Directory setting up controls for different users and departments is quick and simple. Separate content controls can easily be set for guests, visitors, and staff, including filtering controls by role.
WebTitan Cloud for WiFi supports blacklists, whitelists, and allows precision content control via category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what users can do when connected to your WiFI network.
To find out more about WebTitan Cloud for WiFi, details of pricing, contact the TitanHQ team today.
Regardless of whether you run a hotel, coffee shop, or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself – and them – to considerable risk. If you offer secure guest WiFI access, all users will be protected from malware, ransomware, and phishing when connected to the network. That can be a good selling point for businesses. It also shows you care about your customers.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sales will be made elsewhere. Keep them in your store and allow them to access the internet and your chances of achieving a sale will be increased. Of course, if you are unable to compete with online retailers – Amazon for example – you could provide free WiFi but block access to that website.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows businesses to collect contact details for future marketing programs, and by monitoring the use of the Internet in-store, businesses can gain valuable customer insights and find out more about the interests of their customers. Businesses should note however that the General Data Protection Regulation (GDPR) requires consent to be obtained before any personal information is collected and used.
Giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be security-aware and have introduced policies covering allowable Internet usage, but guests, customers, and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of restrictions to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities on a business network or even illegal activity such as copyright-infringing downloads. They may also accidentally install malware or ransomware or visit phishing websites.
Secure guest WiFi for business means protecting yourself and your customers and guest users. Secure guest WiFi for business visitors and it will ensure they are protected when connected to your network. You will be able to block man-in-the-middle attacks, malware downloads and protect against phishing attacks. By providing secure guest internet access, you will also be able to reduce legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Secure guest WiFi for business is a must. Before providing WiFi access, be sure to consider the points below:
Network Segmentation
Segmenting your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your business guest wireless network should be kept totally separate from the internal network used by your employees. Guest users should not be able to log on and see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, if you segregate your network, it will greatly limit the harm caused.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that, it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up "evil twin" access points and lure guests onto those rogue access points and conduct man-in-the-middle attacks. You can post the SSID and password internally to make it easy for legitimate users to gain access to your network. Be sure to change your password regularly.
Keep Your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices and network. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed monthly to ensure that all devices have been updated and no firmware updates have been missed.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2/WPA3 encryption.
If your router does not support WPA2 as a minimum it is time to upgrade your router’s firmware or, if that is not possible, you should buy a modern router that supports WPA3 encryption. If you fail to encrypt your WiFi, it is too easy for your bandwidth to be stolen and for data to be intercepted.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding controls to limit the content that can be accessed on your WiFi network.
You should block access to adult content – which includes pornography, gambling sites, and dating sites, and also web content that is ethically or morally questionable or illegal.
A web filtering solution will also protect your customers from accidental malware and ransomware downloads and is an important anti-phishing control.
Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades. In contrast to appliance-based web filters, cloud-based filters are more scalable and are more adaptable to the changing needs of your business.
Wireless Guest Network Best Practices
There are many benefits to be gained from setting up a wireless guest network but doing so introduces risks. If those risks are not managed, guest users could gain access to network resources and view or steal sensitive information. Malware may be accidentally or deliberately installed, and vulnerabilities could be introduced that could expose the network to hackers. Fortunately, following some simple wireless guest network best practices will help you with securing the WiFi network, mitigating risks, and making your wireless network as - or more - secure than your wired network.
Separate your wireless guest network from the business network – Set up a second SSID specifically for guests to use. It should not be possible for guest users to access your internal WiFi network.
Choose the SSID wisely – Choose a name that does not advertise the fact that the network belongs to your business if you want to make it harder for hackers to attack your WiFi network.
Set a secure password for guests to use – Make sure the default password is changed to ensure only authorized guests can access the network.
If possible, ensure each guest user can be identified on the network. Use a management solution that collects guest credentials as this will allow you to monitor guest behavior and gain valuable insights into how your customers are using the network. Be aware there are restrictions under GDPR and CCPA that require you to obtain consent to collect personal data and explain why the data is being collected.
Communicate your Internet usage policies to guests so they know what is allowed and prohibited while connected to your WiFi network
Use the most advanced encryption available – All modern routers and access points support WPA2 encryption. Make sure this is enabled – or WPA3 if it is supported. Avoid using WPS as it is vulnerable to brute force attempts to guess the password.
Disable admin access on wireless networks – if a hacker succeeds in gaining access to your WiFi network, this will limit the harm that can be caused.
Implement a web filtering solution – A web filter should be configured to prevent users from accessing inappropriate and malicious websites while connected to the WiFi network
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
WebTitan Cloud for WiFi – Secure Guest WiFi for Business Users
TitanHQ has made it easy to secure guest WiFi for business users. WebTitan Cloud for WiFi is a 100% cloud-based web filter that allows businesses to carefully control the categories of web content that can be accessed by guest users.
WebTitan Cloud for WiFi allows businesses to block access to 53 different predefined categories of web content, including pornography, gambling, dating, news, and social media websites. Within those 53 categories are more than 500 million websites in 200 languages that have been assessed for content and categorized. A cloud-based lookup also ensures accurate and flexible filtering based on-page content.
Secure guest WiFi for business means effective malware, ransomware, and phishing protection. With WebTitan Cloud for WiFi deployed, access to compromised websites, phishing sites, and other malicious websites will be blocked.
Flexible policy creation means control over the filter can be delegated to different departments, and controls can be applied for different types of users. Cloud Keys can also be created to allow specific users to bypass policy rules.
A full suite of reports ensures detailed information is always available, with email notifications alerting administrators to attempted policy violations and a real-time browsing view is available.
If you want to take control of your WiFi network or are an MSP looking for an easy-to-use multi-tenant solution to allow you to provide a web filtering service to your clients, WebTitan Cloud for WiFi is a quick, easy to use, and low-cost way of providing secure guest WiFi for business users.
Contact TitanHQ today for further information on WiFI guest network security and to find out how WebTItan can protect your business. Our knowledgeable sales staff will be able to advise you on the best way to improve guest WiFi security and will help you choose the best deployment option. If you want to see WebTitan in action before you make a purchase decision, our sales staff will be happy to schedule a product demonstration and help set up a free trial of the solution.
Guest Wi-Fi Security FAQs
How can I improve guest Wi-Fi security?
You must ensure your guest Wi-Fi network is properly configured. You should set a password for access, ensure traffic is encrypted to prevent interception by selecting WPA2 or WPA3 on the router, ensure guest users cannot access and change the router settings, and you should use a content filtering solution to prevent malware downloads and restrict access to inappropriate website content.
What content can I block on guest Wi-Fi networks?
You have full control over the content that guests can access via your Wi-Fi network. With WebTitan Cloud for Wi-Fi, you can block content using 53 pre-defined categories and can create up to 10 categories of your own using your own keywords. Access to specific websites can be allowed or blocked using whitelists and blacklists. All known malicious websites will be automatically blocked.
Can I see what websites guest users are accessing?
A web filtering solution gives you full visibility into the web content that your employees and guest users are viewing, including providing real-time views of Internet access. This information can give you valuable insights into customer behavior which can guide your marketing efforts. You can also run reports to find out the URLs that users have attempted to visit but were blocked by the web filter.
Will a cloud-based web filter for guest Wi-Fi work on all devices?
There is no software to download onto devices and no restrictions on the devices that can connect to your secure Wi-Fi network. WebTitan Cloud for Wi-Fi works with all operating systems and all devices and allows businesses to offer clean, filtered Internet access for customers on Wi-Fi access points. If required, different filtering controls can be set up for different user groups.
Is SSL inspection necessary?
If you have a web filter that does not have SSL inspection, traffic to and from HTTPS websites will be invisible to the filtering solution. That means files downloaded from HTTPS websites cannot be scanned by the AV engines of the web filter. Since many malicious websites have SSL certificates, a web filter with SSL inspection is essential.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
There are many reasons why businesses want to restrict internet access at work. Allowing employees to have unrestricted access to the internet can result in a major drain on productivity. Unfettered internet access can also increase the risk of malware and ransomware downloads, while inappropriate internet access at work can lead to a range of legal issues. Due to the risks involved, it is unsurprising that many firms choose to use a technological solution to enforce acceptable Internet usage policies and block access to malicious websites. This post explores some of the key benefits that come from using a web filter to limit internet access in the workplace and some of the potential problems that can be caused by using content-control software.
The Problem of Personal Internet Use at Work
It is inevitable that employees will slack off from time to time, regardless of whether they have access to the internet but internet access makes slacking off much easier. Simply placing restrictions on the websites that can be accessed will not eradicate time-wasting, but it can allow businesses to make significant gains in productivity. Some employees spend a considerable percentage of the working day on personal internet use, playing online games, or accessing their social media accounts. If every employee in an organization was to spend an hour a day on personal internet use, the productivity losses would be considerable. A company with 100 employees would lose 100 hours a day – That’s a loss of 26,100 working hours a year – and many employees spend much longer each day on personal internet use.
There are other issues that can result from excessive personal internet use at work. When employees use streaming services, download files via P2P networks, or engage in other bandwidth-heavy activities, it will naturally have an impact on internet speeds across the entire organization. Using a web filter to restrict internet access at work and limiting access to certain bandwidth draining activities allows businesses to ensure sufficient bandwidth is available for all employees.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
The Danger of Malware and Ransomware Downloads
If employees are accessing social media websites, downloading files, or are visiting questionable websites, the risk of malware or ransomware downloads increases significantly.
Exploit kits probe for vulnerabilities in browsers and plugins, which are then exploited to silently download malware. Traffic is usually directed to these websites through malicious adverts – termed malvertising – although high-traffic websites are constantly being compromised by hackers who add malicious content such as phishing webpages and malware.
Certain types of websites carry a high risk of resulting in malware infections. Allowing employees to access these sites, many of which are not suitable for work, could easily result in a malware or ransomware download.
The operators of legitimate pornographic websites usually take great care to ensure their sites are not compromised or infected with malware. They are, after all, legitimate businesses. However, pornographic content is often used as a lure to spread malware and there are many disreputable adult sites whose purpose is solely to infect visitors with malware or harvest credit card information. Blocking these NSFW sites not only helps to improve productivity and avoid legal issues, but it also reduces the risk of malware infections.
One of the riskiest online activities is the use of torrents sites and P2P file-sharing networks. There are few – if any – controls over the content that is shared via torrents sites and pirated music and video files are often seeded with malware, spyware, and adware. Illegal software downloads are incredibly risky as malware is often bundled in the executable files used to install the software, or in the accompanying Keygen tools that generate product keys to allow the software to be used.
A malware or ransomware attack can prove incredibly costly. Many companies have experienced ransomware attacks that have resulted in systems being taken out of action for several days or even weeks, causing massive losses as the business grinds to a halt. A ransomware attack can result in an entire network being taken out of action, as was the case with the WannaCry attacks in 2017. The NHS in the UK suffered major disruption as a result of the installation of the malware and mitigating the attacks cost £92 million. The NotPetya wiper malware campaign conducted soon after caused widespread damage. The shipping firm Maersk had its systems infected and the clean-up bill has been estimated to be $300 million.
A web filter will not prevent all malware and ransomware attacks, but it is possible to prevent certain categories of ‘risky’ websites from being visited by employees, the filtering solution can be configured to block the downloading of certain file types, and websites known to contain malware or exploit kits can be blocked. Any attempt to visit one of those websites will direct a user to a block screen. Many businesses decide to restrict internet access at work primarily to protect against malware and ransomware downloads.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Additional Protection Against Phishing Attacks
Phishing is the number one cyber threat faced by businesses. It has been estimated that more than 90% of cyberattacks start with a phishing email. One of the best protections against phishing is a spam filtering solution, which will prevent the majority of malicious messages from being delivered to end users. However, no spam filter is 100% effective and some malicious messages will end up in employees’ inboxes. Employees can be trained how to identify phishing emails and be taught cybersecurity best practices that will reduce susceptibility to phishing attacks, but sooner or later an employee will likely be fooled into clicking a link in an email and will arrive at a phishing website.
When a user is directed to a website and discloses their login credentials, an attacker can gain access to their email account and all the sensitive data contained in that account. The compromised account can also be used to send further phishing emails to other employees in the organization or to customers and business contacts. It is common for a single response to a phishing email to result in several email accounts being compromised.
Phishing attacks are some of the costliest cyberattacks to resolve. Each email in a compromised account must be checked for personally identifiable information and other sensitive data. Manually checking thousands of emails can take weeks and can cost hundreds of thousands of dollars.
A web filter is an additional layer of security that helps organizations improve their defenses against phishing by providing time-of-click protection and blocking attempts to visit malicious websites. When an employee clicks a link to a website that has been added to a blacklist due to past use in phishing campaigns, the user will be directed to a block screen. TitanHQ’s web filtering solution, WebTitan, blocks attempts to access around 60 million malicious websites a week.
Preventing Inappropriate Web Content from Being Accessed
While most employees do not use the internet to access illegal and not-suitable-for-work content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.
In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A survey in Forbes in 2013 revealed 25% of adults have viewed porn at work, while in another survey, 28% of employees admitted to downloading porn at work. Not only is the accessing of pornography at work a major drain of productivity, but it can also lead to the development of a hostile working environment. Pornography can be used to harass and degrade employees, especially women. There have been cases of employees taking legal action against their employers over the failure to implement content controls in the workplace and prevent pornography from being accessed by coworkers.
Many businesses feel the best way to tackle the problem of pornography access in the workplace is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the internet, action can be taken against individuals without having to restrict internet access at work for everyone. This does not always prove effective. Further, when pornography use at work is discovered, employees usually face instant dismissal. That carries a cost to the HR department and productivity losses while new employees are hired and trained.
The easiest solution is to use a web filter to restrict internet access at work. A web filter can be used to block access to specific websites or categories of website content such as pornographic sites and enforce acceptable usage policies. This is one of the most common reasons why businesses restrict internet access at work.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
Problems with Using a Web Filter to Restrict Internet Access at Work
A web filter may seem like a quick and easy solution to solve the above issues, but it should be explained that companies that restrict internet access at work with web filters can encounter problems. If you restrict internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed which delays the loading of websites. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. As more sites switch to HTTPS the problem of latency becomes a real issue.
The solution is to use a DNS-based filtering solution. With DNS-filtering, all filtering occurs in the cloud and there is no latency. There are other benefits too. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware which results in considerable cost savings.
When web filters are used to restrict internet access at work and they lack highly granular controls, there can be issues with the overblocking of website content. Websites that need to be accessed for work purposes may be blocked, which requires the IT support team to spend time whitelisting websites. The solution is to choose a web filter with highly granular controls, which allows content to be easily blocked without also blocking websites that need to be accessed for work purposes.
Should Companies Restrict Internet Access?
While content control software may seem like an ideal way of preventing employees from cyberslacking to make productivity gains, care must be taken when applying those controls otherwise the productivity gains may not be realized. If you restrict internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have a negative effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few? Care must therefore be taken when deciding what types of websites to block. With careful and intelligent control, you can make productivity gains and can avoid any staff issues.
How to Control Internet Usage in Office and Avoid Staff Problems
One of the easiest ways to improve productivity while applying controls over internet access is to use a web filtering solution that allows time-based filtering controls to be applied. Employers can use this feature to restrict internet access at work during busy times and relax controls at others. It is easy to block access to certain sites 100% of the time and others only some of the time. With WebTitan, administrators can set standard controls during busy times such as mornings, and relax controls during breaks or outside of office hours.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
How Can I Block Internet Access on an Employee’s Computer?
There are several ways to block internet access on an employee’s computer. If you want to block internet access totally for a specific employee, be that a temporary or permanent block, you can use your existing network hardware or a firewall rule to block a specific IP address.
A web filter allows much more granular controls to be applied, such as blocking specific websites or categories of websites for a specific employee or group of employees. This option is much easier and less time-consuming if you need to block internet access – or implement partial blocks – for more than one employee. With a cloud-based web filter, these controls can be applied quickly and easily through a web portal that can be accessed by the administrator from any computer.
How to Limit Employee Internet Access Selectively
Many businesses want to know how to restrict internet access for employees without totally blocking access to the internet. With WebTitan it is easy to limit employee internet access selectively. Different controls can be set for different employees or groups of employees. If you have sales staff, you may want to do as much as possible to make sure they are always on the phone, and internet controls may need to be more restrictive. The marketing department may require much more lax controls since they will be required to access a broader range of websites for work. Since the filter integrates with LDAP and Active Directory, setting controls for different users and user groups is simple. You can implement organization-wide controls (e.g. adult content), department controls (social media), and individuals controls through LDAP/AD.
Speak to TitanHQ About Controlling Internet Access In the Workplace
Internet content control is quick, easy, and cost-effective with WebTitan. The solution allows you to easily restrict internet access at work and avoid problems associated with web filtering. If you are interested in curbing personal internet use at work and improving your organization’s security posture, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase and can schedule a product demonstration to see WebTitan in action.
FAQs about Restricting Internet Access at Work
Should I set up a guest Wi-Fi network?
Guest Wi-Fi networks allow visitors to access the Internet through the same equipment as your employees but will ensure that both networks are separated. If a guest user’s device is infected with malware, it will not spread to your primary business network. Guest users will also not be able to access any internal resources or data.
What are the most important guest Wi-Fi security best practices?
Ensure a password is set for the guest network. Make sure that traffic is encrypted using Wi-Fi Protected Access (WPA or WPA2) to prevent data interception. Control the content that can be accessed using a web filter for your Wi-Fi network, and monitor what your guest network is being used for.
What is the cost of a content filter for a Wi-Fi network?
Content filtering for Wi-Fi networks is not expensive considering the protection it provides. Some solutions will cost around $2.50 per user, per month. These tend to be aimed at large enterprises with complex needs. For most businesses, you can get the protection you need for around $1 per user, per month.
Does a web filter work for HTTPS websites?
A web filter will block access to all websites in blacklists, which includes HTTPS websites known to be malicious. A web filter with SSL inspection will decrypt, inspect, then re-encrypt HTTPS sites in real-time and will block access to those sites if they violate user-defined policies.
Is Internet content filtering difficult?
Internet content filtering need not be complicated. With a cloud-based web filter you just make a simple change to point your DNS to your service provider. Log in to your web-based user interface and use the checkboxes to select the content you want to permit or block. All malicious websites will automatically be blocked through the blacklists used by the solution.
For the second year in a row, TitanHQ has collected best-in-category awards from Expert Insights for each of its three products: SpamTitan Email Security, WebTitan Web Security, and ArcTitan Email Archiving.
SpamTitan was recognized and awarded top spot in the Best Email Security Gateway and Best Email Security Solution for Office 365 categories, the DNS-based web filtering solution WebTitan Cloud came top in the Best Web Security Solution category, and the cloud-based email archiving solution, ArcTitan, placed top in the Best Email Archiving Solution for Business category.
The cybersecurity solutions were praised for the level of protection they provided against threats such as malware, ransomware, phishing, viruses, and botnets, with all three solutions recognized for ease-of-use and cost-effectiveness. TitanHQ’s world-class technical and customer support also proved to be a hit with Expert Insights’ researchers and businesses that have adopted the solutions.
Expert Insights is an online publication covering cybersecurity and cloud-based technologies that is used by over 80,000 business leaders, IT professionals and others to obtain invaluable advice to help them make the right purchase decisions. The publication includes insights into B2B products and services, with the UK and US-based teams conducting interviews, industry analyses, and technical product reviews.
Each year, the Fall 2021 Best-of Cybersecurity Awards recognize the leading companies and products for businesses and managed service providers, with the category winners selected based on reviews by independent technical analysts, the Expert insights’ editorial team, and feedback from users of the solutions.
To win one award is a great achievement, but to win 4 shows the commitment of the TitanHQ team to providing businesses with powerful solutions that address their needs that are easy to use and at the right price point, providing timely help and advice for customers whenever it is required.
“TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers,” said Ronan Kavanagh, TitanHQ CEO.
In addition to installing a spam filter to block malware delivery via email, it is important to implement a solution to block drive-by malware downloads. A drive-by malware download is a web-based attack where malware is installed onto a victim’s device
Drive-by malware download attacks are those where malicious programs are downloaded and installed on a device without user consent. The malware may be relatively harmless adware that shows ads to generate income for the developer, spyware that gathers information about a user, or more dangerous malware variants such as keyloggers and banking Trojans that harvest credentials, or even ransomware that encrypts files to extort money from the victim.
Drive-by malware downloads can occur silently, without the user being aware anything untoward has happened by tricking them into visiting a malicious website. That could involve a phishing email with a hyperlink that bypasses an email security solution, occur via a redirect from a compromised website, or by clicking a malicious advert online.
Malicious websites can be encountered simply through normal web browsing and drive-by malware downloads can even occur via legitimate websites. Many websites have third-party ad blocks that generate additional revenue for the website owner. Malicious adverts – termed malvertising – may sneak past the checks performed by third-party ad networks and be displayed to site visitors. If a link is clicked, the user is directed to a malicious website. Threat actors also engage in search engine poisoning, where search engine optimization techniques are used to get malicious websites appearing high up in the search engine listings.
These downloads may occur silently, or individuals may be tricked into downloading malicious software or apps that they believe to be genuine. They install the software and are unaware than malware has also been installed. This week, an alert was issued about a campaign involving a fake .msi installer which is being used to deliver an information stealing malware variant called Jupyter that has been extensively used in attacks on the healthcare and education sectors.
It is important for businesses to protect against drive-by malware downloads, and one of the best ways to do this is by using a web filtering solution. A web filter, as the name suggests, is used to filter out undesirable website content. The consumer versions include parental control solutions on home WiFi networks. Just as you would want to prevent your children from accessing potentially harmful age-inappropriate web content, a web filter is used by businesses to prevent harmful content from being accessed by employees.
WebTitan from TitanHQ is used by businesses, managed services providers, and Internet service providers to block access to malicious, illegal, and other undesirable web content such as pornography and protects against drive-by malware downloads in several ways.
First, it is possible to prevent downloads of certain file types from the Internet – The file types commonly associated with malware (.exe, .js, and .msi for example). Another control to prevent malware downloads is the use of blacklists of IP addresses and domains that have previously been identified as being used for malware distribution. The solution can also be configured to block access to risky website categories that are often used for malware distribution, such as peer-2-peer file sharing networks.
WebTitan is quick and easy to implement and configure, has no impact on page low speeds, can protect any number of users including on-site and remote workers, and the solution is automatically updated with the latest threat intelligence to block malicious content as soon as it is detected.
If you want to block drive-by malware downloads, improve protection against phishing attacks, and carefully control the web content that can be accessed via your wired and wireless networks, contact TitanHQ today for more information about WebTitan. Product demonstrations can be arranged on request, and you can take advantage of a free 14-day trial of the solution.
A new SharePoint phishing scam has been detected which attempts to steal Office 365 credentials from business users. those credentials are subsequently used to gain access to sensitive company information stored in the cloud and email accounts which can be used in phishing and business email compromise attacks.
The scam emails used in this campaign are similar to those used in countless Google Docs phishing scams. The messages appear at face value to be genuine attempts by employees and contacts to collaborate through the sharing of files. Most of these scams are concerned with spreading malware. The documents usually contain malicious macros which download the malware payload if allowed to run. JavaScript and VB scripts are also used to achieve that aim. However, due to the value of Office 365 accounts, hackers are increasingly conducting attacks to gain access to Office 365 credentials.
The latest scam uses messages that appear to be standard quests to collaborate on SharePoint. This SharePoint phishing scam includes a hyperlink to a genuine SharePoint document, which may not be flagged as malicious since the file itself does not contain malware.
The SharePoint file advises the user that the content they are looking for has been uploaded to OneDrive for Business and a further click is necessary to access the file. A hyperlink named “Access Document” is included in the SharePoint file along with the genuine OneDrive for Business logo. At face value, the document does not appear to be malicious, although checking the destination URL of the link will reveal that it directs the user to a suspect website.
After clicking the link, the user is presented with a login window for Office 365 and their Microsoft Office 365 credentials must be entered to proceed. Entering Office 365 credentials at this point will see them harvested by the scammers running this campaign. The user is unlikely to realize that they have been successfully phished as after entering their credentials they will be directed to the genuine Office 365 web page.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
This SharePoint phishing scam is being used in targeted attacks on businesses. SharePoint is commonly used by businesses for collaboration, so there is a high probability that employees will be used to receiving such requests. Finding email addresses for business users is also straightforward. Lists can be purchased on darknet marketplaces and hacking forums, or they can be obtained from professional social networking sites such as LinkedIn.
This SharePoint phishing scam, Google Docs phishing scams, and similar campaigns spoofing Dropbox are commonplace and are highly effective. They take advantage of familiarity with these collaboration services, trust in the brands, and the lack of security awareness of employees. These brand impersonation attacks use email formats that are identical to those used in genuine collaboration requests, including correct logos, formatting and genuine-looking links, and can be difficult for end users to identify as malicious.
Preventing these SharePoint spoofing scams requires technological solutions to stop the messages from being delivered and links from being followed. Standard Office 365 anti-phishing protections are not particularly effective at blocking threats such as these. Businesses will be better protected using a dedicated anti-phishing solution on top of Office 365. SpamTitan is an award-winning anti-spam and anti-phishing solution that works seamlessly with Office 365 and provides superior protection against phishing attacks. SpamTitan uses a wide range of innovative techniques to identify malicious emails and block them at source to prevent them from reaching end users’ inboxes.
Security awareness training is also vitally important to condition employees to stop and think before taking any action requested in an email and to raise awareness of the use of collaboration requests in phishing campaigns.
If you want to improve email security and better defend your organization against phishing attacks, contact the TitanHQ team today and request further information on SpamTitan. Product demonstrations can be arranged on request, free trials of the full product are available with full support during the trial, and a range of deployment options are available to suit the needs of your business. Also consider using a web filter such as WebTitan, which will block attempts to block websites used for phishing and malware distribution.
The dangers of public Wi-Fi are well documented, but the increase in remote working means the threat has grown. During the pandemic, many businesses had little option other than to allow their employees to work remotely. Remote working during the pandemic meant employees working from home, but now that COVID-19 restrictions are easing the dangers of public Wi-Fi have reared their head one again. Many businesses have seen benefits to remote working and are continuing to allow employees to work from home, while many others are considering adopting a hybrid working model, where employees can work remotely for at least some of the week.
The Dangers of Public Wi-Fi
There are a variety of risks when accessing the Internet over public Wi-Fi networks, one of the most serious being the Wi-Fi access point that people connect to is not actually the Wi-Fi network of the establishment where employees are working. It is all too common for threat actors to set up rogue access points that resemble the legitimate Wi-Fi access points that they spoof. Through those access points – often referred to as evil twins – connections are monitored, and no communicated data are secure.
Attackers often inject malicious proxies, eavesdrop on network traffic, and use redirects to send Wi-Fi users to malicious websites. While perhaps unlikely in a local coffee shop, it is possible to compromise wireless technologies such as Bluetooth and Near Field Communication (NFC), and these tactics are commonly used, especially in foreign countries. If Bluetooth and NFC are enabled, an attacker could scan for nearby devices and gain information that could allow them to identify and target a particular individual.
How to Reduce Risk
There are various steps that remote workers should take to ensure they do not unwittingly fall victim to a malware infection, disclose their credentials in a phishing attack, or otherwise compromise their device, and in turn, the network of their employer. The most straightforward of these measures is to simply not use public Wi-Fi networks, although that is not always possible for travelling employees.
If it cannot be avoided, it is important to connect to a Wi-Fi hotspot that has encryption and strong authentication, as security will be greater. It is never a good idea to connect to any Wi-Fi network that has no security and does not require a password to connect, but it can be difficult to determine how good Wi-Fi security actually is.
It is important to remember that having a password on a Wi-Fi access point does not mean there is data encryption, so any transmitted data may be intercepted. Even with encryption, if an attacker knows the pre-shared key, the encryption is rendered useless as data can easily be decrypted.
It is also possible to force a network into using unsecure protocols or obsolete algorithms, and there are widely available open-source tools that can easily be used to capture credentials and other sensitive data.
It is therefore important to take precautions. For employees, the steps are straightforward. Avoid public Wi-Fi networks if at all possible and avoid disclosing any sensitive data on websites that do not start with HTTPS. Bear in mind that hackers can set up HTTPS websites just as easily as anyone else so be sure not to place too much reliance on https for providing security.
Employees should avoid disclosing any sensitive data or accessing their email or work network entirely over public Wi-Fi if possible, and to ensure that tools supplied by employers – such as a VPN – are used.
Employers should ensure a Virtual Private Network (VPN) is available to employees and there is sufficient capacity to allow all workers to connect. Employers can – and should – extend the protection of their web filtering solution to remote workers’ devices. Web filters will block access to known malicious websites and can block malware downloads. Solutions such as WebTitan are easy to configure to protect remote workers’ devices, and filtering controls will then be applied just as if the employees are in the office.
Standard cybersecurity best practices should also be followed, such as ensuring patches and software are kept up to date, including VPNs. Multifactor authentication should be enabled and anti-malware software installed. Anti-spam solutions – SpamTitan for example – should also be implemented to block email attacks, and firewalls should be used to prevent unauthorized inbound and outbound connections.
It is also recommended to disable Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) on Windows laptops and to configure Web-Proxy Autodiscovery Protocol (WPAD) to use only corporate proxy servers and to turn off device file and printer sharing on public networks.
In this post, we explore some of the common wireless network attacks and offer advice on simple steps that can be taken to secure wireless networks and prevent costly data breaches.
Many Businesses are Neglecting WiFi Security
Many businesses have moved from wired to wireless technologies which has had a negative impact on their security posture. Wired networks are generally a lot easier to secure than wireless networks, and poor implementation often introduces vulnerabilities in WiFi networks. Many businesses also fail to perform a thorough risk analysis which means those vulnerabilities are not identified and addressed. Because of these security flaws, and the ease of exploiting them, wireless networks attacks are common.
The Importance of WiFi Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something many people take for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided free of charge. The decision to use a particular establishment is often influenced by whether free WiFi is available, but increasingly the quality of the connection is a factor in the decision process.
The quality of the WiFi on offer is not just a question of there being enough bandwidth and fast internet speeds. Parents often choose to visit establishments that provide secure WiFi with content control, for instance, businesses that have been verified under the Friendly WiFi scheme. In order to be accredited under the scheme, businesses must have implemented appropriate filtering controls to ensure minors are prevented from accessing age-inappropriate material.
The massive rise in cyberattacks via public WiFi networks coupled with warnings about WiFi risks in the mainstream media has seen many consumers favor establishments that offer secure WiFi access.
If you run a business and are providing WiFi to customers or if you are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of the network. The past couple of years have seen many attacks on WiFi networks and customers who use those wireless services. The increase in WLAN attacks means WiFi security has never been so important.
Before covering some of the most common wireless attacks, it is worthwhile exploring some of the common wireless network vulnerabilities that can be exploited to eavesdrop on traffic, infect users with malware, and steal sensitive information.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Common Wireless Vulnerabilities
Listed below are some of the most common wireless network vulnerabilities and steps that can be taken to prevent the vulnerabilities from being exploited. These wireless network vulnerabilities could easily be exploited in real-world attacks on wireless networks to steal sensitive data, take control of a router or connected device, or install malware or ransomware.
Use of Default SSIDs and Passwords
WIFi access points are shipped with a default SSID and password which need to be changed, but all too often, those default passwords are left in place. That makes it easy for an attacker to log in and take control of the router, change settings or firmware, load malicious scripts, or even change the DNS server so that all traffic is directed to an IP owned by the attacker. Default passwords must be changed to prevent anyone within range of the signal from connecting and sniffing traffic.
If wireless controllers are used to manage WiFi access points via web interfaces, make sure the default passwords are also changed. These default passwords can be easily found online and can be used to attack wireless networks.
Placing an Access Point Where Tampering Can Occur
If the access point is placed in a location where it can be physically accessed, tampering can occur. It takes just seconds to revert the access point to factory default settings. Make sure the access point is located in a secure location, such as a locked closet.
Use of Vulnerable WEP Protocol
The Wired Equivalent Privacy (WEP) protocol was the first protocol used to encrypt wireless traffic. WEP, as the name suggests, was intended to make wireless networks as secure as their wired counterparts, but that does not make WEP wireless networks secure.
WEP is based on the RC4 cypher, which is secure. The problem is how RC4 is implemented in WEP. WEP allows an initialization vector to be re-used, and the re-use of keys is never a good idea. That allows an attacker to crack the encryption with ease. Several other vulnerabilities have been identified in WEP which make it far from secure.
Even though WEP has been depreciated and there are much more secure wireless encryption protocols to use, many businesses continue to use WEP in the mistaken belief that it is secure. WEP is more secure than no encryption at all – bad security is better than no security – but there are much more secure options for encrypting WiFi traffic. If you want to improve security and prevent WLAN attacks, upgrade to WPA2 or WPA3, which use the much more secure Advanced Encryption Standard (AES) and lack the vulnerabilities of WEP.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
WPA2 Krack Vulnerability
WPA may be more secure than WEP, but it is not without its own wireless vulnerabilities. Two Belgian researchers – Mathy Vanhoef and Frank Piessens of the University of Leuven – identified a serious flaw in the WPA security protocol. The flaw was named KRACK, short for Key Reinstallation Attack. The flaw can be exploited in a man-in-the-middle attack to steal sensitive data sent via the WPA encrypted WiFi connection. If the WPA flaw is exploited, an attacker could eavesdrop on traffic and obtain banking credentials, passwords, and credit card information.
The vulnerability exists in the four-way handshake. An encrypted WPA2 connection starts with a four-way handshake, but not all parts of that handshake are required. To speed up re-connections, the third part is retransmitted. That third part of the handshake may be repeated several times, and it is this step that could be used in a wireless network attack.
By repeatedly resetting the nonce transmitted in the third step of the handshake, an attacker can gradually match encrypted packets and discover the full keychain used to encrypt traffic.
A threat actor could set up a clone of a WiFi access point that a user has previously connected to – an evil twin. To the user, nothing would appear untoward as Internet access would be provided via that evil twin. An attacker can force a user to connect to the cloned WiFi network and all information sent via that evil twin WiFi network can be intercepted. While the attack will not work on sites with SSL/TLS encryption, tools can be used that make this possible by forcing a user to visit an HTTP version of the website.
In order to execute a KRACK WiFi attack, the WiFi network must be using WPA2-PSK or WPA-Enterprise and the attacker needs to be within range of the WiFi signal. Virtually all routers currently in use are vulnerable to KRACK WiFi attacks. The best defense is to keep routers up to date and for users to only connect to wireless networks using a paid-for, up-to-date VPN. The issue has been addressed in WPA3, which is supported by the latest wireless access points. However, even with this exceptionally common wireless network vulnerability, WPA2 is still far more secure than WEP.
NetSpectre – Remote Spectre Exploit
Spectre is a vulnerability that affects microprocessors that perform branch prediction. The vulnerability can be exploited to allow an attacker to access chosen virtual memory locations and thus obtain sensitive data. In order for the flaw to be exploited, an attacker would first need to convince a user to download and run malicious code or to visit a website where JavaScript is run in the browser. Researchers at Graz University of Technology have developed a new type of attack that can be performed via network connections, including WiFi networks. The attack – termed NetSpectre – is fortunately complex so there are far easier ways to attack an organization. The risk of exploitation is therefore low.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
What are the Most Common Wireless Network Attacks?
Many of the most common wireless network attacks are opportunistic in nature. WiFi hackers look for wireless networks that are easy to attack.
Hackers are more than happy to take advantage of poor security controls to gain access to sensitive information and distribute malware. Why waste time attacking well-secured WiFi networks when there are plenty with scant or no security?
Poorly secured WiFi networks are also targeted by more sophisticated cybercriminals and organized crime groups to gain a foothold in the network. The attacks can be extremely lucrative. Access to a business network can allow ransomware to be installed and if malware can be installed on POS systems, the credit/debit card numbers of tens or hundreds of thousands of customers can be stolen.
Types of Wireless Network Attacks
There are several different types of WiFi attacks that hackers use to eavesdrop on wireless network connections to obtain passwords and banking credentials and spread malware. The main types of WiFi attacks are detailed below.
Fake WiFi Access Points, Evil Twins, and Man in the Middle Attacks
Visitors to hotels, coffee shops, and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken when connecting. Customers often choose the WiFi access point based on the SSID without checking it is the wireless network set up by a particular establishment for customer use.
Criminals can easily set up fake WiFi access points, often using the name of the establishment in the SSID. An SSID called ‘Free Airport WiFi’ would be enough to get many people to connect. When customers connect to these rogue WiFi networks they can still access the Internet, so are unlikely to realize anything is wrong. However, once connected to that network, everything they do online will be monitored by cybercriminals. Sensitive information entered online, such as email addresses and passwords, credit card numbers, or banking credentials, can and will be stolen.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in a coffee shop drinking a latte while monitoring the traffic of everyone that connects. Alternatively, they can use a router with the same name and password as the one currently in use. This may also have a stronger WiFi signal, which may see more people connect. Through the “evil twin” all traffic will be plainly visible to the attacker and all data sent over the network can be captured.
Fake access points and evil twins are among the most common wireless network attacks. They are easy to conduct, require little technical skill, and are very effective. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
Packet Sniffing: Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked even basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the 10 busiest malls in the USA had risky WiFi networks.
One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use packet sniffers to intercept traffic on unencrypted WiFi networks. Packet sniffing is one of the most common wireless attacks.
These common wireless network attacks are easy on older routers, such as those using WEP encryption. WPA offers better security, WPA2 is better still, or ideally, the new WPA3 encryption protocol should be used if it is supported by your access point.
Wardriving
Wardriving is a technique used to identify and map vulnerable access points. The name comes from the fact that attackers drive around a neighborhood and use a laptop with a GPS device, antenna to identify and record the location of wireless networks. This technique is effective since many WiFi networks used by businesses extend beyond the confines of the building and poor security controls are applied to secure those networks.
Warshipping
Warshipping is a more efficient method of attacking WiFi networks as it allows attacks to be conducted remotely, even if the attacker is not within range of a WiFi network. The tactic was explained by IBM X-Force Red researchers at Black Hat USA. They used cheap (under $100) and easy-to-obtain components to create a single-board computer with WiFi and 3G capabilities that runs on a cell phone battery. The device can be used to locally connect to the WiFi network and send information back to the attackers via the 3G cellular connection.
Since the device is small, it can easily be hidden inside a small package, and getting that package into a building is easy. It can just be mailed. Since the package may be addressed to someone not working it the company, it could sit in the mailroom for a while before it is opened. Since the package can be tracked, the attackers will know when it is in the building. Alternatively, it could be hidden in any number of items from plant pots to teddy bears. If the device is within range of WiFi networks, it could be used to attack those networks.
Hashed network access codes can be sent back to the attackers to crack, and the device can then connect to WiFi networks in the building and harvest data. The device could be used in a man-in-the-middle attack by impersonating an internal WiFi network.
MAC Spoofing
Many businesses use MAC filtering to prevent specific devices from connecting to their WiFi networks. While this is useful for preventing individuals from taking advantage of free WiFi for customers, this method of blocking users can be easily bypassed. It is easy to spoof a MAC address and bypass this filtering control.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Examples of WiFi Network Attacks
Attacks on wireless networks are not just theoretical. Listed below are some examples of common wireless networks attacks that have resulted in the installation of malware or theft of sensitive information. These latest wireless security attacks could easily have been prevented had appropriate security controls been implemented.
Latest Wireless Security Attacks
Tel Aviv Free WiFi Network Hacking Incident
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure on the network. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no major vulnerabilities, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he was so inclined, he could have intercepted the traffic from tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable nonetheless due to the rise in the use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. These devices can be vulnerable to supply chain attacks – Where hardware is altered to allow the devices to be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
In-Flight WiFi Network Hacking from the Ground
Cybersecurity expert Ruben Santamarta has demonstrated it is possible to hack into airline WiFi networks from the ground and view the internet activity of passengers and intercept their information. More worryingly, he was also able to gain access to the cockpit network and SATCOM equipment. He claims the same technique could be used for ships, industrial facilities, and even military installations. He explained how he did it in his “Last Call for SATCOM Security” presentation at the 2018 black hat hacker conference.
Orange Modems Leaking Wi-Fi Passwords
A vulnerability has been identified in Orange LiveBox ADSL modems that causes them to leak the SSID and WiFi passwords in plaintext. The flaw was identified by Bad Packets researchers who observed their honeypots being actively attacked. A search on Shodan showed there are nearly 20,000 vulnerable Orange modems that leak Wi-Fi passwords and SSIDs in plaintext. In many cases, the default credentials of admin/admin were still being used! The flaw means the WiFi networks could easily be attacked remotely. Attackers could change device settings, alter firmware, and even obtain the phone number and conduct a range of other attacks.
WeWork WiFi Security Flaws
WeWork, a provider of custom workspaces, private offices, and on-demand workspaces equipped with high-bandwidth WiFi, has made an error implementing those WiFi networks which makes them far from secure.
WeWork used the same WiFi password at many of its shared offices for several years. To make matters worse, that password was weak and regularly features in the top 25 lists of extremely poor passwords. However, there was no need to guess it as it was available through the WeWork app in plaintext. Such a simple yet serious error placed all users of those workspaces at risk for several years. The researchers investigated several locations in San Francisco and found the same weak password used at multiple locations. Further, the WiFi network was only protected with WPA2 Personal security.
Teemu Airamo checked the security of the workspace he had just moved into and found hundreds of other companies’ devices exposed. Subsequent scans on the WeWork network revealed an enormous amount of sensitive data had been exposed. Password reuse is never a good idea, and neither is using dictionary words or heaven forbid, any of the top 25 lists of shockingly awful passwords.
Protection from web-based threats and precision Internet content control for your workforce. Book a FREE WebTitan demo. Book Free Demo
WiFi Networks Can be Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network or customers requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers and poor WiFi security is likely to be exploited sooner or later. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks and keep the WiFi network secure.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature that will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – A more complicated setup that will require you to seek professional advice on security.
Encrypt WiFi Traffic with WPA2 or WPA3
If you have an old router that does not support WPA2 encryption it’s time for an upgrade. WPA2 is the minimum standard for WiFi security, and while it can still be cracked, it is time-consuming and difficult. WPA3 has now been released and an upgrade should be considered. You should also make sure that WPS is turned off.
Update Firmware Promptly
All software and devices contain vulnerabilities and require updating. Software should be patched and devices such as routers will need to have their firmware upgraded when new versions are released. Check your device manufacturer’s website periodically for details of firmware updates and ensure your device is updated.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID in a prominent place where they can see it.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also, ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised when your business is closed, it increases the risk of an attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters although more is better. Alternatively use a 14-character+ passphrase.
Protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. Book a FREE WebTitan demo. Book Free Demo
Use a Web Filter
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and web pages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats such as drive-by downloads, exploit kits, and phishing. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases or software downloads as it is 100% cloud-based, can be managed and monitored from any location, and can help protect you against the most common wireless network attacks.
How Does WebTitan Cloud for WiFi Work?
Features of WebTitan Cloud for WiFi
No hardware or software installation required
Quick and easy to implement
Fast: DNS solution provides almost zero additional latency
Supports both static and dynamic IPs addresses
No specialist training required
Protects against all web-based threats
Precision control over the content that can be accessed over WiFi
Instant alerts about users trying to access restricted content
Can be integrated into existing systems for easy management
Available to MSPs and resellers in white-label form
Fully multi-tenanted platform
WebTitan Cloud for WiFi, live all TitanHQ solutions, is available on a free trial for you to evaluate the full solution in your own environment. During the trial, you will receive full product support to ensure you get the most out of your trial.
Contact TitanHQ today to arrange your trial, for details of pricing, or to book a product demonstration. Our Customer Service team will be more than happy to answer any questions you have about the product.
Web Filtering FAQs
How can I make my guest Wi-Fi network secure?
You should change your SSID from the default, set a strong password, enable encryption (WPA2 or WPA3), prevent guests from accessing router settings and local network resources, and set up a web filtering solution to restrict access to potentially harmful web content.
How much does content filtering cost?
You can expect to pay between $1 and $3 per user, per month depending on the Wi-Fi content filtering solution you choose. At TitanHQ, we offer powerful content filtering at an affordable price for all businesses. WebTitan Cloud for Wi-Fi starts at $1.01 per user per month.
What is the best way to block phishing attacks?
Two anti-phishing solutions that businesses should implement are an email security gateway or spam filter to block malicious emails and a web filter to prevent employees from visiting phishing websites, either from links in malicious emails or through web browsing and redirects.
How easy is it to start filtering the Internet?
With WebTitan Cloud for Wi-Fi, content filtering is easy. Simply point your DNS to WebTitan, log in to your web-based user interface, then select the categories of content you want to block. It is that simple. Everything is intuitive and you have additional options if you want more precise control or need to implement different controls for different user groups. If ever you get stuck, you benefit from world-class customer support to get you back on track.
Should I enable SSL inspection?
SSL inspection allows you to inspect traffic to and from encrypted websites. Since most websites now secure the connection between the site and browser, this traffic will be invisible unless you enable SSL inspection. Malicious websites often have SSL certificates and will pose a serious threat if traffic is not inspected.
A new version of WebTitan Cloud has been released – WebTitan Cloud 4.16 – that includes support for Azure Active Directory and introduces a new school web filtering solution – WebTitan OTG (on-the-go) for Chromebooks.
The new version of WebTitan Cloud includes DNS Proxy 2.06 which supports filtering of users in Azure Active Directory, in addition to on-premise AD and directory integration for Active Directory. Further directory services will be added to meet customer needs and ensure they can enjoy the benefits of per-user filtering with exceptional ease of management. – Further information on the Azure AD app is available here.
Existing WebTitan customers need do nothing to get the latest WebTitan Cloud release as the solution will be updated automatically.
WebTitan OTG for Chromebooks
Using WebTitan OTG for Chromebooks provides an effective way to apply filtering policies to your Chromebooks from the cloud.
WebTitan OTG for Chromebooks is a new web filtering solution for the education sector that allows schools to carefully control the websites that can be access by students both in the classroom and offsite, including in student’s homes.
Schools can easily devise filtering policies for all pupils or specific age groups and apply those filtering polices in the cloud. The solution allows schools to enforce the use of Safe Search and prevent access to age-inappropriate web content to keep students safe.
WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion, while also ensuring compliance with federal and state laws such as the U.S. Children’s Internet Protection Act (CIPA).
The solution is cost effective for schools to implement, setup and management is quick and easy, and administrators can schedule or run usage reports on demand and have full visibility into Chromebook users’ online activities and locations. It is also possible to lockdown Chromebooks to prevent students from circumventing the web filtering controls.
As with all WebTitan Cloud solutions, there is no need for any on-premises hardware, no proxies or VPNs required, and there is no impact on Internet speed as filtering takes place at the DNS-level before any content is downloaded.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
The disruption to learning from a pandemic that has lasted more than a year is bad enough, but many schools have experienced even more disruption just as many have opened their gates and allowed students back into classrooms. The SARS-CoV-2 virus may have been brought under control thanks to lockdown measures and the rollout of vaccines, but another type of virus is proving to be a major threat – ransomware.
FBI Warns of Targeted Ransomware Attacks on K12 Schools and Higher Education
Ransomware attacks on schools have been stepped up in recent months and schools and higher education institutions are being actively targeted. In the United States, the Federal Bureau of Investigation recently issued an alert to the education sector warning about the threat of attacks involving Pysa ransomware. The threat actors behind this ransomware variant have been actively targeting K12 schools, higher education, and seminaries. Buffalo City Schools were forced to close their schools in March following a ransomware attack that crippled their IT systems, just before students were about to return to classrooms as part of a phased reopening of schools.
The ransomware is deployed manually after compromising the network. The attack often starts with a phishing email, which gives the attackers the foothold in the network they need. They then conduct reconnaissance, move laterally, and compromise entire networks before deploying their ransomware.
Prior to running the encryption routine that cripple IT systems, the attackers steal sensitive data. Files containing student information are obtained and threats are issued to publish or sell the stolen data if the ransom is not paid. The gang, like many others, has a leak site and routinely follows through on the threat.
Spike in Ransomware Attacks on UK Schools
Ransomware attacks on schools are not confined to the United States. The Pysa ransomware gang is also targeting schools in the United Kingdom and many other countries, and the Pysa gang is not alone. Many other ransomware operations have been attacking schools.
Following a rise in ransomware attacks on UK schools, the UK’s National Cyber Security Centre (NCSC) issued an alert to educational institutions about the growing threat of attacks. NCSC has observed an increase in ransomware attacks on schools from late February 2021, which coincides with students returning to classrooms after an extensive period of school closures due to the pandemic.
The NCSC said there is no reason to believe that these attacks are being conducted by the same criminal group. This appears to be the work of multiple threat groups. These attacks have caused varying levels of disruption, including rendering entire networks inoperable, disabling email and websites, and hampering the ability of students to learn. In some cases, students have lost coursework as a result of the attacks, records of COVID-19 tests have been rendered inaccessible, and school financial records have been lost.
Unfortunately, even paying the ransom is no guarantee of being able to recover encrypted files. While the attackers claim they have the keys to unlock the encryption, they may not be provided. There is also no guarantee that stolen data will be deleted when the ransom is paid. There have been many cases when further ransom demands have been issued after payment has been made.
Adopt a Defense in Depth Strategy to Block Ransomware Attacks
The Department for Education (DfE) has recently urged UK schools to review their cybersecurity defenses and take the necessary steps to harden their defenses against cyberattacks. The NCSC explained that there is no single cybersecurity solution that will provide protection against these attacks. What is required is a defense in depth approach to security.
Defense in depth means implementing multiple overlapping layers of security. If one layer fails to block an attack, others are in place to block the attack.
In practice this means good patch management – applying updates to software, firmware, and operating systems promptly. Antivirus software must be installed on all devices and be kept up to date. Spam filtering solutions should be implemented to block the phishing emails that give the attackers access to the network. These filters can also be used to block email attachments that are not typically received.
Web filters should be used to block access to malicious websites. These filters inspect the content of websites to determine if it is malicious. They also categorize web content, and the filters allow schools to carefully control the types of content that students and staff can access to reduce risk.
Multi factor authentication should be implemented on all remote access points and email accounts, remote access ports that are not being used should be blocked, and a VPN should be used for remote access. The rule of least privilege should be applied for remote access and all staff and student accounts.
It is also recommended to prevent all non-administrator accounts from being able to install software, office macros should be disabled, as should autorun on portable devices.
It is also vital that all files are backed up daily and backups tested to make sure file recovery is possible. Backups should be stored on non-networked devices and must not be accessible from the systems where the data resides. Ideally, multiple backup copies should be created with at least one stored on an air-gaped device.
TitanHQ is proud to announce three of its innovative products have been named winners at the Experts Insights’ 2021 Best-Of Awards in the Web Security, Email Security Gateway, and Email Archiving categories.
Expert Insights helps businesses identify the most powerful, innovative, and ease to use cybersecurity solutions through its website, and helps clear up the confusion about cybersecurity solutions through objective reviews, industry analysis, and interviews with industry leaders. The top cybersecurity products are listed on the website along with reviews and ratings from genuine users of the solutions. Expert Insights now helps more than 40,000 businesses each month select the most appropriate cybersecurity solutions to meet their needs.
The leading cybersecurity companies and their products are recognized each year in the Expert insights’ “Best-Of” Awards. Products are assessed by technology experts and the Expert Insights’ Editorial Team based on many factors, including market presence, technical features of the products, ease-of-use, and ratings by verified users of the products. Winners are selected in a range of different categories such as email security, web security, endpoint security, multi-factor authentication, backup, and many more.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
TitanHQ was recognized for the WebTitan DNS filtering solution, which was named a winner in the Web Security category, SpamTitan was named a winner in the Email Security category, and ArcTitan was named a winner in the Email Archiving category. In addition to the level of protection provided, each solution is consistently rated highly on price and ease of use by enterprises, SMBs, and Managed Service Providers. The solutions are used by more than 8,500 businesses and over 2,500 MSPs in more than 150 countries. In addition to the high ratings on Experts’ Insights, the solutions have received top marks on G2 Crowd, Capterra, GetApp, Software Advice, and Google Reviews.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Cybercriminals use many tactics to obtain credentials that they then use to remotely access corporate accounts, cloud services, and gain access to business networks. Phishing is the most common method, which is most commonly conducted via email. Attackers craft emails using a variety of lures to trick the recipient into visiting a malicious website where they are required to enter their credentials that are captured and used by the attackers to remotely access the accounts.
Businesses are now realizing the benefits of implementing an advanced spam filtering solution to block these phishing emails at source and ensure they do not reach inboxes. Advanced antispam and anti-phishing solutions will block virtually all phishing attempts, so if you have yet to implement such a solution or you are relying on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.
Phishing is not only performed via email. Rather than using email to deliver the hook, many threat groups use SMS or instant messaging platforms and increasing numbers of phishing campaigns are now being conducted by telephone and these types of phishing attack are harder to block.
Smishing for Credentials
When phishing occurs through SMS messages it is known as Smishing. Rather than an email, an SMS message is sent with a link that users are instructed to click. Instant messaging platforms such as WhatsApp are also used. Many different lures are used, but it is common for security alerts to be sent that warn the recipient about a fraudulent transaction or other security threat that requires them to login to their account.
Recently, Allied Irish Bank (AIB) customers in Ireland were targeted with such as smishing campaign. The SMS message advises the recipient that there has been a suspected fraudulent transaction which they are required to review by clicking a link and logging in. Their credentials are harvested, and they are instructed to provide codes from their card reader or one-time passwords as part of the security check. Doing so will allow the scammers to access the account and make fraudulent transactions. A variation on this theme involves the user being told they have been locked out of their account.
In this campaign the scammers use a URL on the domain secureonlineservicepayeeroi.com, although these domains frequently change. Many campaigns mask the destination URL using URL shortening services, and one recent campaign conducted by an Iranian threat group used a seemingly legitimate google.com URL and several redirects before the user landed on the phishing page. Smishing is also often used in PayPal phishing attacks using messages warning about the closure of an account.
Vishing Attacks on Businesses Spike
In December 2019, the U.S. Federal Bureau of Investigation (FBI) identified a campaign where cybercriminals were conducting phishing over the telephone – termed vishing. Since then, the number of cases of vishing attacks has increased, prompting the FBI and the Cybersecurity and Infrastructure Security Agency to issue a joint alert in the summer about a campaign targeting remote workers. This month, the FBI has issued a further alert following a spike in vishing attacks on businesses.
Cybercriminals often target users with high levels of privileges, but not always. There has been a growing trend for cybercriminals to target all credentials, so all users are at risk. Once one set of credentials is obtained, attempts are made to elevate privileges and reconnaissance is performed to identify targets in the company with the level of permissions they need – I.e. permissions to perform email changes.
The scammers make VoIP calls to employees and convince them to visit a webpage where they need to login. In one attack, an employee of the company was found in the company’s chatroom, and was contacted and convinced to login to their company’s VPN on a fake VPN page. Credentials were obtained and used to perform reconnaissance. Another target was identified that likely had advanced permissions, and that individual was contacted and scammed into revealing their credentials.
How to Block Smishing and Vishing Attacks
Blocking these types of phishing attacks requires a combination of measures. In contrast to email phishing, these threats cannot be easily blocked at source. It is therefore important to cover these threats in security awareness training sessions as well as warning about the risks of email phishing.
A web filtering solution is recommended to block attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to control the websites that employees can access on their corporate-issued phones and mobile devices and will provide protection no matter where an employee accesses the Internet.
It is also important to set up multifactor authentication to prevent any stolen credentials from being used by attackers to remotely access accounts. The FBI also recommends granting network access using the rule of least privilege: ensuring users are only given access to the resources they need to complete their jobs. The FBI also recommends regularly scanning and auditing user access rights given and monitoring for any changes in permissions.
The Internet opened up a world of new opportunities for businesses, allowing them to get in touch with customers around the world, explore new markets, find new suppliers, and access a wealth of knowledge. Web filtering solutions allow businesses to control internet access and monitor its use by employees and guest users, but why is web filtering in the workplace necessary, what are the benefits, and what are the risks of not filtering the internet? In this post we will explore the benefits of web filtering in the workplace.
What Exactly is a Web Filter?
You will no doubt be aware of spam filters, which are used to carefully control what emails are delivered to inboxes, blocking threats such as phishing emails and malware. Spam filters may also scan outbound email and apply controls to prevent data loss and malicious emails from being sent externally. A web filter performs a similar function for Internet access.
A web filter sits between your end users and the Internet and applies controls over the websites that can be accessed and the files that can be downloaded. The main function of a web filter is content control to restrict access to NSFW websites and block phishing websites and malware downloads.
Reasons for Web Filtering in the Workplace
There are many different reasons for web filtering in the workplace. These include:
Blocking access to inappropriate web content
Web filters are often used to prevent employees from accessing NSFW content such as pornography, images of violence, and hate speech, which can lead to the development of a hostile work environment. Businesses such as coffee shops, along with libraries and schools, use web filtering to create a family-friendly online environment and prevent minors from accessing age-inappropriate content.
Blocking online threats
Phishing attacks are now commonplace and there is a significant risk of malware being downloaded from the Internet. A web filter blocks these threats, by first preventing users from accessing known malicious websites and secondly by preventing downloads of malicious files.
Controlling bandwidth use
There will be a limited amount of bandwidth available and sometimes that bandwidth may be squeezed, resulting in considerable latency that affects all Internet users on the network. A web filter can be used to restrict bandwidth use by blocking certain online activities – video streaming for instance – ensuring sufficient bandwidth is available for all.
Improving productivity
The Internet makes slacking off very easy for employees. Business can suffer major productivity losses from employees accessing certain types of websites which serve no purpose in the workplace. A web filter can be used to block access to social media networks, dating websites, gambling and gaming sites, and video streaming services such as YouTube.
Preventing legal issues
Legal issues can arise from uncontrolled Internet use. If an employee or user of a Wi-Fi network engages in illegal activity, the business owner may be liable for their actions. For instance, illegal software, music, and video downloads from P2P file sharing networks. Web filters can also prevent data theft by blocking access to file sharing sites.
Monitoring Internet use
You may want to adopt a permissive approach and only restrict access to illegal content and malicious websites, but a web filter gives you insights into what users are doing online. This can help you to prevent and resolve HR issues and identify insider threats.
How Web Filtering in the Workplace is Achieved?
There are several ways that web filtering in the workplace can be implemented. A physical appliance can be purchased through which all Internet traffic is routed, with controls applied by a system administrator. Cloud-based web filters are now much more popular. With filtering taking place in the cloud, no equipment purchases are required.
DNS-based web filtering sees filtering take place at the DNS lookup stage of a web request, with filtering occurring without content being downloaded. Cloud-based filters that operate at the DNS level also avoid any latency issues, which can be a problem with physical appliances.
Methods of Web Filtering
There are various methods of web filtering in the workplace, with most solutions using a combination of all.
Whitelists and Blacklists
Blacklists are used to block access to specific domains and URLs, either through third-party or user-generated blacklists. Whitelists are used to always allow access to a specific URL or domain, regardless of the content filtering controls put in place.
Category Filtering
Category filtering is the easiest way of exercising content control. A web filtering solution will assign websites into categories based on the content of the website. Using a checkbox in the UI, the system administrator can select which categories of content should be blocked. Commonly blocked categories include pornography, gambling, gaming, dating, social media, news, and webmail.
Content Analysis
Web filters can perform analyses of web content to detect certain keywords and can assign a score to each URL. Thresholds can be set for individual users, departments, or the entire organization and if that threshold is exceeded, the content will not be displayed.
WebTitan Cloud: Workplace Web Filtering Made Simple
WebTitan cloud is a powerful web filtering solution that provides visibility into the online activities of users and allows controls to easily be set to control Internet access and block online threats that could threaten your business. WebTitan Cloud has been developed to be easy to set up and use, with no technical prowess required to use the solution.
Highly granular filtering controls allow precision control over the content that can be accessed, without overblocking and preventing important web content from being accessed. The solution is DNS-based, so no equipment purchases or software downloads are necessary, and there is zero latency.
WebTitan Cloud protects on-site workers on the network, Wi-Fi users, and remote workers no matter where they access the Internet.
There is a transparent pricing policy, no optional extras, the product is extremely competitively priced, and customers benefit from industry-leading customer support.
Managed Service Providers (MSPs) that want to add web filtering to their service stacks benefit from many MSP-friendly features such as multiple hosting options, a brandable white-label version of the product, monthly billing, and pricing that accommodates rapidly changing numbers of seats.
To find out more about the full benefits of WebTitan Cloud, to arrange a product demonstration, give the WebTitan team a call today.
Exploit kits used to be one of the most common methods of distributing malware, although their use has dwindled to a fraction of the level seen in 2016. That said, there has recently been an uptick in the use of exploit kits and multiple threat actors are conducting campaigns to deliver malware payloads.
An exploit kit is malicious code that incorporates exploits for one or more vulnerabilities. When a visitor arrives on a website hosting an exploit kit, their computer is scanned for vulnerabilities and if one that is being targeted, the exploit is executed and a malicious payload such as a banking Trojan, keylogger, or ransomware is silently downloaded.
Exploit kits are loaded onto websites under the control of the attackers, which can be their own domains or a legitimate site that has been compromised. Traffic is usually sent to the exploit kit through malicious adverts on third-party ad networks (malvertising). These ad networks are used by many websites for adding revenue-generating third party adverts.
According to research conducted by Malwarebytes, a campaign is being conducted using the Fallout exploit kit to deliver the Racoon Stealer, with the EK loaded onto popular adult websites. The campaign was reported to the ad network and the malicious advert was removed, only to be replaced with an advert directing visitors to a site hosting the Rig exploit kit.
Another campaign was identified involving a different threat actor who is known to have targeted various adult ad networks. The malicious adverts were displayed on a wide range of different adult websites, including one of the most popular adult websites that generates more than 1 billion page views a month.
The threat actor had submitted bids for users of Internet Explorer only, as the exploit kit contained an exploit for an unpatched IE vulnerability. The vulnerabilities exploited were CVE-2019-0752 and CVE-2018-15982, the former is an IE vulnerability and the latter is a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered, along with Racoon Stealer and ZLoader.
For an exploit kit to work, a computer must have an unpatched vulnerability, an exploit for which must be included in the EK. Prompt patching is therefore one of the best ways of ensuring that these attacks are not successful. It is also strongly advisable to stop using Internet Explorer and Flash Player. Vulnerabilities in each are frequently targeted.
These campaigns can also easily be blocked by using a web filter. Unless your business operates in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter allows your business to block access to all adult websites, and other categories of web content that employees should not be accessing in the workplace.
A cloud-based web filter such as WebTitan is a low cost solution that can protect against a web-based attacks such as exploit kits and drive-by malware downloads, while also helping businesses to improve productivity by preventing employees from visiting websites that have no work purpose. Web filters can also reduce legal liability by preventing employees from engaging in illegal online activities, such as copyright infringing file downloads.
Once implemented – a process that takes a few minutes – access to certain categories of website can be blocked with the click of a mouse and employees will be prevented from accessing websites known to harbor malware, phishing kits, and other potentially malicious websites.
For further information on WebTitan and protecting your business from web-based threats, give the TitanHQ team a call today.
Cybercriminals have adopted a new tactic to deliver malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to direct visitors to malicious websites in a form of malvertising.
Malvertising is the term given to the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will direct users to a legitimate website, but cybercriminals often sneak malicious code into these adverts. Clicking the link will direct the user to a website hosting an exploit kit or phishing form. In some cases, ‘drive-by’ malware downloads occur without any user interaction, simply if the web content loads and the user has a vulnerable device.
The new tactic uses domains that have expired and are no longer active. These websites may still be listed in the search engine results for key search terms. When user conducts a search and clicks the link or uses a link in their bookmarks to a previously visited website, they will arrive at a landing page that explains that the website is no longer active. Oftentimes, that page will include a series of links that will direct the visitor to related websites.
What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many links to the website, which is preferable to starting a brand-new website from scratch. These expired domains are then auctioned. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that direct visitors to malicious websites.
When a visitor arrives on the site, instead of being directed to the auction stub, the stub is replaced with a link to a malicious website. The study uncovered around 1,000 domains that had been listed for sale on a popular auction site, which redirected visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to distribute the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user’s device. Several of the sites hosted malicious code on the site rather than redirecting the visitor to a different website.
These domains were once legitimate websites, but are now being used for malicious purposes, which makes the threat hard to block. In some cases, the sites will display different content based on where the user is located and if they are using a VPN to access the internet. These websites change content frequently, but they are indexed and categorized and if determined to be malicious they are added to real time block lists (RBLs).
A web filtering solution such as WebTitan can provide protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being connected the user will be directed to a local block page, negating the threat. WebTitan can also be configured to block downloads of risky file types from these websites.
Many organizations have implemented firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a gap in their security protections and web-based threats are not effectively blocked. WebTitan allows organizations to plug that gap and control the websites that can be accessed by employees.
For further information on WebTitan and filtering the internet, give the TitanHQ team a call. WebTitan is available on a free trial to allow you to evaluate the solution and see for yourself how you can block attempts to visit malicious web content and NSFW sites.
If you have been following the security news, you will have seen that there has been a major increase in COVID-19 themed cyberattacks targeting remote workers. Cybercriminals are exploiting fear about the virus and the somewhat chaotic switch from mostly office-based workers to having virtually the entire workforce working remotely. Understandably given the speed at which businesses have had to adjust, vulnerabilities have been introduced.
The attack surface has increased considerably as a result of largely at-home workforces and cybercriminals have taken advantage. According to research conducted by Darktrace, in the United Kingdom, prior to the COVID-19 lockdown being imposed, around 12% of malicious email traffic was targeting home workers. The volume increased to around 60% after 6 weeks of lockdown, which clearly demonstrates the extent to which remote workers are being targeted.
The types of malicious emails being sent to remote workers have been incredibly diverse. Cybercriminals are using all manner of lures to get remote workers to click links and disclose their credentials or open malicious attachments and trigger malware downloads. Financial fraud has also increased with BEC gangs using the COVID-19 pandemic to fraudulently obtain funds from company accounts.
Early on in the pandemic when information about the virus was thin on the ground, emails were being sent offering important advice about preventing infection along with fake updates on cases. As the pandemic progressed and the effects started to be felt, cybercriminals started sending fake requests for donations to charities to help individuals adversely affected by COVID-19. As governments implemented furlough schemes and set up funds to help the employed and self-employed, campaigns were conducted that linked to websites that claimed to offer grants, allow workers to choose to be furloughed, or apply for financial support.
Attacks have targeted the tools that are being used by remote workers to connect to their offices and communicate with colleagues, with the likes of Zoom, Skype, GoToMeeting, and other corporate messaging systems being spoofed to infect users with malware. File sharing platforms have similarly been spoofed to get employees to disclose their credentials. Darktrace’s data shows there has been a massive increase in spoofing attacks during lockdown, increasing from around one fifth of attacks before lockdown to 60%.
It is not only cybercrime groups that are conducting attacks. State-sponsored hacking groups have similarly been taking advantage of the pandemic to steal sensitive data, including the latest COVID-19 research data on potential cures, vaccines, and treatments to further the response efforts in their own countries.
What is not always clear from the new reports is how the increase in cyberattacks targeting remote workers has translated into actual data breaches. Are these attacks succeeding or are companies managing to thwart the attacks and keep the hackers at bay?
There is a lag between intrusions being detected, breaches being confirmed, and announcements being made but it appears that many of these attacks are succeeding. In April, the International Association of IT Asset Managers issued a warning that while a rise in data breaches was to be expected as a result of the pandemic, the number of incidents was actually far higher than anticipated. It is also clear that ransomware attackers have stepped up their efforts to attack businesses. Even organizations on the frontline in the fight against COVID-19 have not been spared.
Threat actors have taken advantage of the opportunities offered by the pandemic. It is up to businesses to make sure their security measures are sufficient to thwart attacks. Combating cyberattacks on remote workers requires additional security measures to be implemented. One measure that is often overlooked but can greatly improve protection is DNS filtering.
A DNS filter provides protection against the web-based component of cyberattacks and is an important measure to implement to improve defenses against phishing and malware. Even with robust email security defenses in place, some messages will arrive in inboxes. A DNS filter provides an extra layer of protection by preventing users from visiting malicious websites linked in emails.
When a malicious link is clicked, a DNS query is made, and a DNS lookup is performed to find the IP address of the URL. DNS filtering ensures that the IP address is not returned if the URL is malicious. A DNS filter such as WebTitan also allows IT teams to block malware downloads, monitor internet activity, and carefully control the types of websites their remote users can access on corporate devices.
If you have not yet implemented a DNS filtering solution and would like more information on how it can protect against cyberattacks on remote workers, give the TitanHQ team a call today.
Cybersecurity for remote workers has never been so important. At-home employees are being targeted by hackers who see them as low hanging fruit and an easy entry point into corporate networks.
The threat faced by businesses that have rapidly shifted to a largely at-home workforce should not be underestimated. With everyone working in the office, within the protection of the corporate firewall, IT departments could keep hackers at bay. Any employees that were authorized to work from home could be provided with a laptop that had security protections appropriate for the increased level of risk.
Moving the entire workforce from the office to attics, basements, kitchens, and spare rooms in a very short space of time has meant corners have had to be cut. Many SMBs have had to adapt quickly and have not had enough time to provide additional training to their at-home employees. The laptop computers now being used by their employees have had to be provisioned quickly and they lack the protection required for at home working. Some businesses are even allowing personal computers to be used out of necessity. Cybercriminals have been rubbing their hands with glee at the new opportunities and the ease at which they can attack businesses.
Lockdowns are now being lifted and people are being encouraged to go back to work, but further spikes in cases are likely as a result and with social distancing in the office problematic for many businesses, many employees will still need to work from home. To reduce the risk of those employees falling for a phishing scam or inadvertently downloading malware or ransomware, additional cybersecurity measures should be implemented.
You will more than likely have an email security solution to block the most common attack vector, but additional layers of security will greatly improve your security posture, one of the most important of which is a web filtering solution. A web filter stops your employees from visiting malicious websites, such as those used for phishing or malware distribution. When an attempt is made to visit a malicious website – through a link in a phishing email, a web redirect, or general web browsing – rather than being allowed to visit the website, employees will be directed to a local block page that explains the site cannot be accessed as it violates your internet usage policies.
A web filter can also be used to stop employees from using their work laptop for personal use by blocking websites by category, and as a control against shadow IT to prevent unauthorized software downloads.
WebTitan Cloud will allow you to improve cybersecurity for remote workers without requiring any software downloads and can be set up and protecting your office staff and remote workers in a matter of minutes.
Join us for our Webinar on Improving Cybersecurity for Remote Workers
If you are reading this before Thursday May 21, 2020, then you can find out more about how WebTitan Cloud can protect your employees and corporate network from attack by joining us on for our webinar.
Title: Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan
Date: Thursday, May 21, 2020
Time: 11:00-11:30 CDT
If you missed the webinar, just give us a call and we will be happy to answer any questions you have, explain the benefits of WebTitan Cloud, arrange a product demonstration, and help get you filtering the internet and blocking web-based threats.
TitanHQ is hosting a webinar on Thursday May 21, 2020 and will be explaining how you can double protection for your remote workers and better protect them against phishing, malware, ransomware, and zero-day attacks. The webinar is ideal for current SpamTitan customers, prospective customers, Managed Service Providers and small- to medium-sized enterprises.
During the webinar you’ll find out why it is so important to protect against both the email- and web-based components of cyberattacks and you will discover more about an important layer that you can ad to your security defenses that will allow you to significantly reduce susceptibility to a cyber attack and data breach.
TitanHQ will explain how cybercriminals are exploiting the COVID-19 pandemic and are targeting remote workers. You will also discover more about the features and security layers of WebTitan Security and how this DNS-based web filtering solution allows you to manage user security at multiple locations.
Most cyberattacks have an email and web-based component – Find out how WebTitan serves as a vital layer of security to block phishing attacks, malware and ransomware downloads.
Learn why WebTitan is the leading web security option for the Managed Service Provider who service the SMB and SME market.
Join TitanHQ for the webinar, which will be attended by:
Derek Higgins, Engineering Manger TitanHQ
Eddie Monaghan, Channel Manager TitanHQ
Marc Ludden, Strategic Alliance Manager TitanHQ
Kevin Hall, Senior Systems Engineer at Datapac
Webinar Details
Title: Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan
The COVID-19 pandemic has given cybercriminals a golden opportunity to make money. With the world focused on little else other than the response to the pandemic, and with people craving information about the virus, it is not surprising that standard phishing lures have been abandoned in favor of COVID-19 themed lures.
COVID-19 and coronavirus themed domains have been purchased in the tens of thousands and are being used for phishing, malware distribution, and a variety of scams such as obtaining donations to fake charities. Figures released by the Palo Alto Networks Unit 42 team for the period of February to March show there has been an average daily increase of new COVID-19 related domains of 656%, a 569% increase in the number of malicious COVID-19 domains, and a 788% increase in new high-risk domains.
Several domain registrars have started taking steps to combat coronavirus and COVID-19 related fraud and some, such as Namecheap, are now preventing the registration of new domains related to COVID-19. Domain registrars are flagging these new domains for investigation, but that is a manual review process that takes time. In the meantime, the domains are being set up and used for convincing scams.
One malicious campaign uncovered in the past few days uses COVID-19 themed domains to distribute the banking Trojan Grandoreiro. The websites are used to host videos that promise to provide important information about SARS-CoV-2 and COVID-19. When visitors click on the video, a file download is triggered and the user is required to run the installer to view the video content, but instead installs the banking Trojan. The banking Trojan has previously been delivered via spam email, but the threat group behind the malware have changed tactics in response to the pandemic and have changed to web-based delivery.
There have been many similar campaigns created using malicious COVID-19 domains to deliver a slew of malware variants such as keyloggers, information stealers, cryptocurrency miners, and other Trojans.
Lockdown has left people with a lot of time on their hands and outdoor activities have been swapped for more TV time. It is no surprise that movie piracy sites have seen a huge surge in traffic and malware distributors are taking advantage and are bundling malware with pirated video files and using fake movie torrents to deliver malware.
An investigation by Microsoft identified a campaign that uses a VBScript packaged into ZIP files that claim to be pirated movie files. The campaign was being conducted to deliver a coinminer that runs in the memory, with living-of-the-land binaries also used to download other malicious payloads.
These campaigns often have a phishing component, with emails sent to drive traffic to these malicious websites. An advanced spam filtering solution can help to block the email component of these campaigns, but businesses should also consider an additional layer to their security defenses to block the web-based component of these attacks and prevent their remote employees from visiting malicious COVID-19 domains. That protection can be provided by a DNS filtering solution such as WebTitan Cloud.
WebTitan Cloud filters out malicious websites at the DNS lookup stage of a web access request. When a user attempts to visit a website, instead of the standard DNS lookup to find the IP address of a website, the request is sent through WebTitan. If an attempt is made to visit a malicious domain, the request will be blocked and the user will be directed to a local block page. WebTitan can also be configured to block certain file downloads and filter the internet by category, such as blocking P2P file-sharing and torrents sites to provide additional protection against malware and the installation of shadow IT.
WebTitan Cloud can be quickly set up remotely by sysadmins to protect all workers on and off the network with no clients required, which makes it an ideal solution during the COVID-19 pandemic for protecting remote workers.
For further information on protecting your organization and remote employees from web-based attacks, to register for a free trial of WebTitan, and for details of pricing, give the TitanHQ team a call today.
There has been a massive rise in the number of telecommuting workers as a result of the 2019 Novel Coronavirus pandemic and cybercriminals are taking advantage. Phishing and malware attacks have soared in the past few weeks and home workers are being targeted.
Individuals who regularly worked from home before the COVID-19 crisis will be used to taking precautions when connecting to virtual environments set up by their employers, but huge numbers of employees are now logging in remotely for the very first time and may not be aware of the telecommuting cybersecurity risks. IT and IT security departments have also had to set up the workforce for home working in a hurry, and the sheer number of employees that have been forced into telecommuting means corners have had to be cut which has created opportunities for cybercriminals.
Even if the transition to having the entire workforce telecommuting has been expertly managed, risk will have increased considerably. Cybersecurity is far harder to manage when the entire workforce is outside the protection of the corporate firewall and with most workers telecommuting, the attack surface has grown considerably.
Telecommuting workers are seen as low hanging fruit and cybercriminals are taking advantage of the ease at which attacks can be conducted. Since January there has been a massive increase in phishing attacks, malware attacks, and attacks over the internet targeting remote workers.
NASA Sees “Exponential Increase” in Malware Attacks
On April 6, 2020, NASA sent a memo to all personnel warning of a massive increase in targeted attacks on the agency. NASA explained in the memo that the number of phishing attempts on NASA employees has doubled in the past few days and its systems designed to block employees from accessing malicious websites has gone into overdrive. The number of malicious websites that are now being blocked has also doubled, which strongly suggests employees are clicking on links in phishing emails and are being fooled by these scams. NASA also reports that there has been an “exponential increase in malware attacks on NASA systems.”
Attacks are being conducted by a diverse range of threat actors, from small players to prolific advanced persistent threat (APT) groups and nation-state sponsored hackers. NASA has warned its employees that those attackers are targeting NASA employees’ work and personal devices and that the attacks are likely to continue to increase throughout the Novel Coronavirus pandemic.
NASA is far from alone in experiencing a massive increase in attempted cyberattacks. Businesses of all sizes are now having to deal with unprecedented risks and are struggling to defend their networks from attack. They now have to defend a massively increased attack surface and the number of attacks has skyrocketed.
There are other factors that are making it difficult for employers. Employees crave information about the Novel Coronavirus and COVID-19 and cybercriminals are sending huge numbers of emails offering them just the information they seek. Huge numbers of websites are being set up that purport to offer advice on the Novel Coronavirus and COVID-19. Check Point has reported that more than 16,000 domains related to coronavirus or COVID-19 have been registered since January and those domains are 50% more likely to be malicious than other domains registered in the same period.
How to Protect Telecommuting Workers
There are three main ways that telecommuting workers are being attacked: Email, malicious websites, and the exploitation of vulnerabilities.
To prevent the latter, it is essential for software and operating systems to be kept up to date. This can be a challenge for IT departments at the best of times, but much harder when everyone is working remotely. Despite the difficulty, prompt patching is essential. Vulnerabilities in VPNs are being targeted by cybercriminals and offer an easy way to gain access to corporate networks. Employees should be told to make sure their VPN clients are running the latest software version and businesses should ensure their VPN infrastructure is kept up to date, even if it means some downtime while updates are applied.
TitanHQ Can Help You Strengthen Email and Web Security
Advanced email security defenses are now required to protect against phishing and email-based malware threats. Some of the COVID-19 phishing campaigns that are now being conducted include some of the most sophisticated phishing threats we have ever seen.
You should not rely on one form of email security, such as Microsoft’s Exchange Online Protection for Office 365 accounts. Layered defenses are essential. Office 365 email security can be significantly strengthened by layering SpamTitan on top of Microsoft’s EOP protections. SpamTitan does not replace Office 365 protections, it improves them.
SpamTitan is an advanced email security solution that incorporates powerful, real time updated AI-driven threat intelligence to block spam, phishing, malware, malicious links, and other email threats from incoming mail. SpamTitan sandboxing identifies threats that signature-based detection solutions miss and is effective at identifying and blocking zero-day malware threats.
Each day, the number of malicious websites related to COVID-19 grows. These websites are used to phish for sensitive information such as email and VPN credentials and for drive-by downloads of malware. To protect remote workers and prevent them from accessing these malicious websites, a web filtering solution is required.
WebTitan DNS Security offers protection against web-based threats and prevents employees from accessing known malicious websites. WebTitan DNS Security is seeing massively increased traffic demand for its scanning and web detection features, but the solution is cloud based and has been developed with scalability in mind. WebTitan DNS Security is blocking new threats as soon as they are identified to keep customers and their employees protected. The solution can be easily implemented to protect remote workers but inserting simple code into enterprise devices which points the DNS to WebTitan. That small change will ensure the internet is filtered for all employees, no matter where they are working.
TitanHQ is committed to providing safe and secure email and internet usage for our customers, partners and their users, now more than ever. Contact TitanHQ today for help improving security at your organization.
IT departments have been forced to address cybersecurity risks with remote workers in a hurry due to the 2019 Novel Coronavirus pandemic that has seen large sections of the workforce forced into working from home.
The International Workplace Group conducted a study in 2019 and found that 50% of employees spend at least half of the week working remotely, and 70% of workers spend at least one day each week working from home. The 2019 Novel Coronavirus pandemic has increased that percentage considerably. Many companies have all but closed down their offices and have told their employees they must work from home.
While this is an important strategy for ensuring the safety of the workforce, there are many cybersecurity risks with remote workers and IT departments will find it much harder to secure their systems, protect confidential data, and quickly respond to security incidents.
One of the biggest problems for IT departments is the speed at which changes had to be made to accommodate a massive increase in remote workers. There has been little time to prepare properly, provide training, and ensure the cybersecurity risks with remote workers are all addressed.
Cybercriminals are Targeting Remote Workers
The massive increase in remote workers due to the 2019 Novel Coronavirus pandemic has given cybercriminals easy targets to attack, and unsurprisingly remote workers are being targeted. Remote workers are seen as low hanging fruit and attacks are far easier than when workers are in the office.
Several phishing campaigns have been detected targeting home workers that attempt to obtain email and VPN credentials. These phishing attacks are likely to increase considerably over the coming weeks and months. Attacks on VPNs have also increased, with cybercriminals exploiting unpatched vulnerabilities to steal credentials and gain access to corporate networks.
Campaigns have been detected spoofing Zoom and other videoconferencing platforms. According to Check Point, there have been 1,700 new Zoom domains registered in 2020 and 25% of those have been registered in the past two weeks. Other videoconferencing and communication platforms are also being targeted.
Addressing Cybersecurity Risks with Remote Workers
The massive increase in the number of employees working from home has increased the attack surface dramatically. Laptops, smartphones, and tablets are remotely connecting to the network, often for the very first time. It is essential that al of those devices are secured and data is appropriately protected.
Any device allowed to connect to the network remotely must have the best security software installed to protect against malware. Devices must be running the latest versions of operating systems and patches need to be applied promptly. Some studies suggest that it takes companies around 3 months on average to patch vulnerabilities. For remote workers, patching needs to be accelerated considerably and, ideally, software and operating systems should be configured to update automatically. Computers used by remote workers must also have firewalls enabled.
Ensure Home Routers are Secured
With many countries in lockdown and people being told not to leave the house, one of the biggest problem areas with remote working has been solved. The use of unsecured pubic Wi-Fi networks. When remote workers connect to unsecured public Wi-Wi networks, it is easy for cybercriminals to intercept sensitive corporate data, steal login credentials, and install malware. The Novel Coronavirus pandemic has seen remote workers abandon coffee shops and public Wi-Fi access points and stay at home; however, home Wi-Fi networks may be just as vulnerable.
Home workers will connect to the internet through consumer-grade routers, which will be far less secure than the office. Home Wi-Fi is often poorly secured and many devices that connect to Wi-Fi will have scant security controls in place. Remote workers must ensure that their home Wi-Fi network is protected with a strong password and that routers have WPA2 enabled.
Ensure Remote Workers Use a VPN and Establish a Secure Connection
It is essential for remote workers to establish a secure connection when accessing work resources and the easiest way to do this is with a virtual private network (VPN). A VPN client should be installed on all devices that you allow to remotely connect to the network.
Several vulnerabilities have been found in VPNs over the past year, and even months after patches have been released by VPN solution providers that patches have yet to be applied. Patching VPNs can be difficult when they are in use 24/7, but prompt patching is essential. There has been an increase in cyberattacks exploiting vulnerabilities in VPNs in recent weeks. In addition to ensuring the latest version of VPN clients are used and VPN solutions are patched quickly, training must be provided to remote workers to ensure they know how to use VPNs.
Ensure Multifactor Authentication Is Enabled
Strong passwords must be set to prevent brute force password guessing attempts from succeeding, but passwords alone do not provide sufficient protection for remote workers. You must ensure that multifactor authentication is enabled for all cloud services and for email accounts. If credentials are compromised in a phishing attack, it will not be possible for the credentials to be used to access accounts and sensitive data without another factor also being provided, such as a one-time code sent to an employee’s cellphone.
Security Awareness Training for Remote Workers
IT staff will be well aware that even the best security defenses can be breached as a result of the actions of employees. Employees are the weakest link in the security chain, but through security awareness training risk can be significantly reduced. Most companies will provide security awareness training to staff as part of the onboarding process, and often refresher training sessions will be provided on an annual basis. Consider increasing training for remote workers and conducting training sessions far more frequently.
The purpose of cybersecurity awareness training is to teach employees the skills they will need to recognize and avoid threats and to change the mindset of workers and create a culture of cybersecurity. Best practices for cybersecurity must be taught to prevent employees from falling prey to cyberattacks when working remotely. Employees need to be made aware of the cybersecurity risks with remote workers, which may not have been covered in training sessions when employees were only working in the office. Training remote staff should now be a priority. It is important to step up training to help remote workers identify phishing emails, spoofing, impersonation attacks, and also to teach remote workers about good IT hygiene.
Protect Against Web-Based Attacks
The dangers that come from the internet should be covered in security awareness training, but not all web-based threats are easy for remote workers to identify. Malicious adverts can be found on all manner of websites that direct users to phishing sites and websites where drive by malware downloads occur. To address cybersecurity risks for remote workers when accessing the internet, a web filtering solution should be deployed.
Cloud-based web filters are the most practical choice as they are easy to deploy, require no software downloads, and do not need to be patched or updated as that is handled by the solution provider. DNS-based filters are the best choice as they will involve no latency, which can be a major issue when bandwidth will be limited in workers’ homes.
WebTitan prevents remote workers from visiting or being redirected to known malicious websites and allows IT teams to control the types of websites that can be accessed on work devices to further reduce risk. Since WebTitan integrates with Active Directory and LDAP, IT teams can monitor the internet activity of all employees and can configure the solution to block malicious file downloads and the downloading unauthorized programs onto work devices.
It is fair to say that more people are now working from home than ever before and the number is growing rapidly due to the coronavirus pandemic. Here we explore some of the key cybersecurity challenges for remote working and suggest ways that CIOs and IT managers can reduce risk, keep their networks secure, and protect their workers.
COVID-19 and Remote Working
Even in the absence of a pandemic, an increasing number of people are working from home for at least part of the week. One study conducted by the International Workplace Group in 2018 suggests 50% of employees spend at least two and a half days a week working from home and 70% spend at least one day a week working from home.
The coronavirus pandemic is rapidly changing that. Governments around the world are recommending people work from home if they possibly can and many want to do so to reduce the risk of contracting COVID-19. With the 2019 Novel Coronavirus pandemic likely to last for several months at the very least, that is unlikely to change any time soon. Businesses will come under increasing pressure to get their employees set up for working at home.
Cybersecurity Challenges for Remote Working
For many businesses, having to set up large number of employees to work from home in such a short space of time will have come as a major shock. Rather than being able to transition gradually, the quarantine measures and social distances demanded in response to the coronavirus pandemic has given businesses and their CIOs and IT teams little time to prepare and address the cybersecurity challenges for remote working.
Some employees will already be working from home some of the time, so they will be familiar with the steps they need to take to access work networks and applications securely from home, but for a great deal of workers this will be their first time. Those workers therefore need to be trained and made aware of the additional risks, they must learn how to access work systems remotely, and the steps they need to take to do so securely.
Measures need to be considered to reduce the harm that can be caused should devices be lost or stolen, as the risk of device theft increases considerably when IT equipment is taken out of the office. Even if workers are not venturing out of the house to coffee shops, home environments may not be as safe and secure as the office.
Cyberslacking is likely to increase considerably when workers are not being directly supervised due to working at home, so loss of productivity is a real issue. Productivity losses due to people working from home is a key business concern that should be addressed. Cyber risks also increase from internet access at home.
The risk of insider threats also increases with more remote workers. Steps should be taken to reduce the potential for fraud and data theft.
It is relatively easy for organizations to effectively manage risk when users are connected to internal networks when working in the office. Doing the same when most of the workforce is working remotely is a different matter entirely. As the attack surface increases, mitigating risks and protecting against cyberthreats becomes a major challenge.
There are also issues with authentication. A known individual may be attempting to connect to the network, but it becomes harder to determine is that person is who they claim to be. Authentication measures need to be stepped up a gear.
Many businesses will be faced with the problem of simply not having enough devices to allow workers to work remotely on company-issued devices, so the decision will need to be taken about whether to allow employees to use their personal devices. Personal devices are unlikely to have the same level of protection as company-owned devices and it is much harder to control what employees do on those devices and to protect against malware that could easily be transferred onto the work network.
There is also a greater risk of shadow IT when workers are home-based. The downloading of applications and use of non-authorized tools increases risk considerably. Vulnerabilities may be introduced that can easily be exploited by cybercriminals.
Then there is the problem of having so many people accessing work networks using VPNs. Systems may not be able to cope with the increased number, which means workers will not be able to connect and work from home. IT departments must ensure there is sufficient bandwidth and licenses for VPN solutions. Those VPNs also need to be updated and patched.
These are just some of the many cybersecurity challenges for home working. The list of security concerns is very long.
Cybercriminals are Taking Advantage of a Huge Opportunity
Cybercriminals are constantly changing tactics to attack businesses and the coronavirus pandemic offers them opportunities on a silver platter. It is unsurprising that they are taking advantage. In January, phishing campaigns were launched taking advantage of fear about coronavirus. Those campaigns have increased significantly as the COVID-19 crisis has deepened. Coronavirus and COVID-19 are being used as phishing lures and to COVID-themed emails are being used to distribute malware. Cyberattacks exploiting vulnerabilities in VPNs are also increasing.
As the COVID-19 crisis worsens and lockdowns are enforced, businesses will be forced to have more workers working from home and cyberattacks are likely to continue to increase. Since shutting down the business temporarily or indefinitely simply isn’t an option for most businesses, addressing the cybersecurity challenges for remote working will soon become critical.
Addressing the Cybersecurity Challenges for Home Working
Addressing the cybersecurity challenges for home workers is likely to be difficult. Listed below are some of the steps that should be taken to prepare.
When creating new accounts for home workers, ensure strong passwords are set and use the principle of least privilege to reduce risk.
Enable two-factor authentication.
Ensure workers can connect through VPNs and there are sufficient licenses and bandwidth.
Make sure VPN software is patched and the latest version is installed. Ensure procedures are in place to keep the software updated.
Consider disabling USB ports to prevent the use of portable storage devices. This will reduce the risk of malware infections and the risk of data theft.
Ensure portable devices are protected with encryption. Use software solutions that lock devices in the event of theft or allow devices to be remotely wiped.
Ensure you set up communications channels to allow remote workers to collaborate, such as teleconferencing, chat facilities, document sharing platforms, and SaaS applications. Make sure employees are aware of what can and cannot be shared via chat apps such as Slack and Google Chat.
Ensure staff are trained on new applications, the use of VPNs, and are aware of the additional risks from remote working. Train remote workers on how to identify phishing and other cybersecurity threats.
Ensure policies and procedures are set up for reporting threats to IT security teams. Instruct employees on the correct course of action if they believe they have fallen for a scam.
Implement a DNS filter to prevent employees from accessing high risk websites on corporate-issued devices and block downloads of risky file types.
Ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats.
How TitanHQ Can Help Protecting Remote Workers and Their Devices
TitanHQ has developed two cybersecurity solutions that can help businesses protect their remote workers and their networks from email and web-based threats. Being 100% cloud-based, these solutions are just as effective when employees are working remotely as they are for office workers.
SpamTitan Cloud is a powerful email security solution that protects against the full range of email threats. SpamTitan has advanced threat detection capabilities to detect known and zero-day phishing, spear phishing, malware, botnet, and ransomware threats and ensure the threats never reach inboxes. SpamTitan Cloud also scans outbound email to detect spamming and malware distribution, as well as improving protection against insider threats through tags for sensitive data.
WebTitan Cloud is a DNS filtering solution that provides protection from web-based attacks for user working on and off the network. Being cloud based, there is no need to backhaul traffic to the office to apply filtering controls. Since the filter is DNS-based, clean, filtered internet access is provided with no latency. Controls can easily be applied to restrict access to certain types of websites to prevent cyberslacking and block cybersecurity threats and malware downloads.
Both of these solutions are easy to implement, require no local clients, and can be set up to protect your employees in minutes. They are also available on a free trial if you want to evaluate the solutions before committing to a purchase.
For further information on SpamTitan Cloud Email Security and WebTitan Cloud DNS filtering and to discover how these solutions can help to protect your business and remote workers at this extremely challenging time, give the TitanHQ team a call today.
Many phishing campaigns have been detected that use the novel coronavirus as a lure and now a new ransomware variant called CoronaVirus has been detected and analyzed by MalwareHunterTeam. CoronaVirus ransomware is being distributed through a malicious website masquerading as software called WiseCleaner, a tool that can be used to clean up the registry and remove duplicate files and junk files from computers. WiseCleaner is legitimate software tool, but the website used in this campaign is fake.
It is currently unclear how traffic to the website is being generated. Campaigns such as this typically use malvertising for traffic – Malicious adverts on ad networks that direct users to malicious websites. These adverts are displayed on many legitimate websites that use third party ad networks to generate extra revenue.
If a website visitor tries to download WiseCleaner from the malicious website (The genuine website is wisecleaner.com), a file named WSHSetup.exe will be downloaded. Executing this file will download two malicious payloads: CoronaVirus ransomware and the Kpot Trojan. The Kpot Trojan is an information stealer that steals a variety of credentials, including Skype, Steam, Discord, VPN, email, and FTP passwords from a variety of different applications. The Kpot Trojan steals information such as banking credentials that have been saved in browsers and can also steal cryptowallets. The executable file also attempts to download other files, although currently only two files are downloaded. The intention may well be to download a cocktail of malware.
When CoronaVirus ransomware is downloaded and executed it encrypts a range of different file types. The encrypted files are renamed using the attacker’s email address, but the original file extension is retained. A ransom note is dropped in each folder where files are encrypted.
Interestingly, the ransom demand is very low. The attackers only charge 0.08 BTC – around $50 – for the keys to decrypt files. This suggests the ransomware component of the attack is not the main aim of the campaign which is to distribute the Kpot Trojan and potentially other malware payloads. CoronaVirus ransomware may just be a distraction.
There is currently no known decryptor for CoronaVirus ransomware and it is unclear whether the attackers can – or will – supply valid keys that allow encrypted files to be recovered.
Businesses can protect against attacks such as this by ensuring they backup all of their files regularly and store the backups offline. A web filtering solution should also be implemented to prevent malicious files from being downloaded. Web filters can be configured to prevent attempts by employees to visit malicious websites and also to block downloads of risky file types such as .exe files.
For more information on web filtering and to find out how TitanHQ’s web filtering solution, WebTitan, can help to protect your business from web-based cyberattacks, give the TitanHQ sales team a call today.