Should You Block File Sharing Websites to Stop Malware Infecting Your Network?

There are some very valid reasons why you should block access to file sharing websites. These websites are mainly used to share pirated software, music, films, and TV shows. It would be improbable that the owner of the copyright would take action against an employer for failing to stop the illegal sharing of copyrighted material, but this is an unnecessary legal danger.

However, the chief risk from using these websites comes in the form of malware. Research completed by IDC in 2013 indicated that out of 533 tests of websites and peer-2-peer file sharing networks, the downloading of pirated software lead to spyware and tracking cookies being downloaded to users’ computers 78% of the time. More concerning is the fact that Trojans were downloaded with pirated software 36% of the time.

A survey carried out on IT managers and CIOs at the time showed that malware was downloaded 15% of the time with the software.  IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.

Even browsing on torrent sites can be harmful. This week Malwarebytes said that visitors to The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site that had the Magnitude exploit kit which was used to install Cerber ransomware onto users’ devices.

A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 47 different anti-virus services. The research team found that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.

Groups can monitor devices and check for unauthorized software downloads on individual devices; however, by the time a software installation has been identified, malware is likely to already have been downloaded. A recent report by Verizon indicates that on average, hackers are able to extract data within 28 minutes of obtaining access to a system.

One of the simplest ways to manage risk is to block file sharing websites including P2P and torrent sites. A web filter can be easily set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being installed, including keygens and other executables.

By preventing access to file sharing websites organizations can ensure that copyright-violating activities are stopped and malware risk is effectively handled. Additionally, web filters can be used to block web-borne threats including phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.

Choosing not to block file sharing websites could turn out to be expensive for a company. It is far better to block possibly dangerous websites and online activities than to have to cover the cost of removing malware infections and managing with data breaches.

Practical Approach Vital for Network Security

The best security against malware, spam, hacker attacks, policy breaches and other email and web threats is a layered set of defenses in which software, services, hardware and policies are incorporated to safeguard data and other assets at the network, system and application tiers. However, an obvious – but often-disregarded – layer in this cake of protection is the common sense of your staff – one of the critical layers to stop threats from gaining a foothold. As the picture says ‘just because you can, doesn’t mean you should’, this is where common sense is important.

Spear phishing is an increasing issue where a targeted false email that seems to be legitimate is sent to individuals or a company in order to obtain data. For instance e, by looking at a Facebook page of someone with whom I am not connected. I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a cat named Lou, is a member of the Agent Leadership Council at a southern California realty organization, likes ice skating, resides in Thousand Oaks, speaks French, and took a vacation to Orlando on February 11th. If I was a hacker intent on sending her a spearphishing email – perhaps with the intent of infecting her PC with Zeus – I could use these details to craft an email that she would be likely to click on. For example, an email with the title “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or maybe even a LinkedIn invitation that includes personal details, would likely get her attention and increase the possibility of her becoming a victim of a spear phisher. This is not to say that this Facebook customer lacks common sense, but the details she has posted could be used against her and her company and needs to be looked at in that light.

Spam filtering technology is successful at preventing spam emails that include links to malware sources (albeit with some spam filters more effective than others). The RSA exploit in April 2011, in which some staff members received an email with an Excel attachment, was due to spearphishing emails that were effectively quarantined by spam filtering technology, but later opened by staff members from the quarantine. A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 workers, 11% of whom clicked on a malicious link. Many users are not adequately when asked for information. For instance, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook hacking scam was doing the rounds asking respondents to create their royal wedding guest name. This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim lived when they were younger – all likely responses to security questions one might get asked when resetting a password.

TitanHQ 2019 Schedule of MSP Roadshow Events

TitanHQ kickstarted its 2019 MSP roadshow program on February 14 with events in London and Florida. The 2019 season will see the TitanHQ team attend 15 roadshows and conferences in Ireland, Canada, the Netherlands, the UK, and the USA and meet new and prospective MSP partners, Wi-Fi providers, and ISPs.

In the summer of 2018, TitanHQ formed a strategic alliance with Datto which saw WebTitan Cloud and WebTitan Cloud for WiFi web filtering solutions incorporated into the Datto networking range. TitanHQ has been working closely with Datto MSPs ever since and has been helping them add web filtering to their security stacks and start providing their clients with world-class web filtering services.

Following on from a highly successful series of Datto roadshows in 2017, the TitanHQ team is back on the road and will be attending 7 Datto roadshow events over the coming 5 months, finishing off at DattoCon in June. The campaign started today at the TitanHQ-sponsored Datto Roadshow in Tampa, Florida. TitanHQ Alliance Manager Patrick Regan attended the roadshow and has been meeting with MSP to explain about WebTitan Cloud, WebTitan Cloud for WiFi, SpamTitan, and ArcTitan, and how they can benefit MSPs an help them build a high margin security practice.

For two years now, TitanHQ has been a member of the IT Nation community and has been helping MSPs get the most out of TitanHQ products to better serve the needs of their clients. It has been a great learning experience and a thoroughly enjoyable couple of years. The first of three IT Nation event took place today – The IT Nation Q1 EMEA Meeting in London. The event was attended by TitanHQ Alliance Manager Eddie Monaghan, who will be helping MSPs discover TitanHQ email security, DNS filtering, and email archiving solutions all week.

TitanHQ Alliance Manager, Eddie Monaghan.

If you were unable to attend either of these events, there are plenty more opportunities to meet with TitanHQ over the coming months. The full schedule of events that will be attended by members of the TitanHQ team are detailed below. We look forward to meeting you at one of the upcoming roadshow events in 2019.

TitanHQ 2019 MSP Roadshow Dates

February 2019

Date Event Location
February 14, 2019 IT Nation (HTG) Q1 EMEA Meeting London, UK
February 14, 2019 Datto Roadshow Tampa, FL, USA

March 2019

Date Event Location
March 5, 2019 CompTIA UK Channel Community Manchester, UK
March 7, 2019 Datto Roadshow EMEA Dublin, IE
March 11, 2019 CompTIA Community Forum Chicago, IL, USA
March 12, 2019 Datto Roadshow NA Norwalk, CT, USA
March 19, 2019 Datto Roadshow EMEA London, UK
March 26, 2019 Datto Roadshow EMEA Houten, Netherlands
March 26, 2019 Datto Roadshow NA Toronto, Canada

April 2019

Date Event Location
April 25, 2019 Datto Roadshow Long Island, NY, USA
April 29, 2019 IT Nation Evolve (HTG 2) Dallas, TX, USA

May 2019

Date Event Location
May 6, 2019 Connect IT Global (Kaseya Connect) Las Vegas, NV, USA
May 13, 2019 IT Nation (HTG) Q1 EMEA Meeting Birmingham, UK
May 14, 2019 Wifi Now Washington DC, USA

June 2019

Date Event Location
June 17, 2019 DattoCon San Diego, CA, USA

New Ovidiy Stealer Password Stealing Malware Priced to Boost Sales

The malware known as ‘Ovidiy Stealer’ is password stealing software that will capture login details and send the information to the hacker’s C2 server. As with most other password stealers, information is captured as it is entered into websites such as banking portals, web-based email accounts, social media accounts and other online services.

However, even if a device is infected, the Ovidiy Stealer will not capture information entered via Internet Explorer or Safari. The malware is also not persistent and if the computer is rebooted the malware will stop trying to complete its task.

Sadly, if you use Chrome or Opera, your confidential personal data is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, sd the malware is being regularly updated it is likely other browsers will come online soon.

Ovidiy Stealer is a new malware, first identified only a month ago. It is chiefly being implemented in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will soon be seen in other regions.

Proofpoint Researchers, who first detected the password stealing malware, are of the opinion that email is the primary attack vector, with the malware packaged in an executable file shared as an attachment. Proofpoint also thinks that rather than email attachments, links to download pages are also being implemented. Samples have been seen bundled with LiteBitcoin installers and the malware is also being sent through file-sharing websites, in particular via Keygen software cracking programs.

New password stealers are regularly being released, but what make the Ovidiy Stealer different and makes it particularly dangerous is it is being made available online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery using a spam email campaign. Due to the low cost there are likely to be many malicious actors carrying out campaigns to spread the malware, hence the range of attack vectors.

Would be hackers willing to part with $13 are able to see the number of infections using a web control panel complete with login. using the control panel they can control their account, view the number of infections, build more stubs and review the logs generated by the malware.

Safeguarding against malware such as Ovidiy Stealer demands caution as it requires time before new malware are discovered by AV solutions. Some AV solutions are already identifying the malware, but not all of them. As ever, when receiving an email from an unknown sender, do not click on attachments or visit hyperlinks.

Threat of Exposure with Multiple Malware Infections Visible in Sextortion

Sextortion scams have been in the rise in the last six months and these scams normally implement the technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed.

A number of the recent sextortion scams have boosted their credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered that are using a different tactic to get users to pay up. The email template seen in this scam is similar to other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured using the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the text of the email, a password (probably an old password compromised in a previous breach), and a hyperlink that the victim is asked to click to download the video that has been created and see exactly what will soon be shared via email and social media networks.

Clicking the link in the video will lead to the downloading of a zip file. The compressed file includes a document including the text of the email and the supposed video file. That video file is really an information stealer – The Azorult Trojan.

This type of scam is even more likely to be successful than past campaigns. Many people who receive a sextortion scam email will see it as fake. However, the a link to download a video  being included may lead to many people downloading the file to see if the threat is real.

If the zip file is downloaded and the Azorult Trojan executed, it will silently gather data from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once data has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will only be possible if these files having been backed up and not also encrypted by the ransomware. Apart from permanent file loss, the only other option will be to pay a sizeable ransom for the key to decrypt the files.

If the email was issued to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will also be encrypted. As a record of the initial email will have been extracted on the device, the reason why the malware was downloaded will be made clear to the IT department.

The key to not being tricked is to disregard any threats sent using email and never click links in the emails or click on email attachments.

B

Schools Using Web Filtering

Web filtering for schools has been a requirement in order to qualify for E-Rate discounts on telecommunications and Internet services since the Children´s Internet Protection Act (CIPA) was passed in 2000.

Following this, many states have also passed their own legislation making it a requirement for schools to filter the Internet to ensure children are safeguarded from harmful website content. So far, 24 states have developed legislation to stop children from accessing harmful images including pornography in schools and libraries.

Even in those states where web filtering for schools is not obligatory, lobby groups and parents’ associations have asked for more stringent controls in relation to the content that can be accessed on school computers and through school networks. Web filtering for schools a requirement rather than an option.

While the chief purpose of web filtering for schools is to prevent access to obscene or harmful website content, many schools have opted to put in place a content filtering solution as a cybersecurity tactic. Web filters are used to stop malware downloads and obstructing phishing attacks.

Previously, web filtering required a physical appliance to be placed on a firewall. Appliance based web filters have a number of weaknesses. Appliances are not cheap and need to be updated and maintained by IT support staff. They also restrict the number of users that can access the Internet. When capacity needs to be strengthened, new hardware needs to be bought.

Now a rising number of schools are choosing a lower cost solution. Cloud based web filtering for schools does not necessitate the purchasing of any additional hardware, saving schools thousands of dollars in equipment investment. There is also no obligation for IT teams to be on site. When using a cloud-based solution, everything is cloud based and no software installations are required. DUe to this the entire system can be managed remotely. In order to begin all that you need is for a simple change to be made to the DNS to point it to the solution provider’s servers. That process usually takes just a very short period of time.