Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

We explored the dangers of pirated sport streams so you don’t have to

Coauthored by Dominick Bitting, Sr. Threat Research Analyst, and Colin Maguire, Web Content Specialist.

Manchester City win the Carabao Cup Final, many illegal streamers lose

The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, Youtube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has ran parallel with a rise in  digital piracy.

Piracy is widespread and – ethical issues aside – makes for an interesting case study from a threat research perspective. In terms of sports, European football is the most commonly pirated, making up more than a quarter of all illegal sports streams according to one recent study

There is a sizable online community that shares bootlegged movies, TV and live sports streams without copyright protection over HTTP/HTTPS. Sites streaming pirated sports, specifically the English football “free-to-view” sites, were the subject of an April 2021 Webroot study on the week of the Carabao Cup final game between Manchester City and Tottenham Hotspur.

This was not meant to be an exhaustive study, but rather focused on getting a snapshot of the dangers involved in spending 90 minutes illegally streaming a match online.

The sites we analysed

We analysed a total of 20 sites in the study, of which 12 “game sites” were analysed in greater detail for the duration of the Cup Final. 92% per cent of illegal streaming sites analysed by Webroot were found to contain some form of malicious content.

Site Ratings

Sites ranged from having a “trusted” Webroot Brightcloud® reputation score of 92 to an “untrusted” rating of 44. All sites at time of testing had a safe, zero detection rating in Virus Total except for one, “daddylive”, with a rating of 1/85.

However, when examined more closely, most hosting IPs were found to have hosted malicious content (such as some serious malware) in the past, and had connections to other high-risk IPs. Some of the sites caught our attention for leading to a massive amount of URLs. For instance, rojadirecta[.]me pulled 565 different URLs. We focused most of our attention on these suspicious sites.

Virustotal.com graph for hulkstreams. Contextual graphs such as these show the relationships between web hosts and dropped malware
Brightcloud’s Threat Investigator Showing Contextual Information for jokerstream

Insecure Sites

Most of the sites analysed were insecure and running HTTP. The lack of security on these sites means any personal data shared across the site’s connection is out in the open. While the more secure HTTPS isn’t always a guarantee a site is completely safe, the lack of certification and security protocol were red flags, making sharing details or sensitive information risky.

Malvertising/Dishonest links

Most of these sites (more specifically the advertising on these sites) use dishonesty and social engineering to fool users into opening links, enabling an action on their browser or downloading a file they never intended to. This is done using an array of tricks like fake “X” boxes on video overlays, false “notification enable” messages and outrageous promises and warnings.

Redirects

Redirects are not bad in and of themselves, but when links jump between a number of unrelated sites (e.g. sports to dating to bitcoin to online shopping) this is a definite red flag. And we observed it a lot on illegal streaming sites. This signals that the site or site network admins must constantly change what their links direct to as they introduce new URLs. The presence of zero-day (or brand new) sites is a related bad indicator when looking at any site and it’s connected IPs.

Types of threats we saw on pirated streaming sites

Bitcoin scams

“With cryptocurrency values soaring again, executable based cryptojacking has been on the rise.”
Webroot’s 2021 Threat Report

We observed targeted and localised bitcoin scams promising riches and asking users for banking details. The price of Bitcoin and other cryptocurrencies have been booming over the last year, and the rise and fall of these prices affects cryptocrime levels. We observed convincing ads and websites that link directly to fake news sites or feature local(ised) celebrities and politicians selling scams.

An example of a bitcoin scam site that has been localised to appeal to users browsing with an Irish IP address
An example of a bitcoin scam site that has been localised to appeal to users browsing with an Irish IP address

This “Mirror” fake news page is clearly designed to copy the popular UK newspaper. It is a front for a “get rich quick” scam designed to gather users’ cash and personal details. Different versions of this scam have been observed localised for different countries. This was pushed on the vipleague[.]lc streaming site.

“Appearing on the ‘BBC Breakfast’ show, Bill Gates revealed that he invested substantial amounts of money. The idea was simple: allow the average person the opportunity to cash in…”
Text from one scam we witnessed

An example of a bitcoin scam site that has been localised to appeal to users browsing with a UK IP address
A fake AV scam claiming to have found threats on your machine.

Hijacked search results

Hijacking browsers allows cybercriminals to switch a user’s default browser and take over its notifications. This means different search results are served up or users can be spammed with junk notifications and explicit content. Even if users shut down their laptops, the changes will remain.

Notification hijacking

Users looking to watch a stream are also tricked into allowing notifications, which bombard them with explicit and extreme content, as well as scams and links to other malicious sites.

Users of Technoreels are asked to allow notifications to see a stream. This button does not need to be clicked to view content so the messaging is dishonest and those that allow the content will get constant notifications for porn, dating, scams and other content.
An example of spam browser notifications. This one localised to appear to German IP addresses.

Browser Hijacker

Links on jackstream. push users into installing a browser hijacker known as mysearchflow.com, which is blocked as Spyware/Adware by Webroot. Clicking on the stream causes a popup which asks to allow notifications. These particular notifications were pop-up ads appearing in the screen’s right corner that were very intrusive and not easy to disable.

Mobile Threats

All these sites supported mobile browsing and the advertising, social engineering and malicious content targeting mobile users, too. For instance, links pointed to fake mobile apps with privacy issues and useless in-app purchases ranging from £2.09 – £114.99. It’s important for users to note that many of these mobile apps can also be installed on PCs and are often difficult to remove. Here’s a mobile advertisement from hulkstreams.com that earns clicks by claiming a device is infected with viruses.

Figure 2 The initial false “Google” warning on Hulksteams pushing

We installed and ran this particular product. It turned out to be an example of fleeceware, a type of malware that tries to sneak excessive fees past subscribers. It had over 10 thousand downloads on the Google Play store already. The product offered in-app purchases ranging from £2.09 – £114.99 per item and has since been marked as malicious by our threat intelligence.

The sites we analysed. Starred sites indicate “game sites.”
hulkstreams.com*
jackstreams.com*
0eb.net*
jokerswidget.com*
strims.world*
livetotal.tv*
vipleague.lc*
fotyval.com*
footybite.com*
daddylive.co/*
elixx.me/schedule.html*hdstreamss.club/*
liveonscore.tv/
red.soccerstreams.net/
www.blacktiesports.net/soccerstreams/
www.hesgoal.com/
www.ovostreams.com/soccer-streams.php
www.sportnews.to/schedule/
www.sportp2p.com
Figure 3 After installation the app incorrectly advises that you have “several trojans” and then offers to “repair your device”. This is a front for pushing more bogus upgrades and charges.

Our advice

Since pirate streams operate outside the law, they often sell advertising space to entities that are also operating outside the law. Although we found some advertising from reputable vendors, we would not recommend visiting these sites for the good of your overall online safety.

We do recommend that, when browsing any site on the web, users update their software and operating systems, employ AV and anti-phishing detection, and double-check any links before clicking, especially when they profess to offer something that seems too good to be true.

We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.

“It is a nightmare. Do all you can to prevent ransomware.”
 
– A survey respondent

Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.

By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.

Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.

Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.

But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.

Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.

Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.

Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.

KEY FINDINGS

  • 50% of ransomware demands were more than $50k
  • 40% of ransomware attacks consumed 8 or more man-hours of work
  • 46% of businesses said their clients were also impacted by the attack
  • 38% of businesses said the attack harmed their brand or reputation
  • 45% were ransomware victims in both their business and personal lives
  • 50% of victims were deceived by a malicious website email link or attachment
  • 45% of victims were unaware of the infection for more than 24 hours
  • 17% of victims were unable to recover their data, even after paying the ransom

Maze Ransomware is Dead. Or is it?

“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At least,” he amends, “for now.”

Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued a kind of press release, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an estimated 12% of all successful ransomware attacks. So why did they shut down?

I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.

Why do you think Maze was so successful?

Maze had a great business model. They were the group that popularized the breach leak/auction website. So, they didn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction.

Why was this shift so revolutionary?

The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.

Now think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because of regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. So, instead of simply saying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the world – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the more cost effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it.

Other than the leak sites, did they do anything else noteworthy or different from other groups?

One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop.

Do you think the move to remote work during the pandemic contributed to their success?

Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.

If Maze was doing so well, why did they shut down?

Probably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they’ve gotten from their payouts and enjoy life. Or, sometimes, they don’t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name.

How can you tell when an old group has rebranded?

Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot.

Do you think Maze is done for good?

Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses who are less likely to have strong enough security measures. Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned such a winning business model entirely.

The verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance.

Stay tuned for more ransomware developments right here on the Webroot blog.

False Confidence is the Opposite of Cyber Resilience

Have you ever met a person who thinks they know it all? Or maybe you’ve occasionally been that person in your own life? No shame and no shade intended – it’s great (and important) to be confident about your skills. And in cases where you know your stuff, we encourage you to keep using your knowledge to help enhance the lives and experiences of the people around you.

But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.

Overconfidence by the Numbers

Approximately 3 in 5 people (59%) worldwide think they know enough to stay safe online.

You may think 59% doesn’t sound high enough to earn the label of “false confidence”. But there were two outliers in our survey who dragged the average down significantly (France and Japan, with only 44% and 26% confidence, respectively). If you only take the average of the five other countries surveyed (the US, UK, Australia/New Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK respondents had the highest level of confidence out of all seven regions surveyed with 75%.

8 in 10 people say they take steps to determine if an email message is malicious.

Yet 3 in 4 open emails and click links from unknown senders.

When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.

Individualism

According to Dr. Rajivan, it’s important to note that Japan had the lowest level of confidence about their cybersecurity know-how (only 26%), but the survey showed they also had the lowest rate of falling victim to phishing (16%). He pointed out that countries with more individualistic cultures seem to align with countries who ranked themselves highly on their ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.

How These Numbers Affect Businesses

Only 14% of workers feel that a company’s cyber resilience is a responsibility all employees share.

The correlations between overconfidence and individualism may also translate into a mentality that workers are not responsible for their own cybersecurity during work hours. While 63% of workers surveyed agree that a cyber resilience strategy that includes both security tools and employee education should be a top priority for any business, only 14% felt that cyber resilience was a shared responsibility for all employees.

How to Create a Cyber Aware Culture

The short answer: a strong combination of employee training and tools.

The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Additionally, he tells us, “Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior.”

Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.

It’s clear a little training can go a long way. If you want to increase cyber resilience, you have to minimize dangerous false confidence. And to do that, you need to empower your workforce with the tools and training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.

Learn more about Security Awareness Training programs.

The Truth about Phishing & the Psychology of Why We Click

“Phishing” may have been a relatively obscure term, but pretty much everyone has heard of it by now. In fact, recent statistics indicate a high likelihood that you—or someone you know—have been the victim of a phishing attack at least once. 

Now, if you remember the classic Nigerian Prince scams from back in the day, you might be asking yourself how the stats could be so high. After all, it seems pretty unlikely that an otherwise cautious person would fall for something like that, right? And in today’s cyber-climate, where the news is filled with headlines about major hacks and malware infections that spread like wildfire, why would anyone click on links from unknown senders or hand over their sensitive, personal information (think SSNs, etc.) without verifying the authenticity of the request? It turns out, there are a lot of subconscious influences at play, and the thing that makes phishing attacks so successful is the way they take advantage of our trust, curiosity, fear, greed, and even desire to do a good job at work.

Understanding the factors that drive a successful phishing attack is fundamental to preventing them in the future. That’s why Webroot partnered with Dr. Cleotilde Gonzalez, research professor at Carnegie Mellon University, to take a deep dive into the psychology of phishing. 

Read our full report, Hook, Line, and Sinker: Why Phishing Attacks Work, for more information on the psychology behind phishing attacks.

Tip #1: Maintain strong, unique passwords. Using individual passwords for each of your accounts will help prevent fraud, identity theft, and other malicious activity. Consider using a secure password manager, and enable two-factor authentication wherever possible.

What kind of person clicks a phishing link, anyway?

The truth? We all do it. While 86% of Americans believe they can distinguish a phishing message from a genuine one, 62% have had their personal information compromised as part of a breach. So what’s the deal here?

“People are generally overconfident about their ability to spot the fakes. Overconfidence is a big problem in many human actions. In this case, this probably happens because the ratio of phishing emails to regular emails feels low, so our mind underestimates the probability of receiving a phishing email, and in turn, overestimates our ability to identify one if we do.” – Cleotilde Gonzalez, Ph. D.

Tip #2: Stay on your toes. The more overconfident and complacent you are about your security, the easier it is for you to be phished. Don’t play into a cybercriminal’s hands. Maintaining a healthy level of suspicion about all links and attachments in messages may make all the difference during an attempted breach.

How are phishers using psychology against us?

By tapping into our own personal sense of urgency, cybercriminals are able to manipulate us in subtle ways that we may not realize until it is too late. Hackers often use cleverly disguised email handles and targeted messaging, known as “spear phishing,” to create a sense of trust and familiarity. This makes links appear more legitimate, and makes us perceive the click as less risky.

“Ultimately, urgency, familiarity, and context have a strong impact on decision making. If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.” – Cleotilde Gonzalez, Ph. D.

What are the most convincing ways for a phisher to tap into your sense of urgency to get you to open their email? 

  • 65% of Americans prioritize emails from their boss 
  • 54% prioritize emails from family or friends 
  • 33% prioritize emails to confirm bank transactions 

That means you shouldn’t feel weird or guilty for verifying odd requests from bosses, family, or friends. If your boss sends you an email asking for out-of-the-ordinary action, don’t hesitate to call them up and ask them for details. (Do this instead of replying to the email.) Same with links, downloads, and requests for information from family and friends. It never hurts to double-check.

Practicing phishing mindfulness, even when clicking links from seemingly trustworthy sources, cuts down significantly of the efficacy of spear phishing attacks. Pay close attention to sender addresses and handles, as well as signatures. If you get an email from your bank, financial institution, or even a regular website for which you have a login, navigate to their official website independently instead of clicking through on that potentially risky email.

Tip #3: Back everything up and do it regularly. All of your important data and files should be regularly backed up to a secure hard drive or cloud storage. When using a physical hard drive, only connect it while backing up. This will help prevent the drive from being affected by an infection.

Why are we still clicking?

Here’s the thing: 76% of Americans know they have received a phishing email, and yet still 56% of people would feel comfortable clicking on a link or attachment from an unknown source on their personal devices. So why are so many of us still willing to jeopardize our safety for an unknown link?

“Risk and under-weighed probability are linked. Risks sometimes come with rewards, right? So if the risk seems low and the reward seems high, you’ll make riskier decisions. It’s like gambling; our minds explore different gain/loss experiences, then respond with risk-taking or risk-averse actions.” – Cleotilde Gonzalez, Ph. D.

Tip #4: Always keep your software up-to-date. Hackers are known to regularly exploit security holes in outdated software and operating systems. By installing software updates when prompted, you can stop many cybercriminals in their tracks. 

What if you’ve been phished? Now what?

With 62% of those surveyed reporting some type of data breach, it’s important to know what to do in the event of a breach that can help keep the damage to a minimum. George Anderson, Product Marketing Director at Webroot, recommends the following steps:

  1. Change your account passwords immediately! That includes accounts you don’t believe were breached, but are using the same or a similar password.
  2. Set up alerts with your credit agency. 
  3. Void existing credit cards and order new ones. 
  4. Engage a credit security service. 
  5. Notify law enforcement or the appropriate government agency

While some of these steps may seem obvious to you, they clearly need to be repeated; of people whose information was stolen or exposed, a baffling 32% didn’t bother to change their account passwords afterward. 

Dr. Gonzales shared her thoughts on what can be done to combat this type of complacency.

“These findings illuminate the fact that what we really need here is a mindset makeover,” she says. “The longer-term reward of security needs to be highlighted, front and center, not placed on the backburner. To do that, we’re going to have to shift the way that people think about security and prioritize their responsibilities. We have to allow the time and brain space for security-related considerations.”

What can we all do going forward?

You can nurture the type of security mindset shift Dr. Gonzalez references by taking small steps. First, you know those software and security updates you (like many people) are probably putting off? Just do them. Enable two-factor authentication wherever possible, especially on important online accounts like your banking and credit institution websites. 

You may even find that your heightened security practices influence those around you to make stronger choices. After all, seeing a person you know being on top of their game can be very motivating to start making personal changes! 

Remember, the most important thing you can do is avoid overconfidence. Don’t underestimate the risk of a phishing attack. Doing that is exactly what will make you a prime target for criminals.

“It’s a classic case of underweighting probabilities, but explicit numbers speak for themselves. Providing this information might help people calibrate the risk and confidence more accurately.” – Cleotilde Gonzalez, Ph. D.

Cyber News Rundown: MedusaLocker Ransomware

MedusaLocker Ransomware Spotted Worldwide

While it’s still unclear how MedusaLocker is spreading, the victims have been confirmed around the world in just the last month. By starting with a preparation phase, this variant can ensure that local networking functionality is active and maintain access to network drives. After shutting down security software and deleting Shadow Volume copies, it begins encrypting files while setting up self-preservation tasks.

Bargain Website Server Exposes Customer Data

Several websites used by UK customers to find bargains have left a database filled with customer data belonging to nearly 3.5 million users completely unprotected and connected to the internet. Along with the names and addresses of customers, the database also included banking details and other sensitive information that could be used to commit identity fraud. The researchers who initially discovered the breach notified the site owners, but received no response or any indication the leak would be resolved until nearly six weeks after the database was left exposed.

Arrests Made Following Major BEC Scam

At least three individuals have been arrested in Spain for their connection to a business email compromise (BEC) scam that netted over 10 million euros and affected 12 companies across 10 countries. It appears the operation began in 2016 and involved the cooperation of multiple law enforcement agencies. By creating a web of fake companies and bank accounts, the group was able to successfully launder money into various investments, including real estate, in an attempt to remain undetected.

LA Court System Hacked

The perpetrator of a 2017 spear phishing attack on the LA court system was sentenced to 145 months in prison following convictions on charges of wire fraud, unauthorized access to a computer, and identity theft. The individual was able to compromise employee email accounts and use them to launch a malspam campaign that distributed over 2 million emails.

Pennsylvania School District Hacked

Multiple students are being questioned after school district officials noticed unauthorized access to the student assistance site Naviance, a hack which appears to have been an attempt “to gain a competitive edge in a high-stakes water gun fight.” Access to the site would have also given them access to other student’s personal data, though no financial or social security information is stored on the site. District officials determined the security practices for the site lacking but have not currently released plans for improvement.

5 Key Benchmarks for Choosing Efficient Endpoint Security

First and foremost, endpoint protection must be effective. Short of that, MSPs won’t succeed in protecting their clients and, more than likely, won’t remain in business for very long. But beyond the general ability to stop threats and protect users, which characteristics of an endpoint solution best set its administrators for success?

Get the 2019 PassMark Report: See how 9 endpoint protection products perform against 15 efficiency benchmarks.

Consider the world of the MSP: margins can be thin, competition tight, and time quite literally money. Any additional time spent managing endpoint security, beyond installing and overseeing it, is time not spent on other key business areas. Performance issues stemming from excess CPU or memory usage can invite added support tickets, which require more time and attention from MSPs. 

So, even when an endpoint solution is effective the majority of the time (a tall order in its own right), other factors can still raise the total cost of ownership for MSPs. Here are some metrics to consider when evaluating endpoint solutions, and how they can contribute to the overall health of a business. 

1. Installation Time

We’ve written recently about the trauma “rip and replace” can cause MSPs. It often means significant after-hours work uninstalling and reinstalling one endpoint solution in favor of another. While MSPs can’t do much about the uninstall time of the product they’ve chosen to abandon, shopping around for a replacement with a speedy install time will drastically reduce the time it takes to make the switch. 

Quick installs often also make a good impression on clients, too, who are likely having their first experience with the new software. Finally, it helps if the endpoint solution doesn’t conflict with other AVs.  

2. Installation Size

Few things are more annoying to users and admins than bulky, cumbersome endpoint protection, even when it’s effective. But cybersecurity is an arms race, and new threats often require new features and capabilities. 

So if an endpoint solution is still storing known-bad signatures on the device itself, this can quickly lead to bloated agent with an adverse effect on overall device performance. Cloud-based solutions, on the other hand, tend to be lighter on the device and less noticeable to users.

3. CPU Usage During a Scan

Many of us will remember the early days of antivirus scans when considering this stat. Pioneering AVs tended to render their host devices nearly useless when scanning for viruses and, unfortunately, some are still close to doing so today. 

Some endpoint solutions are able to scan for viruses silently in the background, while others commandeer almost 100 percent of a device’s CPU to hunt for viruses. This can lead to excruciatingly slow performance and even to devices overheating. With such high CPU demand, scans must often be scheduled for off-hours to limit the productivity hit they induce. 

4. Memory Usage During a Scheduled Scan 

Similar to CPU use during a scan, RAM use during a scheduled scan can have a significant effect on device performance, which in turn has a bearing on client satisfaction. Again older, so-called legacy antiviruses will hog significantly more RAM during a scheduled scan than their next-gen predecessors. 

While under 100 MB is generally a low amount of RAM for a scheduled scan, some solutions on the market today can require over 700 MB to perform the function. To keep memory use from quickly becoming an issue on the endpoints you manage, ensure your chosen AV falls on the low end of the RAM use spectrum. 

5. Browse Time

So many of today’s threats target your clients by way of their internet browsers. So it’s essential that endpoint security solutions are able to spot viruses and other malware before it’s downloaded from the web. This can lead to slower browsing and frustrate users into logging support tickets. It’s typically measured as an average of the time a web browser loads a given site, with variables like network connection speed controlled for. 

Effectiveness is essential, but it’s far from the only relevant metric when evaluating new endpoint security. Consider all the above factors to ensure you and your clients get the highest possible level of satisfaction from your chosen solution.

Webroot DNS Protection: Now Leveraging the Google Cloud Platform

We are  excited to announce Webroot® DNS Protection now runs on Google Cloud Platform (GCP). Leveraging GCP in this way will provide Webroot customers with security, performance, and reliability. 

Security

Preventing denial of service (DoS) attacks is a core benefit of Webroot DNS Protection. Now, the solution benefits from Google Cloud load balancers with built-in DoS protection and mitigation, enabling the prevention of attack traffic before it ever hits the agent core. 

“The big thing about Google Cloud is that it dynamically manages denial of service (DoS) attacks,” said Webroot Sales Engineer Jonathan Barnett. “That happens automatically, and we know Google has that figured out.”

Click here to learn why businesses need DNS protection.

Performance

With this release, Webroot DNS Protection now runs on the Google Cloud’s high-redundancy, low-latency networks in 16 regions worldwide. That means there’s no need for a Webroot customer in Australia to have a DNS request resolved in Los Angeles, when more convenient infrastructure exists close by.  

“Google Cloud provides the ability to scale by adding new regions or new servers whenever necessary as load or need determines, nationally or internationally,” said Barnett. “This allows us to provide geolocation-appropriate answers for our customers, maximizing performance.”

Reliability

Because of GCP’s global infrastructure footprint, Webroot can quickly and easily provision more of Google’s servers in any region to ensure latency times remain low. 

And because those regional deployments can be programmed to auto-scale with spikes in traffic, even drastically increasing loads won’t increase wait times for requests.

According to Barnett, “Even if Webroot were to take on a large number of customers in a short time period, say with the closing of a deal to offer DNS solutions to an enterprise-level client with a number of subsidiaries, our environments would automatically scale with the additional load.”

One more note on the release 

Another key feature of the April DNS agent update regards switching communications from port 53, which is typically associated with DNS requests, to port 443, which is more commonly associated with SSL certificates.

The reason for this change is that, given port 443’s relevance to routine requests like banking sites and those accepting payment information, it is rarely constrained, modified, or controlled. This will reduce the need to configure firewalls or make other admin adjustments in order for Webroot DNS Protection to function as intended. 

It’s good to be in good company

With Webroot DNS Protection now leveraging the GCP will power your network-level protection. Fewer outages, latency, and bottlenecks. Ready to experience Webroot DNS Protection for yourself? Try it free for 30-days here. 

A Chat with Kelvin Murray: Senior Threat Research Analyst

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest conversation. From finding new threats to answering questions from the press, Kelvin has become a trusted voice in the cybersecurity industry.

What is your favorite part of working as a Senior Threat Research Analyst? 

My favorite part about being a threat researcher is both the thrill of learning about new threats and the satisfaction of knowing that our work directly protects our customers. 

What does a week as a Senior Threat Research Analyst look like? 

My week is all about looking at threat information. Combing through this information helps us find meaningful patterns to make informed analysis and predictions, and to initiate customer protections. It roughly breaks down into three categories. The first would be “top down” customer data like metadata. The data we glean from our customers is very important and a big part of what we do. The interlinking of all our data and the assistance of powerful machine learning is a great benefit to us.  

Next would be “whole file” information, or static file analysis and file testing. This is a slow process but there are times when the absolute certainty and granular detail that this kind of file analysis provides is essential. This isn’t usually part of my week, but I work with some great specialists in this regard.  

Last would be news and reports on the threat landscape in general. Risks anywhere are risks everywhere. Keeping up to date with the latest threats is a big part of what I do. I work with a variety of internal teams and try to advise stakeholders, and sometimes media, on current threats and how Webroot fits in. Twitter is a great tool for staying in the know, but without making a list to filter out the useful bits from the other stuff I follow, I wouldn’t get any work done! 

What skills have you built in this role? 

Customer support taught me a lot in terms of the client, company culture, and dealing with customer requests. By the time I was in business support I was learning the newer console system and more corporate terms. Training on the job was very useful for my move to threat, where I also picked up advanced malware removal (AMR), which is the most hands on you can get with malware and the pain it causes customers. All of that knowledge is now useful to me in my public facing role where I prepare webinars, presentations, interviews, blogs, and press answers about threats in general. 

What is your greatest accomplishment in your career at Webroot so far? 

Learning the no-hands trick on the scooter we have in the office. And of course my promotion to Senior Threat Research Analyst. I have had a lot of different roles in my time here, but I’m glad I went down the path I did in terms of employment. There’s never a dull moment when you are researching criminal news and trends, and surprises are always guaranteed. 

What brought you to Webroot? 

I like to say divine providence. But really I had been travelling around Asia for a few months prior to this job. When I got back home I was totally broke and needed a job. A headhunter called me up out of the blue, and the rest is history.   

Are you involved in anything at Webroot outside of your day to day work? 

Listening, singing and (badly) dancing to music. Dublin is a fantastic place for bands and artists to visit given its proximity to the UK and Europe and the general enthusiasm of concert goers. I do worry that a lot of venues, especially nightclubs, are getting shut down and turned into hotels though. I sing in a choir based out of Trinity College.  

Favorite memory on the job? 

Heading to (the now closed) Mabos social events with my team. The Mabos collective ran workshops and social and cultural events in a run-down warehouse that they lovingly (and voluntarily) converted down in Dublin’s docklands. Funnily enough, that building is now Airbnb’s European headquarters. 

What is your favorite thing about working at Webroot? 

The people that I get to work with. I have made many great friendships in the office and still see previous colleagues socially, even those from five or six years ago.  

What is the hardest thing about being a Senior Threat Research Analyst? 

Prioritizing my time. I can try my hand at a few different areas at work, but if I don’t focus enough on any one thing then nothing gets done. I find everything interesting and that curiosity can get in the way sometimes! 

What is your favorite thing to do in Dublin?  

Trying new restaurants and heading out to gigs. I’d be a millionaire if I didn’t eat out at lunchtime so much. Dublin is full of great places. I like all kinds of gigs from dance to soul to traditional. The Button Factory is one of the coolest venues we have. 

How did you get into the technology field? 

I first become interested in technology through messing with my aunt’s Mac back in the early 90s. There were a lot of cool games on her black and white laptop she brought home from a compucentre she worked in, but the one that sticks in my memory was Shufflepuck Café. My dad always had some crazy pre-Windows machines lying around. Things with cartridges or orange text screens running Norton commander. 

 To learn more about life at Webroot, visit https://www.webroot.com/blog/category/life-at-webroot/

Antivirus vs. VPN: Do You Need Both?

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax returns known as tax-related identity theft

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Evaluating cybersecurity for your home or business? See how 1,600+ IT pros rank all the top competitors against key performance metrics.

Individuals are right to wonder how much of their personally identifiable data (PII) has already leaked onto the dark web. Are their enough pieces of the puzzle to reconstruct their entire online identity?  

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as compliments to each other. Essentially, antivirus solutions keep malware and other cyber threats at bay from your devices, while VPNs cloak your data by encrypting it on its journey to and from your device and the network it’s communicating with. One works at the device level and the other at the network level.  

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approached to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.  

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminals bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.  

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

HTTPS: Privacy vs. Security, and Where End Users and Security Culture Fit In

Since the dawn of IT, there’s been a very consistent theme among admins: end users are the weakest link in your network, organization, security strategy, fill-in-the-blank. We’ve all heard the stories, and even experienced them first-hand. An employee falls for a phishing scam and the whole network is down. Another colleague torrents a file laced with malware. Or maybe it’s something less sinister: someone wants to charge their phone, so they unplug something from the only nearby outlet, but what they unplug is somehow critical… help desk tickets ensue. 

But when it comes to security issues caused by human error, it’s not necessarily always the end user’s fault. Cyberattacks are getting more and more sophisticated by the second, and all of them are designed to either circumvent defenses or appear totally legitimate to fool people. One of the major advances of this type that we’ve seen is with phishing sites and the use of HTTPS.

HTTPS: The Beginning

While HTTP is the foundation of all data exchange and communication on the internet, it wasn’t designed for privacy. Transmitting information on the web using HTTP is kind of like sending a postcard; anybody who handles that card can read it. HTTPS was supposed to be a way of adding privacy to protect users and sensitive information from prying eyes.

At first, you’d only see HTTPS on financial or health care websites, or maybe the cart page on a shopping site, where the extra privacy was necessary. And back then, getting a security certificate was much harder—it involved significant costs and thorough security checks. Then, a few years ago, most web browsers started requiring security certificates for every website, or else they’d throw up a scary-looking warning that the site you were trying to visit might be dangerous. That trained us to look for (and trust) HTTPS.

A False Sense of Security

These days, when we see HTTPS at the beginning of a URL or the accompanying lock icon in our browser’s address bar, we’ve been conditioned to think that means we’re safe from harm. After all, the S in HTTPS stands for “secure”, right? But the issue is that HTTPS isn’t really about security, it’s about privacy. That little lock icon just means that any information we transmit on that site is encrypted and securely delivered to its destination. It makes no guarantees that the destination itself, is safe.

If you unwittingly end up on a well-faked phishing copy of your banking website and see the lock icon, it’s natural to assume that you’re in the right place and all is well. Except when you try to log in, what you’re really doing is securely transmitting your login credentials to an attacker. In this case, HTTPS would’ve been used to trick you.

The Bad Guys and HTTPS

Malicious actors are always looking for new ways to trick end users. Because so many of us think HTTPS ensures security, attackers are using it against us. It’s no longer difficult to obtain a security certificate. Attackers can do so very cheaply, or even for free, and there’s really no background or security check involved. 

As I mentioned during my talk on HTTPS at this year’s RSA conference, almost half a million of the new phishing sites Webroot discovered each month of 2018 were using HTTPS. In fact, 93% of phishing domains in September and October alone were hosted on HTTPS sites. When you think about these numbers, it’s easy to see why end users might not be to blame when you discover that a major security breach was caused by someone being duped by a phishing scam. 

The Way Forward

As more HTTPS phishing and malware sites emerge, even the most vigilant among us could fall victim. But that doesn’t mean we shouldn’t invest in end user education. End users are on the front lines on the cybersecurity battlefield. It’s up to us to provide right tools and armor to keep users and the companies they represent safe. To be truly effective, we need to implement ongoing security awareness training programs that recur continually throughout an employee’s time with the company. If we accomplish that, the results speak for themselves; after 12 months of training, end users are 70% less likely to fall for a phishing attempt!

We also need to make sure our security strategies incorporate real-time threat intelligence to accurately classify and determine which websites are good or malicious, regardless of their HTTPS designation. In an age where phishing sites appear and disappear in a matter of hours or minutes, malicious sites use HTTPS, and at least 40% of bad URLs can be found on good domains, it’s more important than ever that we all use the most advanced real-time technologies available. 

Ultimately building a culture of cybersecurity will always be more effective than a top-down mandate.. Everyone in the organization, from the CEO to the newest intern, should be invested in adopting and furthering a security conscious culture. Part of that process is going to be shifting the general IT perceptions around human error and the issues it can cause. We shouldn’t think of our end users as the weakest link in the chain; instead we should think of them as the key to a robust security strategy.

To hear more about HTTPS, phishing, and end user education, you can listen to the podcast I did with cybersecurity executive and advisor Shira Rubinoff at RSAC 2019.

Post Coinhive, What’s Next for Cryptojacking?

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.