A new malware campaign has been found using coronavirus-themed lures to strike government and energy sectors in Azerbaijan with remote access trojans (RAT) capable of exfiltrating sensitive documents, keystrokes, passwords, and even images from the webcam. The targeted attacks employ Microsoft Word documents as droppers to deploy a previously unknown Python-based RAT dubbed “PoetRAT” due to
The Hacker News
Reading Time: ~ 3 min.
Despite the intent of ensuring safe transit of information to and from a trusted website, encrypted protocols (usually HTTPS) do little to validate that the content of certified websites is safe.
With the widespread usage of HTTPS protocols on major websites, network and security devices relying on interception of user traffic to apply filtering policies have lost visibility into page-level traffic. Cybercriminals can take advantage of this encryption to hide malicious content on secure connections, leaving users vulnerable to visiting malicious URLs within supposedly benign domains.
This limited visibility affects network devices that are unable to implement SSL/TLS decrypt functionality due to limited resources, cost, and capabilities. These devices are typically meant for home or small business use, but are also found in the enterprise arena, meaning the impact of this limited visibility can be widespread.
With 25% of malicious URLs identified by Webroot hosted within benign domains in 2019, a deeper view into underlying URLs is necessary to provide additional context to make better, more informed decisions when the exact URL path isn’t available.
Digging Deeper with Advanced Threat Intel
The BrightCloud® Web Classification and Web Reputation Services offers technology providers the most effective way to supplement domain-level visibility. Using cloud-based analytics and machine learning with more than 10 years of real-world refinement, BrightCloud® Threat Intelligence services have classified more than 842 million domains and 37 billion URLs to-date and can generate a predictive risk score for every domain on the internet.
The Domain Safety Score, available as a premium feature with BrightCloud® Web Classification and Reputation services, can be a valuable metric for filtering decisions when there is lack of path-level visibility on websites using HTTPs protocols. Even technology partners who do have path-level visibility can benefit from using the Domain Safety Score to avoid the complexity and compliance hurdles of deciding when to decrypt user traffic.
The Domain Safety Score is available for every domain and represents the estimated safety of the content found within that domain, ranging from 1 to 100, with 1 being the least safe. A domain with a low score has a higher predictive risk of having content within its pages that could compromise the security of users and systems, such as phishing forms or malicious downloads.
Using these services, organizations can implement and enforce effective web policies that protect users against web threats, whether encrypted through HTTPs or not.
Devising Domain Safety Scores
As mentioned, a Domain Safety Score represents the estimated safety of the content found within that domain. This enables better security filtering decisions for devices with minimal page-level visibility due to increasing adoption of HTTPS encryption.
How do we do it?
BrightCloud uses high-level input features to help determine Domain Safety Scores, including:
- Domain attribute data, including publicly available information associated with the domain, such as registry information, certificate information, IP address information, and the domain name itself.
- Behavioral features obtained from historical records of known communication events with the domain, gathered from real-world endpoints.
- A novel deep-learning architecture employing multiple deep, recurrent neural networks to extract sequence information, feeding them into a classification network that is fully differentiable. This allows us to use the most cutting-edge technology to leverage as much information possible from a domain to determine a safety score.
- Model training using a standard backpropagation through time algorithm, fully unrolling all sequences to calculate gradients. In order to train such a network on a huge dataset, we have developed a custom framework that optimizes the memory footprint to run efficiently on GPU resources in a supercomputing cluster. This approach allows us to train models faster and iterate quickly so we can remain responsive and adapt to large changes in the threat landscape over time.
A secure connection doesn’t have to compromise your privacy. That’s why Webroot’s Domain Safety Scores peek below the domain level to the places where up to a quarter of online threats lurk.
Learn more about Domain Safety Scores, here.
The post The Problem with HTTPS appeared first on Webroot Blog.
Reading Time: ~ 3 min.
One of the most notable findings to come from the Webroot 2020 Threat Report was the significant rise in the number of active phishing sites over 2019—a 640% rise, to be exact. This reflects a year-over-year rise in active phishing sites, but it’s important to keep this (dangerous) threat in context.
“Of all websites that host malicious content, phishing historically has been a minority,” says Webroot Security Analyst Tyler Moffitt. “While it’s growing quite a bit and a significant threat, it’s still not a large percentage of the websites being used for malicious content. Those would be things like botnets or malware hosting.”
This traditional low instance rate is likely one explanation—or at least a portion of an explanation—that’s led to such a gaudy increase in the number of active sites.
Here are three other factors that may have contributed to the rise.
The diversification of attacks
Since first being described in a 1987 paper, phishing attacks have diversified considerably. While it was once reliably email-based with a broad scope, it now entails malware phishing, clone phishing, spear phishing, smishing, and many more specialized forms. Inevitably, these strains of attack require landing pages and form fields in for users to input the information to be stolen, helping to fuel the rise in active phishing sites.
Spear phishing—a highly targeted form of phishing requiring cybercriminals study their subject to craft more a realistic lure—has turned out to be a lucrative sub-technique. This has likely contributed to more cybercriminals adopting the technique over mass-target emails pointing to a single source. More on profitability later.
Check out this infographic for 5 tips on recognizing a phishing email.
After years of studying phishing data, it’s clear that the number of active phishing sites rises predictably during certain times of the year. Large online shopping holidays like Prime Day and Cyber Monday inevitably precipitate a spike in phishing attacks. In another example, webpages spoofing Apple quadrupled near the company’s March product release date, then leveled off.
Uncertainty also tends to fuel a rise in phishing sites.
“Not only do we always see a spike in phishing attacks around the holidays,” says Moffitt, “It also always happens in times of crisis. Throughout the COVID-19 outbreak we’ve followed a spike in phishing attacks in Italy and smishing scams promising to deliver your stimulus check if you click. Natural disasters also tend to bring these types of attacks out of the woodwork.”
The year 2019 was not without its wildfires, cyclones, and typhoons, but it’d be safe to suspect the number of phishing sites will grow again next year.
Short codes and HTTPs represent more phishing opportunities for cyber criminals. Malicious content is now often hosted on good domains (up to a quarter of the time, according to our Threat Report). Short codes also have the unintended consequence of masking a link’s destination URLs. Both these phenomena make it more difficult to identify a phishing attack.
“All of sudden these mental checks that everyone was told to use to sniff out phishing attacks, like double-checking URLs, no longer hold,” says Moffitt.
Let’s face it, this is the big one. The rise in popularity of shared drives makes it more likely that any single phishing success will yield troves of valuable data. Compromising a corporate Dropbox account could easily warrant a six-figure ransom, or more, given the looming threat of GDPR and CCPA compliance violations.
“A few years ago, most of the targets were financial targets like PayPal and Chase,” according to Moffitt. “But now they are tech targets. Sites like Facebook, Google, Microsoft, and Apple. Because shared drives offer a better return on investment.”
Even for private individuals, shared drives are more bang for the buck. Credentials which can easily lead to identity theft can be sold on the dark web and, given the rampant rates of password re-use in the U.S., these can be cross-checked against other sites until the compromise spirals.
Finally, phishing is profitable as an initial entry point. Once a cybercriminal has accessed a business email account, for instance, he or she is able to case the joint until the most valuable next move has been determined.
“It’s a really lucrative first step,” says Moffitt.
Don’t take the bait
Installing up-to-date antivirus software is an essential first step in protecting yourself from phishing attacks. Features like Webroot’s Real-Time Anti-Phishing Shield can help stop these attacks before a user has the chance to fall for it. Continual education is equally as important. Webroot data shows that ongoing phishing simulations can lower click-through rates significantly.
The post What’s Behind the Surge in Phishing Sites? Three Theories appeared first on Webroot Blog.
Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications. […] BleepingComputer